
Week 1 ISACA Cloud Governance Project

Welcome to the first week of our Cloud Computing Governance Project.

A lot has been written about cloud computing and the benefits it provides in terms of agility in deploying technology and also in terms of cost savings. A great deal has also been written about security, privacy, compliance and resilience, both in support of cloud and in pointing out problems. Very little has been presented in terms of governance. Cloud discussions have mostly been focused on tactical and management aspects of cloud rather than starting with governance considerations.

Our first discussion will get us all thinking about cloud computing, what it is, and what the governance considerations are. Cloud is often described from the vantage point of the supplier rather than the subscriber. Cloud is defined in terms of how it is offered: as an infrastructure, as a platform, or as a service. Cloud is also described in terms of where it is deployed: internally, externally, and in a hybrid method.

Question 1: What is cloud computing?

Question 2: How does cloud computing differ from other approaches to IT deployment and what are the governance implications of these differences?


Thanks for participating in this discussion. 
(2 ratings)

Comments

RE: Week 1 ISACA Cloud Governance Project

Answer #1: I like ISACA's White paper on Cloud Computing (Cloud Computing: Business Benefits with Security, Governance and Assurance Perspectives) definition -  it is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. I am particularly fond of "it is a model" and not just a platform or an infrastructure.

Answer #2: Let me start with the Governance of Cloud Computing question - in order to guarantee consistent, predictable, compliant, and reliable Cloud services, we need policies and procedures on Cloud services management and risk management. 
For me the main difference between the Cloud Computing approach and conventional outsourcing is the high interoperability and interdependency of the services in the Cloud(s), making it susceptible to other services' failure or unauthorized change.
Souza Neto (Lively) at 5/15/2011 8:58:31 AM
(2 ratings)

RE: Week 1 ISACA Cloud Governance Project

I am in favor of adopting the NIST definition. It is concise, avoids hyperbole and focuses on the defining attributes.

As to what makes Cloud Computing different from other models... from my perspective there are two key comparisons, one commercial and one private. The comparator I use for the 'commercial' model is a generic outsourcing model. I pick that general model for the common theme of "paying someone else to do something that you could do for yourself". A purely privately operated model appears a more technical comparison. Let me get back to that.

In a commercial cloud computing model, whether a completely implemented scenario or a partial scenario, much of the same administrative governance (contract, oversight, compliance, etc.) is common to a conventional outsourcing model. The same contract rigor is required going into and operating a cloud model as is required in a conventional outsourcing model. The differences in cloud computing for me are additional diligence with respect to exit strategies, conformance to open standards, and a clear understanding of how dynamic re-distribution of data/computing resources will affect regulatory compliance and maintain a conforming environment. Add to that additional oversight to handle 'sub-contract' entities or 'brokered services'. Right now many companies and governmental agencies are finding the persistence of time/place along with inter-operability to be issues with governance.

A private implementation using cloud models doesn't carry the same contractual requirements as a commercial one. However, the same level of diligence must be applied to ensuring corporate governance standards are maintained when time/place persistence are now part of the environment. As with a commercial model, cross-border data requirements become additional concerns.

In either environment the financial governance and oversight require new tools and technical disciplines that may not yet be fully developed. Similarly, the risk model associated with IT governance should not only be revisited but may also have to be revisited more frequently than in other less dynamic models.
Austin Hutton (Lively) at 5/15/2011 9:49:20 AM
(1 ratings)

RE: Week 1 ISACA Cloud Governance Project

I will post more during the week, but wanted to start with an initial view of question 1, what is cloud computing?

Having read through much of the posted documentation, as well as numerous other articles/news stories, I am struck by how much we all think we know what cloud computing is, but how actually vague the definitions really are. This is a point developed to some degree in the article 'The last cloud computing definition you'll ever need' (Giglia and Lipinsky de Orlov), with their '"Cloud" has become a vague and flexible term that does not reference anything in particular' quote.

Going further and analysing the NIST definition within the Hutton consulting overview document was interesting. Much of the definition is very open to individual interpretation. Terms 'rapidly provisioned' and 'minimal management effort or service provider interaction' may be thought to be understood by all, but all may have a different view on what is rapid and what is minimal. This will be driven by the perception of the person, built on their starting points, experience and expectations, and using the definition a wide variety of pre-existing IT/computing services could be (and are) being badged as cloud. This is similar to the days of putting 'e' in front of everything (e-commerce etc.).

John Lloyd (Lively) at 5/16/2011 10:03:54 AM
(1 ratings)

RE: Week 1 ISACA Cloud Governance Project

I agree that the term "cloud computing" is vague and does not convey much meaning by itself. Also, given that this paradigm shift is being driven primarily by vendors and service providers, most of the discussion is naturally centered around deployment models and service models, which lack the consumer or user focus. I think we need to define Cloud Computing given the way its users see it rather than the way service providers deploy or manage it behind the scene.

From the users' perspective, I think cloud turns IT service into a commodity or utility which is available when you need it, where you need it, just like electricity or water. You use as much as you need and you pay for what you use. The entire infrastructure, complexity, time, cost, management and operational efforts are borne by the specialist service provider, who creates a win-win situation with the economies of scale. Strictly from an 'IT Service Delivery' perspective there are tremendous advantages of Cloud as we all know, mainly in terms of rapid provisioning, on-demand/anywhere access, and a pay-as-you-go cost model.

But even though this arrangement is beneficial from a purely IT and Business standpoint, there are some spectacular gaps in the Governance, Security and Control aspects. These issues aren't new and in many cases are solved for the in-house IT situation, but they need to be resolved again for the Cloud. I think we need to take these open questions one at a time and discuss how best they could be addressed bilaterally to build the required level of transparency between vendor and consumer. I think getting both parties to agree to a certain set of Governance standards will tremendously boost consumer confidence and consequently the adoption of the cloud.
Subodh (Lively) at 5/16/2011 2:26:48 PM
(2 ratings)

RE: Week 1 ISACA Cloud Governance Project

Q1. In my mind cloud computing is a repackaging of the old Application Service Providers (ASPs) or Remote Computing Option (RCO) typically offered by application vendors (in the past). The biggest difference is that in the past the services were provided by the vendor who sold you the software, and in this rebirth the providers of the cloud service are not the same company who designs, develops and sells you the software. I like the utility model analogy. You connect up to the cloud and use as much or as little as you need.

Q2. The governance implications of cloud computing, while the same as other types of deployments, are harder to achieve due to the many different cloud business models being offered. In order to make business sense, many of the vendors offering cloud services require a great deal of flexibility in how they provide their services that are largely transparent to the purchaser of the services.  Unless the buyer is diligent in asking the right types of questions and understands the provider's model well enough to ask the right questions, there may be aspects to the deployment that do not have the level of governance required. It makes the contracting process much more critical and complicated, but not impossible. Without paying careful attention to the contract and doing your research, it could be a case of "buyer beware".
Mary Siero (Lively) at 5/18/2011 7:39:51 AM
(2 ratings)

RE: Week 1 ISACA Cloud Governance Project

Q1. I like the NIST definition already mentioned. While it does contain subjective terms that could be debated I don't think this devalues it as a definition. I particularly like the 'model' aspect without which descriptions of cloud tend to become product or service specific.

Q2. Far too many organisations seem to have allowed a mentality of "the data is on our servers, in our data centre which is staffed by permanent employees so it must be safe" to develop - particularly amongst SMEs. To get the benefits of cloud they will have a very steep mountain of learning to climb. They will have to properly understand issues like supplier risk management, cross-border data protection etc. - perhaps for the first time! If they don't we can expect a dramatic increase in data leakage and availability incidents.

Another challenge will be getting good advice that is not overly vendor driven - especially with regard to the EU and UK data protection legislation where the guidance from the regulators tends to be generalist rather than specific and often lags behind technology developments.  

A further challenge will be controlling end-user procurement of cloud. I see this as a similar challenge to the one that the mainframe-centric organisations faced with the proliferation of early PCs bought by individual departments. It took them a while to wake up to the challenge and arguably some of the seeds of the governance challenges we still battle today were planted then. Although similar, the cloud is more of a governance challenge in that the barriers to entry are so low!
RGN01 (Lively) at 5/18/2011 2:31:11 PM
(1 ratings)

RE: Week 1 ISACA Cloud Governance Project

Our early comments on what cloud computing is seemed to focus on the qualities of cloud such as convenient, on demand, network access, shared pool and so on.  It is interesting that these qualities are somewhat vague as John pointed out. It is also interesting that if this is the definition of cloud computing many organizations that claim to have launched a private cloud have only virtualized their servers.  Virtualization may be a tool within the cloud solution but by itself it does not meet all of the criteria.  Is there really such a thing as a private cloud?

Souzaneto commented that while people look at cloud computing as being "outsourcing" there are differences. Cloud differs from traditional outsourcing because of the high level of interoperability and interdependency that exists between the service provider and the tenant. Perhaps a better way to look at cloud computing is as a supply chain. This may be particularly true if we consider the impact brokers and integrators will have in designing and building more complex custom and packaged solutions.

Austin presented the idea that cloud can be different from outsourcing because of the needed focus on an exit strategy. He added that there may be a need for different governance tools and risk models. Although we are not talking about the impact on organizations and professions, it may be good to mention that traditional audit, which looks for evidence of past performance, may need to focus on real time and continuous performance and conformance assessments.

Another group also looking at cloud computing provided the notion that cloud computing is multi-dimensional. We can look at a technical description or a functional description; both are valid. We can also look at cloud from the perspective of the business, which may come closer to providing a supply chain like definition. Subodh commented that we need to define cloud from a consumer perspective or as a utility, which may be closer to a business definition as well.

Many of us have commented on what the differences are between cloud and other models for delivering IT services.  Mary concludes that cloud will require asking more questions and provides the example of privacy issues, UK - EU regulations, and the lack of specific guidance.

I posted the Cloud Computing Risk Intelligence Map that Deloitte produced to the publications. Look at this map and let's identify specific differences between cloud computing and traditional computing models that will have a governance impact.
Ron Hale Ph.D. CISM (Energizer) at 5/19/2011 9:02:21 AM
(Unrated)

RE: Week 1 ISACA Cloud Governance Project

So, what is "Cloud Computing"? As we shall see, the experts disagree on its exact definition, but most concur that it includes the notion of web based services that are available on demand from an optimized and highly scalable service provider.

Despite the technical sound of its characteristics, it has not garnered excitement from technologists but has captured the attention of business leaders around the world.

We have established that "Cloud computing" is one of the buzzwords; everyone wants to know more about it. All vendors are re-branding their products as being aligned with the cloud. And still the most common question we hear is: what does it mean? (The same is evidenced from the responses submitted in this discussion.) Some standard definitions which are resonating in the blogosphere are taken as the standard ones from NIST, Cloud Security Alliance, Gartner, Forrester, Wikipedia...

The key to understanding common interpretations of the term "Cloud Computing" is to examine the assortment of attributes of typical cloud solutions. This doesn't mean that every cloud attribute is essential to cloud computing or even that there is necessarily any which qualifies a given approach as fitting the cloud paradigm. But typically the more these attributes apply, the more likely others will accept it as a cloud solution.

Some key components include:

  • Off-premise
  • Elasticity
  • Flexible Billing
  • Virtualization
  • Service Delivery
  • Universal Access
  • Simplified Management
  • Affordable resources
  • Multi-tenancy
  • Service Level Management
  • Security!


Madhav Chablani (Social) at 5/19/2011 2:33:14 PM
(Unrated)

RE: Week 1 ISACA Cloud Governance Project

Q1. I agree with Souzaneto; the definition of cloud computing in the ISACA White paper is excellent. I would just add something from Gartner related to a cloud computing definition: "Style of computing in which scalable and elastic IT-enabled capabilities are provided as a service to consumers using Internet technologies". For me the word "capabilities" makes the difference: a cloud model offers capabilities instead of a particular solution.

Q2. Cloud computing is an emerging technology; it is full of questions and few responses about how the model will really work with complex business services. Cloud computing is different from old outsourcing and hosting models because of its approach to the consumption model. Cloud providers must support the delivery of an elastically scalable service for multiple users.
The cloud model presents some governance challenges to address. Just the fact that some business unit can receive services directly from the cloud is a big issue.
The first step from my point of view is that the information security policies have to be revised and updated to include cloud services.

Salomon Rico (Lively) at 5/19/2011 7:07:44 PM
(Unrated)

RE: Week 1 ISACA Cloud Governance Project

Q1 - I don't have major comments on the first question other than it is an excellent challenge for some professionals with a scientific background who don't like to lead with any kind of conceptual ambiguity. The concept is so abstract, virtualized, disperse, diffused and amorphous. How do you explain the concept to somebody in your Board with a non-technical background, or more important, how do you provide them an explanation of any available forms of assurance, if any?

Q2 - Let's play roles. You are a member of one of the governance bodies of your company. That is what we are talking about when we refer to IT Governance, isn't it? For example, you are a member of the IT governance committee, or you are a member of the audit committee. Your CXO is considering migrating a portion of the application portfolio to "the cloud". Your company operates within a regulated industry. The first thing you should be aware of is that "the cloud" could be (under my point of view) an ultimate kind of IT outsourcing, eventually in-sourcing, or co-sourcing, but more important, eventually could be the most extreme case of off-shoring! Off-shoring? Yes, the cloud could be served here, there, and far from your location, eventually at the same time. To which country? Preliminarily undefined. These are some comments just to illustrate that IT Governance of Cloud Computing may have some particular complexities. I invite you to play the role and launch questions from a governance perspective:

  • Which part of the apps portfolio will you migrate first, and why?
  • Are these initiatives governed under CAPEX (capital projects) or OPEX/APEX (operating/administrative expenses) rules and procedures?
  • What kind of assurance does the provider include in the contract/SLA?
  • What kind of audits should we provide to the stakeholders?
  • Is SAS70 enough to provide assurance to "the cloud"? SSAE16?
  • Is there any standard for "cloud computing"? Anything in draft mode?
  • What could be a reasonable contingency plan if the "cloud" fails? Can we use more than one "cloud" at the same time?
  • Are we sure we are in compliance with laws and regulations?
  • Is there any hidden cost of compliance?
fnikitin (Lively) at 5/19/2011 10:33:44 PM
(Unrated)

RE: Week 1 ISACA Cloud Governance Project

The key characteristic of cloud computing is that the computing is "in the cloud"; i.e. processing is done on something which is Internet-like (this can be public or we can create a virtual Internet-like environment). In an Internet-like environment the infrastructure, data, applications etc. are all distributed across many computers over wide-spread networks and users access it using a simple browser and/or minimal resources. I think cloud computing is very much like "Internet-computing" with the only difference being we create/define our own Internet and then offer various shared services (SaaS, PaaS, IaaS etc.) which the consumer/user can subscribe to. So "Cloud computing" = "Internet-Like Computing". Then there are terms like public and private clouds. Public cloud can be analogous to "Internet" and private cloud can be analogous to "Virtual Private Network (VPN)".

Regarding Governance of Cloud Computing, I think it is similar to "Governance of Computing on Internet or Internet-Like environment" and this can be more difficult because we are referring to our corporate data anywhere on the cloud or virtualized environment and not specifically on our web-servers located in our data center.

SKA (Energizer) at 5/20/2011 2:59:04 PM
(1 ratings)

RE: Week 1 ISACA Cloud Governance Project

For the last task set by Ron Hale, I converted Deloitte’s Cloud Computing Risk Intelligence Map to text.

The task was to identify specific differences between cloud computing and traditional computing models that will have a governance impact.

I’ve put a # in front of those risks that I considered specific to cloud computing and not general in nature. For example, “inadequate management oversight of cloud adoption”, which can be found 5 lines below, deals with a general management problem, the one of inadequate management oversight. This is not exclusive to cloud computing!

Here is the list with my marks:

Governance, Risk Management and Compliance
  Governance
    • Inadequate management oversight of cloud adoption
    • Failure to evaluate and monitor usage of cloud
  Risk Management
    • Inadequate analysis of incremental risks introduced by cloud
    • Lack of independent assessment of cloud solution
    • Insufficient expertise in auditing cloud environment
  Compliance
    • Inability to demonstrate compliance with regulatory requirements
    • Limitations on ability to monitor compliance of cloud components
    • Changing compliance landscape due to evolving regulations and standards
    • # Noncompliance with multijurisdictional data privacy laws due to lack of visibility into data location

Delivery Strategy and Architecture
  Strategy
    • Lack of a coherent cloud strategy and roadmap
    • Cloud strategy not aligned with business needs or technology maturity
  Architecture
    • # Lack of proper isolation for sensitive data due to multitenancy in cloud
    • Lack of configurability and customization of cloud architecture
    • Inability to use best-of-breed technologies
    • Unacceptable performance degradation due to increased network or system latency
    • # Failure to engineer cloud applications to leverage scalability offered by the cloud

Infrastructure Security
  Vulnerability Management
    • # Security vulnerabilities introduced by cloud co-tenants and ecosystem partners
    • Failure to protect against new vulnerabilities in virtualization technologies
    • Lack of timely security patches for proprietary cloud components
    • # Failure to patch vulnerabilities in virtual machine templates and offline virtual machines
    • # Inadequate vulnerability testing of services obtained from cloud ecosystem partners
  Network Security
    • Compromise of cloud management interfaces due to targeted attacks
    • Failure to secure network traffic between distributed cloud components
    • Exposure to distributed-denial-of-service attacks against public-facing cloud interfaces
    • # Lack of defense against attacks originating from within the cloud environment
  System Security
    • Compromise of cloud environment due to poor security practices by the customer
    • # Lack of adequate cloud service security due to conflicting customer priorities
    • Insecure end-user systems interacting with cloud-based applications
    • # Failure to secure intra-host communications among multiple virtual machines
  Application Security
    • Inability to independently test application security
    • Circumvention of application access controls by cloud provider staff
    • Failure to secure interfaces between variety of cloud-based and traditional applications
    • Inadequate facilities to capture and store application logs
  Encryption
    • Lack of controls to prevent cloud provider from accessing encryption keys
    • Poorly implemented encryption and key management due to cloud service immaturity

Identity and Access Management
  Identity Management
    • # Insecure integration of internal and cloud-based identity management components
    • # Inadequate due diligence prior to assignment of broad cloud management privileges
  Access Management
    • Failure to implement proper access controls for cloud management interfaces
    • Inadequate logical access control options due to cloud service immaturity
    • Inability to restrict access or implement segregation of duties for cloud provider staff

Data Management
  Data Acquisition
    • Housing inappropriately collected data
  Data Storage
    • Unauthorized access to data storage through underlying cloud technology
    • # Inability to monitor data integrity inside cloud storage
    • # Failure to properly retain data due to complexity of multiple cloud data stores
  Data Usage
    • # Lack of clear ownership of cloud-generated data
    • Unauthorized access or inappropriate use of sensitive data (e.g. personal data, intellectual property)
    • Underutilization of data use due to restrictions on access to data in cloud
  Data Transfer
    • # Noncompliance with data privacy laws due to cross-jurisdictional data transfer
    • # Inability to integrate data loss prevention technology with cloud solution
  Data Disposal
    • # Failure to remove data from multiple cloud data stores
    • # Insecure deletion of data from multiple-use hardware resources

Business Resiliency and Availability
  Technology Resiliency
    • Cloud service failure due to oversubscription in peak usage periods
    • # Inability to verify cloud infrastructure resiliency
    • Single-points-of-failure due to addition of complex technology components
    • # Increased complexity of data replication or backup to other clouds or back in-house
  Cloud Provider Continuity
    • # Inability to test cloud continuity and disaster recovery plans
    • # Lack of continuity plan for cloud provider failure, acquisition, or change in service strategy
    • Failure to establish source code escrow agreement for proprietary software
  Supply Chain Continuity
    • # Interruption of cloud services due to critical subcontractor failure

IT Operation
  Asset Management
    • # Failure to comply with software licenses due to ease of cloud resource provisioning
    • # Insufficient tracking of virtual assets
  Project Management
    • Poorly defined roles and responsibilities of cloud participants
    • Unresponsiveness in cloud provider communications due to customer volume
  Incident Management
    • # Delayed data breach notification due to complex identification of affected customers
    • # Ineffective incident investigation due to impermanence of virtual systems
    • # Failure to limit incident spill-over to other cloud tenants
    • # Inability to troubleshoot performance issues due to continuous environment changes
  Change Management
    • # Inadequate cloud migration planning
    • # Inability to align business process changes with standardized cloud service options
    • # Lack of coordination of system maintenance resulting in conflicting changes and difficult troubleshooting
  Operations
    • Inadequate monitoring of cloud resource utilization
    • IT operational processes not updated to reflect unique cloud computing risks
    • Lower availability of cloud service than prescribed by the SLA due to provider oversubscription
    • # Inability to provide adequate level of service globally
  Physical and Environmental
    • # Inadequate physical and environmental safeguards for cloud locations
    • # Increased data loss for multiple customers from physical machine theft

Vendor Management
  Vendor Selection
    • Inadequate due diligence of cloud security controls
    • Lack of sufficient number of viable cloud providers
    • Lack of performance track record due to cloud service immaturity
  Monitoring
    • Lack of performance monitoring mechanisms beyond cloud provider reports
    • # Inability to use third parties to assess cloud provider performance
    • # Gap between provider’s nonperformance vs. business impact of service disruption
  Vendor Lock-in
    • High cost of migrating cloud-resident technology due to proprietary architecture
    • # Complexity in architecting technical solutions that minimize vendor lock-in
    • # Failure to plan for cloud portability and interoperability
    • # Lack of agreed upon exit obligations for both provider and customer
  Contracting
    • # Inability to customize cloud contract and establish cloud provider liability
    • # Failure to update cloud contract over time to reflect operating changes
  Resource Provisioning
    • # Failure to formally define maximum available cloud resources

Business Operations
  Human Resources
    • Malicious insiders with administrative access to cloud components
    • Inadequate IT skills to manage cloud-based technologies
    • Failure to retain technical specialists upon cloud migration to oversee cloud operations
  Legal
    • # Inadequate records management, preservation, retention, and disposal policies
    • # Unauthorized exposure of data at cloud locations with unpredictable legal environment
    • Failure to consider digital evidence and e-discovery issues in contracts
  Finance
    • # Lack of internal controls for financial processes and transactions in the cloud
    • # Failure to control cloud expenses due to ease of proliferation of cloud usage
    • # Economic denial-of-service by exhausting metered cloud resources
  Tax
    • # Failure to analyze and plan for tax considerations

Souza Neto (Lively) at 5/20/2011 5:14:34 PM
(1 ratings)

RE: Week 1 ISACA Cloud Governance Project

The definition of Cloud Computing still has a lot of freedom in its conceptualization, being influenced by the experience of those who define it. In my case it is on-demand access to a shared set of computing resources in a standardized way.

Regarding the differences with other approaches, I consider that cloud computing can integrate more easily and rapidly with business applications and facilitates adaptation worldwide. However, it could result in a high dependency on the provider and Internet access. Additionally, sensitive data could be exposed if the customer relies on storage in the cloud and the provider has highly critical vulnerabilities.

Romulo Lomparte (Social) at 5/23/2011 10:15:25 AM
(1 ratings)

RE: Week 1 ISACA Cloud Governance Project

All of your definitions are correct.
In my opinion,  the definition of Cloud Computing is like a Molecular Ubiquity Data interaction with computational systems.

ramoncod (Lively) at 5/23/2011 12:03:11 PM
(Unrated)

RE: Week 1 ISACA Cloud Governance Project

Regarding the definition of cloud computing I think the mentioned definitions (esp. ISACA) are a good foundation for future work. Though they might have certain differences or focus on different areas, they are sufficient to have a common understanding. To develop the one and only definition might be more of scientific value rather than practical importance.

I think there are much bigger challenges in the area of governance, risk management and compliance. I work in a regulated, asset based industry which belongs to the national infrastructure. So risk is always a concern. Today's methods cover the usual IT demand/supply relations. Cloud computing in contrast comes with new challenges. For example: data and data services. Today data is grouped around its logical coherence and dedicated services are defined to store, transform, archive ... that data. Looking forward, the different setup of cloud services could lead to a completely different split of data into cloud ready data and data which has to be covered by the usual service relations. One reason to implement that split lies for example in the legislation regarding data protection.
Michael.Semrau (Lively) at 5/24/2011 2:17:49 PM
(Unrated)

RE: Week 1 ISACA Cloud Governance Project

There are many definitions of it, but I think that all of them are incomplete because each one has only a part of the conditions for a cloud.

So for me cloud computing is a model that has three dimensions. The first is a platform that contains the different levels that people can use (these are the universe of services, for example infrastructure, databases, applications, etc.). The second dimension includes SLAs - Service Level Agreements; these are the conditions that users need for the services contracted. At this point it is important to know that in this model, users don't have any information about the details of the services that they need. The third dimension includes a group of conditions that providers need to ensure excellent services. These conditions are associated with availability, integrity and confidentiality.

For me the third dimension has the major control considerations, and I believe that it is where the major interactions of governance must take place.

Jpvargas (Lively) at 5/26/2011 10:36:54 AM
(Unrated)

RE: Week 1 ISACA Cloud Governance Project

Yes, materials from are very good resources.
Especially, the results from NIST's open discussion are very important for us.
"the NIST Cloud Computing Collaboration Site"
  • Reference Architecture and Taxonomy
  • Standards Acceleration to Jumpstart the Adoption of Cloud Computing (SAJACC)
  • Cloud Security
  • Standards Roadmap
  • Business Use Cases

    These may be very useful as a base for our discussion, I think.

    Though, there is no discussion about IT governance of Cloud Computing.
    Cloud Computing is one of our choices. Cloud Computing is not almighty.
    Cloud Computing brings us new benefits and new risks.
    Let's discuss together the governance & guidelines of the Cloud Computing era.

    Masatoshi Kajimoto, CISA, CRISC (Energizer) at 5/29/2011 7:03:49 PM
    (Unrated)

    RE: Week 1 ISACA Cloud Governance Project

    For the last task set by Ron Hale, I converted Deloitte’s Cloud Computing Risk Intelligence Map to text.

    The task was to identify specific differences between cloud computing and traditional computing models that will have a governance impact.

    I’ve put a # in front of those risks that I considered specific to cloud computing and not general in nature. For example, “inadequate management oversight of cloud adoption”, which can be found a few lines below, deals with a general management problem, the one of inadequate management oversight. This is not exclusive to cloud computing!

    Here is the list with my marks:

    Governance, Risk Management and Compliance
      Governance
      • Inadequate management oversight of cloud adoption
      • Failure to evaluate and monitor usage of cloud
      Risk Management
      • Inadequate analysis of incremental risks introduced by cloud
      • Lack of independent assessment of cloud solution
      • Insufficient expertise in auditing cloud environment
      Compliance
      • Inability to demonstrate compliance with regulatory requirements
      • Limitations on ability to monitor compliance of cloud components
      • Changing compliance landscape due to evolving regulations and standards
      • # Noncompliance with multijurisdictional data privacy laws due to lack of visibility into data location

    Delivery Strategy and Architecture
      Strategy
      • Lack of a coherent cloud strategy and roadmap
      • Cloud strategy not aligned with business needs or technology maturity
      Architecture
      • # Lack of proper isolation for sensitive data due to multitenancy in cloud
      • Lack of configurability and customization of cloud architecture
      • Inability to use best-of-breed technologies
      • Unacceptable performance degradation due to increased network or system latency
      • # Failure to engineer cloud applications to leverage scalability offered by the cloud

    Infrastructure Security
      Vulnerability Management
      • # Security vulnerabilities introduced by cloud co-tenants and ecosystem partners
      • Failure to protect against new vulnerabilities in virtualization technologies
      • Lack of timely security patches for proprietary cloud components
      • # Failure to patch vulnerabilities in virtual machine templates and offline virtual machines
      • # Inadequate vulnerability testing of services obtained from cloud ecosystem partners
      Network Security
      • Compromise of cloud management interfaces due to targeted attacks
      • Failure to secure network traffic between distributed cloud components
      • Exposure to distributed-denial-of-service attacks against public-facing cloud interfaces
      • # Lack of defense against attacks originating from within the cloud environment
      System Security
      • Compromise of cloud environment due to poor security practices by the customer
      • # Lack of adequate cloud service security due to conflicting customer priorities
      • Insecure end-user systems interacting with cloud-based applications
      • # Failure to secure intra-host communications among multiple virtual machines
      Application Security
      • Inability to independently test application security
      • Circumvention of application access controls by cloud provider staff
      • Failure to secure interfaces between variety of cloud-based and traditional applications
      • Inadequate facilities to capture and store application logs
      Encryption
      • Lack of controls to prevent cloud provider from accessing encryption keys
      • Poorly implemented encryption and key management due to cloud service immaturity

    Identity and Access Management
      Identity Management
      • # Insecure integration of internal and cloud-based identity management components
      • # Inadequate due diligence prior to assignment of broad cloud management privileges
      Access Management
      • Failure to implement proper access controls for cloud management interfaces
      • Inadequate logical access control options due to cloud service immaturity
      • Inability to restrict access or implement segregation of duties for cloud provider staff

    Data Management
      Data Acquisition
      • Housing inappropriately collected data
      Data Storage
      • Unauthorized access to data storage through underlying cloud technology
      • # Inability to monitor data integrity inside cloud storage
      • # Failure to properly retain data due to complexity of multiple cloud data stores
      Data Usage
      • # Lack of clear ownership of cloud-generated data
      • Unauthorized access or inappropriate use of sensitive data (e.g. personal data, intellectual property)
      • Underutilization of data use due to restrictions on access to data in cloud
      Data Transfer
      • # Noncompliance with data privacy laws due to cross-jurisdictional data transfer
      • # Inability to integrate data loss prevention technology with cloud solution
      Data Disposal
      • # Failure to remove data from multiple cloud data stores
      • # Insecure deletion of data from multiple-use hardware resources

    Business Resiliency and Availability
      Technology Resiliency
      • Cloud service failure due to oversubscription in peak usage periods
      • # Inability to verify cloud infrastructure resiliency
      • Single-points-of-failure due to addition of complex technology components
      • # Increased complexity of data replication or backup to other clouds or back in-house
      Cloud Provider Continuity
      • # Inability to test cloud continuity and disaster recovery plans
      • # Lack of continuity plan for cloud provider failure, acquisition, or change in service strategy
      • Failure to establish source code escrow agreement for proprietary software
      Supply Chain Continuity
      • # Interruption of cloud services due to critical subcontractor failure

    IT Operation
      Asset Management
      • # Failure to comply with software licenses due to ease of cloud resource provisioning
      • # Insufficient tracking of virtual assets
      Project Management
      • Poorly defined roles and responsibilities of cloud participants
      • Unresponsiveness in cloud provider communications due to customer volume
      Incident Management
      • # Delayed data breach notification due to complex identification of affected customers
      • # Ineffective incident investigation due to impermanence of virtual systems
      • # Failure to limit incident spill-over to other cloud tenants
      • # Inability to troubleshoot performance issues due to continuous environment changes
      Change Management
      • # Inadequate cloud migration planning
      • # Inability to align business process changes with standardized cloud service options
      • # Lack of coordination of system maintenance resulting in conflicting changes and difficult troubleshooting
      Operations
      • Inadequate monitoring of cloud resource utilization
      • IT operational processes not updated to reflect unique cloud computing risks
      • Lower availability of cloud service than prescribed by the SLA due to provider oversubscription
      • # Inability to provide adequate level of service globally
      Physical and Environmental
      • # Inadequate physical and environmental safeguards for cloud locations
      • # Increased data loss for multiple customers from physical machine theft

    Vendor Management
      Vendor Selection
      • Inadequate due diligence of cloud security controls
      • Lack of sufficient number of viable cloud providers
      • Lack of performance track record due to cloud service immaturity
      Monitoring
      • Lack of performance monitoring mechanisms beyond cloud provider reports
      • # Inability to use third parties to assess cloud provider performance
      • # Gap between provider’s nonperformance vs. business impact of service disruption
      Vendor Lock-in
      • High cost of migrating cloud-resident technology due to proprietary architecture
      • # Complexity in architecting technical solutions that minimize vendor lock-in
      • # Failure to plan for cloud portability and interoperability
      • # Lack of agreed upon exit obligations for both provider and customer
      Contracting
      • # Inability to customize cloud contract and establish cloud provider liability
      • # Failure to update cloud contract over time to reflect operating changes
      Resource Provisioning
      • # Failure to formally define maximum available cloud resources

    Business Operations
      Human Resources
      • Malicious insiders with administrative access to cloud components
      • Inadequate IT skills to manage cloud-based technologies
      • Failure to retain technical specialists upon cloud migration to oversee cloud operations
      Legal
      • # Inadequate records management, preservation, retention, and disposal policies
      • # Unauthorized exposure of data at cloud locations with unpredictable legal environment
      • Failure to consider digital evidence and e-discovery issues in contracts
      Finance
      • # Lack of internal controls for financial processes and transactions in the cloud
      • # Failure to control cloud expenses due to ease of proliferation of cloud usage
      • # Economic denial-of-service by exhausting metered cloud resources
      Tax
      • # Failure to analyze and plan for tax considerations

    Souza Neto (Lively) at 5/20/2011 5:14:34 PM
    (1 ratings)

    RE: Week 1 ISACA Cloud Governance Project

    The key characteristic of cloud computing is that the computing is "in the cloud"; i.e. processing is done on something which is Internet-like (this can be public or we can create a virtual Internet-like environment). In an Internet-like environment the infrastructure, data, applications etc. are all distributed across many computers over wide-spread networks and users access it using a simple browser and/or minimal resources. I think cloud computing is very much like "Internet computing" with the only difference being we create/define our own Internet and then offer various shared services (SaaS, PaaS, IaaS etc.) which the consumer/user can subscribe to. So "Cloud computing" = "Internet-Like Computing". Then there are terms like public and private clouds. Public cloud can be analogous to "Internet" and private cloud can be analogous to "Virtual Private Network (VPN)".

    Regarding Governance of Cloud Computing, I think it is similar to "Governance of Computing on Internet or Internet-Like environment" and this can be more difficult because we are referring to our corporate data anywhere on the cloud or virtualized environment and not specifically on our web-servers located in our data center.

    SKA (Energizer) at 5/20/2011 2:59:04 PM
    (1 ratings)

    RE: Week 1 ISACA Cloud Governance Project

    Q1 - I don't have major comments on the first question other than it is an excellent challenge for some professionals with scientific background who don't like to lead with any kind of conceptual ambiguity. The concept is so abstract, virtualized, disperse, diffused and amorphous. How do you explain the concept to somebody in your Board with a non-technical background, or more important, how do you provide them an explanation of any available forms of assurance, if any?

    Q2 - Let's play roles. You are a member of one of the governance bodies of your company. That is what we are talking about when we refer to IT Governance, isn't it? For example, you are a member of the IT governance committee, or you are a member of the audit committee. Your CXO is considering migrating a portion of the application portfolio to "the cloud". Your company operates within a regulated industry. The first thing you should be aware of is that "the cloud" could be (under my point of view) an ultimate kind of IT outsourcing, eventually in-sourcing, or co-sourcing, but more important, eventually it could be the most extreme case of off-shoring! Off-shoring? Yes, the cloud could be served here, there, and far from your location, eventually at the same time. To which country? Preliminarily undefined. These are some comments just to illustrate that IT Governance of Cloud Computing may have some particular complexities. I invite you to play the role and launch questions from a governance perspective.
    - which part of the apps portfolio will you migrate first, and why?
    - are these initiatives governed under CAPEX (capital projects) or OPEX/APEX (operating/administrative expenses) rules and procedures?
    - what kind of assurance does the provider include in the contract/SLA?
    - what kind of audits should we provide to the stakeholders?
    - is SAS70 enough to provide assurance to "the cloud"? SSAE16?
    - is there any standard for "cloud computing"? Anything in draft mode?
    - what could be a reasonable contingency plan if the "cloud" fails? Can we use more than one "cloud" at the same time?
    - are we sure we are in compliance with laws and regulations?
    - is there any hidden cost of compliance?
    fnikitin (Lively) at 5/19/2011 10:33:44 PM
    (Unrated)

    RE: Week 1 ISACA Cloud Governance Project

    Q1. I agree with Souzaneto, definition of cloud computing in ISACA White paper is excellent. I just add something from Gartner related to a cloud computing definition: "Style of computing in which scalable and elastic IT-enabled capabilities are provided as a service to consumers using Internet technologies". For me the word "capabilities" makes the difference, a cloud model offers capabilities instead of a particular solution.

    Q2. Cloud computing is an emerging technology; it is full of questions and few responses about how the model will really work with complex business services. Cloud computing is different from old outsourcing and hosting models because of its approach to the consumption model. Cloud providers must support the delivery of an elastically scalable service for multiple users.
    The cloud model presents some governance challenges to address. Just the fact that some business unit can receive services directly from the cloud is a big issue.
    The first step from my point of view is that the information security policies have to be revised and updated to include cloud services.

    Salomon Rico (Lively) at 5/19/2011 7:07:44 PM
    (Unrated)

    RE: Week 1 ISACA Cloud Governance Project

    So, what is “Cloud Computing”? As we shall see, the experts disagree on its exact definition but most concur that it includes the notion of web based services that are available on demand from an optimized and highly scalable service provider.

    Despite the technical sound of its characteristics, it has not garnered excitement from technologists but has captured the attention of business leaders around the world.

    We have established that “Cloud computing” is one of the buzzwords; everyone wants to know more about it. All vendors are re-branding their products as being aligned with the cloud. And still the most common question we hear is: what does it mean? (The same is evidenced from the responses submitted in this discussion.) Some standard definitions which are resonating in the blogosphere are taken as the standard ones, from NIST, Cloud Security Alliance, Gartner, Forrester, Wikipedia …

    The key to understanding common interpretations of the term “Cloud Computing” is to examine the assortment of attributes of typical cloud solutions. This doesn’t mean that every cloud attribute is essential to cloud computing or even that there is necessarily any which qualifies a given approach as fitting the cloud paradigm. But typically the more these attributes apply, the more likely others will accept it as a cloud solution.

    Some key components include:

    • Off-premise
    • Elasticity
    • Flexible Billing
    • Virtualization
    • Service Delivery
    • Universal Access
    • Simplified Management
    • Affordable resources
    • Multi-tenancy
    • Service Level Management
    • Security!

    Madhav Chablani (Social) at 5/19/2011 2:33:14 PM
    (Unrated)

    RE: Week 1 ISACA Cloud Governance Project

    Our early comments on what cloud computing is seemed to focus on the qualities of cloud such as convenient, on demand, network access, shared pool and so on.  It is interesting that these qualities are somewhat vague as John pointed out. It is also interesting that if this is the definition of cloud computing many organizations that claim to have launched a private cloud have only virtualized their servers.  Virtualization may be a tool within the cloud solution but by itself it does not meet all of the criteria.  Is there really such a thing as a private cloud?

    Souzaneto commented that while people look at cloud computing as being "outsourcing" there are differences.  Cloud differs from traditional outsourcing because of the high level of interoperability and interdependency that exists between the service provider and the tenant.  Perhaps a better way to look at cloud computing is as a supply chain.  This may be particularly true if we consider the impact brokers and integrators will have in designing and building more complex custom and packaged solutions.

    Austin presented the idea that cloud can be different from outsourcing because of the needed focus on an exit strategy.  He added that there may be a need for different governance tools and risk models.  Although we are not talking about the impact on organizations and professions, it may be good to mention that traditional audit, which looks for evidence of past performance, may need to focus on real time and continuous performance and conformance assessments.

    Another group also looking at cloud computing provided the notion that cloud computing is multi-dimensional.  We can look at a technical description or a functional description; both are valid. We can also look at cloud from the perspective of the business, which may come closer to providing a supply chain like definition.  Subodh commented that we need to define cloud from a consumer perspective or as a utility, which may be closer to a business definition as well.

    Many of us have commented on what the differences are between cloud and other models for delivering IT services.  Mary concludes that cloud will require asking more questions and provides the example of privacy issues, UK - EU regulations, and the lack of specific guidance.

    I posted the Cloud Computing Risk Intelligence Map that Deloitte produced to the publications.  Look at this map and let's identify specific differences between cloud computing and traditional computing models that will have a governance impact.

    Ron Hale Ph.D. CISM (Energizer) at 5/19/2011 9:02:21 AM
    (Unrated)

    RE: Week 1 ISACA Cloud Governance Project

    Q1. I like the NIST definition already mentioned. While it does contain subjective terms that could be debated I don't think this devalues it as a definition. I particularly like the 'model' aspect without which descriptions of cloud tend to become product or service specific.

    Q2. Far too many organisations seem to have allowed a mentality of "the data is on our servers, in our data centre which is staffed by permanent employees so it must be safe" to develop - particularly amongst SMEs. To get the benefits of cloud they will have a very steep mountain of learning to climb. They will have to properly understand issues like supplier risk management, cross-border data protection etc. - perhaps for the first time! If they don't we can expect a dramatic increase in data leakage and availability incidents.

    Another challenge will be getting good advice that is not overly vendor driven - especially with regard to the EU and UK data protection legislation where the guidance from the regulators tends to be generalist rather than specific and often lags behind technology developments.  

    A further challenge will be controlling end-user procurement of cloud. I see this as a similar challenge to the one that the mainframe-centric organisations faced with the proliferation of early PCs bought by individual departments. It took them a while to wake up to the challenge and arguably some of the seeds of the governance challenges we still battle today were planted then. Although similar, the cloud is more of a governance challenge in that the barriers to entry are so low!

    RGN01 (Lively) at 5/18/2011 2:31:11 PM
    (1 ratings)

    RE: Week 1 ISACA Cloud Governance Project

    Q1.  In my mind cloud computing is a repackaging of the old Application Service Providers (ASPs) or Remote Computing Option (RCO) offered by typically application vendors (in the past). The biggest difference is that in the past the services were provided by the vendor who sold you the software and in this rebirth the providers of the cloud service are not the same company who designs, develops and sells you the software. I like the utility model analogy. You connect up to the cloud and use as much or as little as you need.

    Q2. The governance implications of cloud computing, while the same as other types of deployments, are harder to achieve due to the many different cloud business models being offered. In order to make business sense, many of the vendors offering cloud services require a great deal of flexibility in how they provide their services that are largely transparent to the purchaser of the services.  Unless the buyer is diligent in asking the right types of questions and understands the provider's model well enough to ask the right questions, there may be aspects to the deployment that do not have the level of governance required. It makes the contracting process much more critical and complicated, but not impossible. Without paying careful attention to the contract and doing your research, it could be a case of "buyer beware".

    Mary Siero (Lively) at 5/18/2011 7:39:51 AM
    (2 ratings)

    RE: Week 1 ISACA Cloud Governance Project

    I agree that the term "cloud computing" is vague and does not convey much meaning by itself. Also, given that this paradigm shift is being driven primarily by vendors and service providers, most of the discussion is naturally centered around deployment models and service models, which lack the consumer or user focus. I think we need to define Cloud Computing given the way its users see it rather than the way service providers deploy or manage it behind the scenes.

    From the user's perspective, I think cloud turns IT service into a commodity or utility which is available when you need it, where you need it, just like electricity or water. You use as much as you need and you pay for what you use. The entire infrastructure, complexity, time, cost, management and operational efforts are borne by the specialist service provider, who creates a win-win situation with the economies of scale.  Strictly from an 'IT Service Delivery' perspective there are tremendous advantages of Cloud as we all know, mainly in terms of rapid provisioning, on-demand/anywhere access, and a pay-as-you-go cost model.

    But even though this arrangement is beneficial from a purely IT and Business standpoint, there are some spectacular gaps in the Governance, Security and Control aspects. These issues aren't new and in many cases are solved for the in-house IT situation, but they need to be resolved again for the Cloud. I think we need to take these open questions one at a time and discuss how best they could be addressed bilaterally to build the required level of transparency between vendor and consumer. I think getting both parties to agree to a certain set of Governance standards will tremendously boost consumer confidence and consequently the adoption of the cloud.

    Subodh (Lively) at 5/16/2011 2:26:48 PM
    (2 ratings)

    RE: Week 1 ISACA Cloud Governance Project

    I will post more during the week, but wanted to start with an initial view of question 1, what is cloud computing?

    Having read through much of the posted documentation, as well as numerous other articles/news stories, I am struck by how much we all think we know what cloud computing is, but how actually vague the definitions really are.  This is a point developed to some degree in the article 'The last cloud computing definition you'll ever need' (Giglia and Lipinsky de Orlov), with their '"Cloud" has become a vague and flexible term that does not reference anything in particular' quote.

    Going further and analysing the NIST definition within the Hutton consulting overview document was interesting.  Much of the definition is very open to individual interpretation.  Terms ‘rapidly provisioned’ and ‘minimal management effort or service provider interaction’ may be thought to be understood by all, but all may have a different view on what is rapid and what is minimal.  This will be driven by the perception of the person, built on their starting points, experience and expectations, and using the definition a wide variety of pre-existing IT/computing services could be (and are) being badged as cloud.  This is similar to the days of putting 'e' in front of everything (e-commerce etc).

    John Lloyd (Lively) at 5/16/2011 10:03:54 AM
    (1 ratings)

    RE: Week 1 ISACA Cloud Governance Project

    I am in favor of adopting the NIST definition.  It is concise, avoids hyperbole and focuses on the defining attributes.  

    As to what makes Cloud Computing different than other models...  from my perspective there are two key comparisons, one commercial and one private.  The comparator I use for the 'commercial' model is a generic outsourcing model.    I pick that general model for the common theme of "paying someone else to do something that you could do for yourself".   A purely privately operated model appears a more technical comparison.  Let me get back to that.

    In a commercial cloud computing model, whether a completely implemented scenario or a partial scenario, much of the same administrative governance (contract, oversight, compliance, etc.) is common to a conventional outsourcing model.  The same contract rigor is required going into and operating a cloud model as is required in a conventional outsourcing model.  The differences in cloud computing for me are additional diligence with respect to exit strategies, conformance to open standards, and a clear understanding of how dynamic re-distribution of data/computing resources will affect regulatory compliance and maintain a conforming environment.  Add to that additional oversight to handle 'sub-contract' entities or 'brokered services'.  Right now many companies and governmental agencies are finding the persistence of time/place along with inter-operability to be issues with governance.

    A private implementation using cloud models doesn't carry the same contractual requirements as a commercial one.  However, the same level of diligence must be applied to ensuring corporate governance standards are maintained when time/place persistence is now part of the environment.  As with a commercial model, cross-border data requirements become additional concerns.

    In either environment the financial governance and oversight require new tools and technical disciplines that may not yet be fully developed.  Similarly, the risk model associated with IT governance should not only be revisited but may also have to be revisited more frequently than in other less dynamic models.
    Austin Hutton at 5/15/2011 9:49:20 AM

    RE: Week 1 ISACA Cloud Governance Project

    Answer #1: I like ISACA's White paper on Cloud Computing (Cloud Computing: Business Benefits with Security, Governance and Assurance Perspectives) definition -  it is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. I am particularly fond of "it is a model" and not just a platform or an infrastructure.

    Answer #2: Let me start with the Governance of Cloud Computing question - in order to guarantee consistent, predictable, compliant, and reliable Cloud services, we need policies and procedures on Cloud services management and risk management. 
    For me the main difference between the Cloud Computing approach and conventional outsourcing is the high interoperability and interdependency of the services in the Cloud(s) making it susceptible to other services failure or unauthorized change. 
    Souza Neto at 5/15/2011 8:58:31 AM

    RE: Week 1 ISACA Cloud Governance Project

    For the last task set by Ron Hale, I converted Deloitte’s Cloud Computing Risk Intelligence Map to text.

    The task was to identify specific differences between cloud computing and traditional computing models that will have a governance impact.

    I’ve put a # in front of those risks that I considered specific to cloud computing and not general in nature. For example, “inadequate management oversight of cloud adoption”, which can be found 5 lines below, deals with a general management problem, the one of inadequate management oversight. This is not exclusive to cloud computing!

    Here is the list with my marks:

    Governance, Risk Management and Compliance

    Governance

    Inadequate management oversight of cloud adoption

    Failure to evaluate and monitor usage of cloud

    Risk Management

    Inadequate analysis of incremental risks introduced by cloud

    Lack of independent assessment of cloud solution

    Insufficient expertise in auditing cloud environment

    Compliance

    Inability to demonstrate compliance with regulatory requirements

    Limitations on ability to monitor compliance of cloud components

    Changing compliance landscape due to evolving regulations and standards

    # Noncompliance with multijurisdictional data privacy laws due to lack of visibility into data location

    Delivery Strategy and Architecture

    Strategy

    Lack of a coherent cloud strategy and roadmap

    Cloud strategy not aligned with business needs or technology maturity

    Architecture

    # Lack of proper isolation for sensitive data due to multitenancy in cloud

    Lack of configurability and customization of cloud architecture

    Inability to use best-of-breed technologies

    Unacceptable performance degradation due to increased network or system latency

    # Failure to engineer cloud applications to leverage scalability offered by the cloud

    Infrastructure Security

    Vulnerability Management

    # Security vulnerabilities introduced by cloud co-tenants and ecosystem partners

    Failure to protect against new vulnerabilities in virtualization technologies

    Lack of timely security patches for proprietary cloud components

    # Failure to patch vulnerabilities in virtual machine templates and offline virtual machines

    # Inadequate vulnerability testing of services obtained from cloud ecosystem partners

    Network Security

    Compromise of cloud management interfaces due to targeted attacks

    Failure to secure network traffic between distributed cloud components

    Exposure to distributed-denial-of–service attacks against public-facing cloud interfaces

    # Lack of defense against attacks originating from within the cloud environment

    System Security

    Compromise of cloud environment due to poor security practices by the customer

    # Lack of adequate cloud service security due to conflicting customer priorities

    Insecure end-user systems interacting with cloud-based applications

    # Failure to secure intra-host communications among multiple virtual machines

    Application Security

    Inability to independently test application security

    Circumvention of application access controls by cloud provider staff

    Failure to secure interfaces between variety of cloud-based and traditional applications

    Inadequate facilities to capture and store application logs

    Encryption

    Lack of controls to prevent cloud provider from accessing encryption keys

    Poorly implemented encryption and key management due to cloud service immaturity

    Identity and Access Management

    Identity Management

    # Insecure integration of internal and cloud-based identity management components

    # Inadequate due diligence prior to assignment of broad cloud management privileges

    Access Management

    Failure to implement proper access controls for cloud management interfaces

    Inadequate logical access control options due to cloud service immaturity

    Inability to restrict access or implement segregation of duties for cloud provider staff

    Data Management

    Data Acquisition

    Housing inappropriately collected data

    Data Storage

    Unauthorized access to data storage through underlying cloud technology

    # Inability to monitor data integrity inside cloud storage

    # Failure to properly retain data due to complexity of multiple cloud data stores

    Data Usage

    # Lack of clear ownership of cloud-generated data

    Unauthorized access or inappropriate use of sensitive data (e.g. personal data, intellectual property)

    Underutilization of data use due to restrictions on access to data in cloud

    Data Transfer

    # Noncompliance with data privacy laws due to cross-jurisdictional data transfer

    # Inability to integrate data loss prevention technology with cloud solution

    Data Disposal

    # Failure to remove data from multiple cloud data stores

    # Insecure deletion of data from multiple-use hardware resources

    Business Resiliency and Availability

    Technology Resiliency

    Cloud service failure due to oversubscription in peak usage periods

    # Inability to verify cloud infrastructure resiliency

    Single-points-of-failure due to addition of complex technology components

    # Increased complexity of data replication or backup to other clouds or back in-house

    Cloud Provider Continuity

    # Inability to test cloud continuity and disaster recovery plans

    # Lack of continuity plan for cloud provider failure, acquisition, or change in service strategy

    Failure to establish source code escrow agreement for proprietary software

    Supply Chain Continuity

    # Interruption of cloud services due to critical subcontractor failure

    IT Operation

    Asset Management

    # Failure to comply with software licenses due to ease of cloud resource provisioning

    # Insufficient tracking of virtual assets

    Project Management

    Poorly defined roles and responsibilities of cloud participants

    Unresponsiveness in cloud provider communications due to customer volume

    Incident Management

    # Delayed data breach notification due to complex identification of affected customers

    # Ineffective incident investigation due to impermanence of virtual systems

    # Failure to limit incident spill-over to other cloud tenants

    # Inability to troubleshoot performance issues due to continuous environment changes

    Change Management

    # Inadequate cloud migration planning

    # Inability to align business process changes with standardized cloud service options

    # Lack of coordination of system maintenance resulting in conflicting changes and difficult troubleshooting

    Operations

    Inadequate monitoring of cloud resource utilization

    IT operational processes not updated to reflect unique cloud computing risks

    Lower availability of cloud service than prescribed by the SLA due to provider oversubscription

    # Inability to provide adequate level of service globally

    Physical and Environmental

    # Inadequate physical and environmental safeguards for cloud locations

    # Increased data loss for multiple customers from physical machine theft

    Vendor Management

    Vendor Selection

    Inadequate due diligence of cloud security controls

    Lack of sufficient number of viable cloud providers

    Lack of performance track record due to cloud service immaturity

    Monitoring

    Lack of performance monitoring mechanisms beyond cloud provider reports

    # Inability to use third parties to assess cloud provider performance

    # Gap between provider’s nonperformance vs. business impact of service disruption

    Vendor Lock-in

    High cost of migrating cloud-resident technology due to proprietary architecture

    # Complexity in architecting technical solutions that minimize vendor lock-in

    # Failure to plan for cloud portability and interoperability

    # Lack of agreed upon exit obligations for both provider and customer

    Contracting

    # Inability to customize cloud contract and establish cloud provider liability

    # Failure to update cloud contract over time to reflect operating changes

    Resource Provisioning

    # Failure to formally define maximum available cloud resources

    Business Operations

    Human Resources

    Malicious insiders with administrative access to cloud components

    Inadequate IT skills to manage cloud-based technologies

    Failure to retain technical specialists upon cloud migration to oversee cloud operations

    Legal

    # Inadequate records management, preservation, retention, and disposal policies

    # Unauthorized exposure of data at cloud locations with unpredictable legal environment

    Failure to consider digital evidence and e-discovery issues in contracts

    Finance

    # Lack of internal controls for financial processes and transactions in the cloud

    # Failure to control cloud expenses due to ease of proliferation of cloud usage

    # Economic denial-of-service by exhausting metered cloud resources

    Tax

    # Failure to analyze and plan for tax considerations

    Souza Neto at 5/20/2011 5:14:34 PM

    RE: Week 1 ISACA Cloud Governance Project

    Q1.  In my mind cloud computing is a repackaging of the old Application Service Providers (ASPs) or Remote Computing Option (RCO) offered by typically application vendors (in the past). The biggest difference is that in the past the services were provided by the vendor who sold you the software and in this rebirth the providers of the cloud service are not the same company who designs, develops and sells you the software. I like the utility model analogy. You connect up to the cloud and use as much or as little as you need.

    Q2. The governance implications of cloud computing, while the same as other types of deployments, are harder to achieve due to the many different cloud business models being offered. In order to make business sense, many of the vendors offering cloud services require a great deal of flexibility in how they provide their services that are largely transparent to the purchaser of the services.  Unless the buyer is diligent in asking the right types of questions and understands the provider's model well enough to ask the right questions, there may be aspects to the deployment that do not have the level of governance required. It makes the contracting process much more critical and complicated, but not impossible. Without paying careful attention to the contract and doing your research, it could be a case of "buyer beware".
    Mary Siero at 5/18/2011 7:39:51 AM

    RE: Week 1 ISACA Cloud Governance Project

    I agree that the term "cloud computing" is vague and does not convey much meaning by itself. Also, given that this paradigm shift is being driven primarily by vendors and service providers, most of the discussion is naturally centered around deployment models and service models, which lack the consumer or user focus. I think we need to define Cloud Computing given the way its users see it rather than the way service providers deploy or manage it behind the scenes.

    From the user's perspective, I think cloud turns IT service into a commodity or utility which is available when you need it, where you need it, just like electricity or water. You use as much as you need and you pay for what you use. The entire infrastructure, complexity, time, cost, management and operational efforts are borne by the specialist service provider, who creates a win-win situation with the economies of scale.  Strictly from an 'IT Service Delivery' perspective there are tremendous advantages of Cloud, as we all know, mainly in terms of rapid provisioning, on-demand/anywhere access, and a pay-as-you-go cost model.

    But even though this arrangement is beneficial from a purely IT and Business standpoint, there are some spectacular gaps in the Governance, Security and Control aspects. These issues aren't new and in many cases are solved for the in-house IT situation, but they need to be resolved again for the Cloud. I think we need to take these open questions one at a time and discuss how best they could be addressed bilaterally to build the required level of transparency between vendor and consumer. I think getting both parties to agree to a certain set of Governance standards will tremendously boost consumer confidence and consequently the adoption of the cloud.
    Subodh at 5/16/2011 2:26:48 PM

    RE: Week 1 ISACA Cloud Governance Project

    Q1. I like the NIST definition already mentioned. While it does contain subjective terms that could be debated I don't think this devalues it as a definition. I particularly like the 'model' aspect without which descriptions of cloud tend to become product or service specific.

    Q2. Far too many organisations seem to have allowed a mentality of "the data is on our servers, in our data centre which is staffed by permanent employees so it must be safe" to develop - particularly amongst SMEs. To get the benefits of cloud they will have a very steep mountain of learning to climb. They will have to properly understand issues like supplier risk management, cross-border data protection etc. - perhaps for the first time! If they don't we can expect a dramatic increase in data leakage and availability incidents.

    Another challenge will be getting good advice that is not overly vendor driven - especially with regard to the EU and UK data protection legislation where the guidance from the regulators tends to be generalist rather than specific and often lags behind technology developments.  

    A further challenge will be controlling end-user procurement of cloud. I see this as a similar challenge to the one that the mainframe-centric organisations faced with the proliferation of early PCs bought by individual departments. It took them a while to wake up to the challenge and arguably some of the seeds of the governance challenges we still battle today were planted then. Although similar, the cloud is more of a governance challenge in that the barriers to entry are so low!
    RGN01 at 5/18/2011 2:31:11 PM

    RE: Week 1 ISACA Cloud Governance Project

    The key characteristic of cloud computing is that the computing is "in the cloud"; i.e. processing is done on something which is Internet-like (this can be public or we can create a virtual Internet-like environment). In an Internet-like environment the infrastructure, data, applications etc. are all distributed across many computers over wide-spread networks and users access it using a simple browser and/or minimal resources. I think cloud computing is very much like "Internet computing" with the only difference being we create/define our own Internet and then offer various shared services (SaaS, PaaS, IaaS etc.) which the consumer/user can subscribe to. So "Cloud computing" = "Internet-Like Computing". Then there are terms like public and private clouds. A public cloud can be analogous to the "Internet" and a private cloud can be analogous to a "Virtual Private Network (VPN)".

    Regarding Governance of Cloud Computing, I think it is similar to "Governance of Computing on Internet or Internet-Like environment" and this can be more difficult because we are referring to our corporate data anywhere on the cloud or virtualized environment and not specifically on our web-servers located in our data center.

    SKA at 5/20/2011 2:59:04 PM

    RE: Week 1 ISACA Cloud Governance Project

    The definition of Cloud Computing still has a lot of freedom in its conceptualization, being influenced by the experience of those who define it. In my case it is on-demand access to a shared set of computing resources in a standardized way.

    Regarding the differences with other approaches, I consider that cloud computing can integrate more easily and rapidly with business applications and facilitates adaptation worldwide. However, it could result in a high dependency on the provider and Internet access. Additionally, sensitive data could be exposed if the customer relies on storage in the cloud and the provider has highly critical vulnerabilities.

    Romulo Lomparte at 5/23/2011 10:15:25 AM

    RE: Week 1 ISACA Cloud Governance Project

    Our early comments on what cloud computing is seemed to focus on the qualities of cloud such as convenient, on demand, network access, shared pool and so on.  It is interesting that these qualities are somewhat vague as John pointed out. It is also interesting that if this is the definition of cloud computing many organizations that claim to have launched a private cloud have only virtualized their servers.  Virtualization may be a tool within the cloud solution but by itself it does not meet all of the criteria.  Is there really such a thing as a private cloud?

    Souzaneto commented that while people look at cloud computing as being "outsourcing" there are differences.  Cloud differs from traditional outsourcing because of the high level of interoperability and interdependency that exists between the service provider and the tenant.  Perhaps a better way to look at cloud computing is as a supply chain.  This may be particularly true if we consider the impact brokers and integrators will have in designing and building more complex custom and packaged solutions.

    Austin presented the idea that cloud can be different from outsourcing because of the needed focus on an exit strategy.  He added that there may be a need for different governance tools and risk models.  Although we are not talking about the impact on organizations and professions, it may be good to mention that traditional audit, which looks for evidence of past performance, may need to focus on real-time and continuous performance and conformance assessments.

    Another group also looking at cloud computing provided the notion that cloud computing is multi-dimensional.  We can look at a technical description or a functional description; both are valid. We can also look at cloud from the perspective of the business, which may come closer to providing a supply-chain-like definition.  Subodh commented that we need to define cloud from a consumer perspective or as a utility, which may be closer to a business definition as well.

    Many of us have commented on what the differences are between cloud and other models for delivering IT services.  Mary concludes that cloud will require asking more questions and provides the example of privacy issues, UK - EU regulations, and the lack of specific guidance.

    I posted the Cloud Computing Risk Intelligence Map that Deloitte produced to the publications.  Look at this map and let's identify specific differences between cloud computing and traditional computing models that will have a governance impact.
    Ron Hale Ph.D. CISM at 5/19/2011 9:02:21 AM

    RE: Week 1 ISACA Cloud Governance Project

    So, what is “Cloud Computing”? As we shall see, the experts disagree on its exact definition but most concur that it includes the notion of web-based services that are available on demand from an optimized and highly scalable service provider.

    Despite the technical sound of its characteristics, it has not garnered excitement from technologists but has captured the attention of business leaders around the world.

    We have established that “Cloud computing” is a buzzword. Everyone wants to know more about it. All vendors are re-branding their products as being aligned with the cloud. And still the most common question we hear is: what does it mean? (The same is evidenced from the responses submitted in this discussion.) Some standard definitions which are resonating in the blogosphere are taken as standard ones from NIST, Cloud Security Alliance, Gartner, Forrester, Wikipedia…

    The key to understanding common interpretations of the term “Cloud Computing” is to examine the assortment of attributes of typical cloud solutions. This doesn’t mean that every cloud attribute is essential to cloud computing or even that there is necessarily any which qualifies a given approach as fitting the cloud paradigm. But typically the more these attributes apply, the more likely others will accept it as a cloud solution.

    Some key components include:

    • Off-premise
    • Elasticity
    • Flexible Billing
    • Virtualization
    • Service Delivery
    • Universal Access
    • Simplified Management
    • Affordable resources
    • Multi-tenancy
    • Service Level Management
    • Security!

    Madhav Chablani at 5/19/2011 2:33:14 PM

    RE: Week 1 ISACA Cloud Governance Project

    Q1. I agree with Souzaneto, definition of cloud computing in ISACA White paper is excellent. I just add something from Gartner related to a cloud computing definition: "Style of computing in which scalable and elastic IT-enabled capabilities are provided as a service to consumers using Internet technologies". For me the word "capabilities" makes the difference, a cloud model offers capabilities instead of a particular solution.

    Q2. Cloud computing is an emerging technology, it is full of questions and few responses about how the model will really work with complex business services. Cloud computing is different from old outsourcing and hosting models because its approach on the consumption model. Cloud providers must support the delivery of an elastically scalable service for multiple users. 
    The cloud model presents some governance challenges to address. Just the fact that some business unit can receive services directly from the cloud is a big issue.
    The first step from my point of view is that the information security policies have to be revised and updated to include cloud services.

    Salomon Rico at 5/19/2011 7:07:44 PM

    RE: Week 1 ISACA Cloud Governance Project

    Q1 - I don't have major comments on the first question other than it is an excellent challenge for some professionals with a scientific background who don't like to deal with any kind of conceptual ambiguity. The concept is so abstract, virtualized, disperse, diffused and amorphous. How do you explain the concept to somebody on your Board with a non-technical background, or more important, how do you provide them an explanation of any available forms of assurance, if any?

    Q2 - Let's play roles. You are a member of one of the governance bodies of your company. That is what we are talking about when we refer to IT Governance, isn't it? For example, you are a member of the IT governance committee, or you are a member of the audit committee. Your CXO is considering migrating a portion of the application portfolio to "the cloud". Your company operates within a regulated industry. The first thing you should be aware of is that "the cloud" could be (under my point of view) an ultimate kind of IT outsourcing, eventually in-sourcing, or co-sourcing, but more important, eventually it could be the most extreme case of off-shoring! Off-shoring? Yes, the cloud could be served here, there, and far from your location, eventually at the same time. To which country? Preliminarily undefined. These are some comments just to illustrate that IT Governance of Cloud Computing may have some particular complexities. I invite you to play the role and launch questions from a governance perspective:

    - Which part of the apps portfolio will you migrate first, and why?
    - Are these initiatives governed under CAPEX (capital projects) or OPEX/APEX (operating/administrative expenses) rules and procedures?
    - What kind of assurance does the provider include in the contract/SLA?
    - What kind of audits should we provide to the stakeholders?
    - Is SAS70 enough to provide assurance to "the cloud"? SSAE16?
    - Is there any standard for "cloud computing"? Anything in draft mode?
    - What could be a reasonable contingency plan if the "cloud" fails? Can we use more than one "cloud" at the same time?
    - Are we sure we are in compliance with laws and regulations?
    - Is there any hidden cost of compliance?
    fnikitin at 5/19/2011 10:33:44 PM

    RE: Week 1 ISACA Cloud Governance Project

    All of your definitions are correct.
    In my opinion, the definition of Cloud Computing is like a Molecular Ubiquity Data interaction with computational systems.

    ramoncod at 5/23/2011 12:03:11 PM

    RE: Week 1 ISACA Cloud Governance Project

    Regarding the definition of cloud computing, I think the mentioned definitions (esp. ISACA's) are a good foundation for future work. Though they might have certain differences or focus on different areas, they are sufficient to have a common understanding. To develop the one and only definition might be more of scientific value than of practical importance.

    I think there are much bigger challenges in the area of governance, risk management and compliance. I work in a regulated, asset-based industry which belongs to the national infrastructure. So risk is always a concern. Today's methods cover the usual IT demand/supply relations. Cloud computing, in contrast, comes with new challenges. For example: data and data services. Today data is grouped around its logical coherence, and dedicated services are defined to store, transform, archive ... that data. Looking forward, the different setup of cloud services could lead to a completely different split of data into cloud-ready data and data which has to be covered by the usual service relations. One reason to implement that split lies, for example, in the legislation regarding data protection.
    Michael.Semrau at 5/24/2011 2:17:49 PM

    RE: Week 1 ISACA Cloud Governance Project

    There are many definitions of it, but I think that all of them are incomplete because each one has only a part of the conditions for a cloud.

    So for me cloud computing is a model that has three dimensions. The first is a platform that contains the different levels that people can use (these are a universe of services, for example infrastructure, databases, applications, etc.). The second dimension includes SLAs (Service Level Agreements); these are the conditions that users need for the services contracted. At this point it is important to know that in this model, users don't have any information about the details of the services that they need. The third dimension includes a group of conditions that providers need to ensure excellent services. These conditions are associated with availability, integrity and confidentiality.

    For me the third dimension has the major considerations of the control center, and I believe that it is where the major interactions of government must be had.

    Jpvargas at 5/26/2011 10:36:54 AM

    RE: Week 1 ISACA Cloud Governance Project

    Yes, materials from are very good resources.
    Especially, the results from NIST's open discussion are very important for us.
    "The NIST Cloud Computing Collaboration Site":
  • Reference Architecture and Taxonomy
  • Standards Acceleration to Jumpstart the Adoption of Cloud Computing (SAJACC)
  • Cloud Security
  • Standards Roadmap
  • Business Use Cases

    These may be very useful as a base for our discussion, I think.

    However, there is no discussion about IT governance of Cloud Computing.
    Cloud Computing is one of our choices. Cloud Computing is not almighty.
    Cloud Computing brings us new benefits and new risks.
    Let's discuss together the governance & guidelines of the Cloud Computing era.

    Masatoshi Kajimoto, CISA, CRISC at 5/29/2011 7:03:49 PM