The National Institute of Standards and Technology (NIST) defines cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.
This definition of cloud services can be divided into four parts:
Over the years we have seen that companies want to consume more and more things as a service. What is consumed as a service can be very technical, such as IT infrastructure, but it can also be very functional, such as a business process. Typically, there are two drivers behind this need for service consumption: the centralization/decentralization pendulum and the level of abstraction that cloud services provide. The common denominator between these drivers is the cost and efficiency optimization that cloud services offer. This also debunks the myth that cloud computing is only about the technical aspects of enterprise architecture.
These drivers can be translated into cloud computing models grouped in two generations.
1st generation:
The focus is technical, linked with the technology and application layers of the enterprise architecture:
2nd generation:
Linked with the information and business architecture levels of the enterprise architecture:
Another myth to debunk is that "network accessible" means "internet accessible". Although most cloud services are hosted outside the organization and accessed over the internet, that is not a necessary condition of the definition. Cloud computing can be run on premises as well.
Deployment models are the different ways cloud services can be accessed. Typically, five models can be identified: (1) private clouds, which give access to a single entity; (2) public clouds, which provide access to anyone with internet access; (3) community clouds, which provide the middle ground between a private and a public cloud; (4) hybrid clouds, which are a mix of the previous models; and (5) multi-clouds, in which an organization consumes cloud services from multiple providers.
Furthermore, in cloud computing there are four parties involved: the service provider, service creator, service consumer and service broker.
A myth linked to the service characteristics: since a cloud provider describes what services are available but does not prescribe how to use them, cloud will still require alignment between the business and information and communications technology (ICT).
The reasons for cloud computing can be explained by four key ICT drivers:
Increased flexibility and speed allow ICT departments to meet targets and support innovation and modern software development methodologies.
Reduced risks and costs help ICT departments meet their targets, which comprise both a budget responsibility and a security and vulnerability responsibility.
Cloud computing brings benefits, including a reduction of some risks through the use of out-of-the-box solutions and the involvement of trusted providers. It should however be clear that cloud computing may also introduce additional risks. The main reason is that the company gives up control over its data and IT environment, at least to some extent, depending on, among other things, the applicable service model.
The risks cloud computing introduces should be approached holistically across people, processes and technology in order to better leverage the cloud computing initiatives.
The five major risks related to cloud computing are:
As managing the risks of cloud becomes an increasing priority for organizations, the following areas also need particular attention:
Through its key role as assurance provider, internal audit (IA) is well positioned to help management as well as the Board identify key risks related to cloud. IA can assist the business in determining whether those risks are being appropriately mitigated.
Internal audit should embrace the “trusted advisor” role as the organization takes on new risks and:
Cloud computing is a disruptive technology and impacts how an audit is performed. Cloud audit challenges include:
Understanding the scope of the cloud computing environment:
Cloud computing audit specialists, on top of standard audit skills, should possess the following skills:
Testing the effectiveness of controls through the use of audit logging and audit trails may be less straightforward in a cloud environment than in traditional IT, as this data may not be accessible to the organization. Access to it may require special agreements with the cloud provider.
Dirk Vanderbist, Digital Enablement - Cloud & Architecture, T: +32 (0)27083967
Thomas Vormezeele, Digital Risk Management & Assurance, T: +32 (0)27084853