Course Description
Cloud Computing has been described as “the ultimate form of outsourcing”. This refers to the fact that moving into the cloud allows the enterprise to outsource or rent infrastructure, IT services, application software, or any combination of these. In other words, IT services are purchased using a linear utility model.
Although the Cloud model is attractive, CIOs express near-universal concern about one issue: security. These concerns include unauthorized access to sensitive business data (by outsiders or insiders at the Cloud ISP); availability and performance; location of the data (certain sensitive data may be prohibited by law from being stored outside the enterprise’s country boundaries); ability to retrieve the data in the event of contract termination; auditability; physical security at the ISP; and more.
The Cloud model comes in three forms, each with its own security, control, and operational concerns. This seminar addresses these issues and explores how to protect the enterprise's assets.
In this seminar, we will discuss the critical issues to be considered:
- Before the Cloud contract is signed
- For the duration of the contract
- At contract change or renegotiation
- At the end of the contractual relationship.
Learning Objectives:
- Describe the benefits and corresponding risks associated with each Cloud Computing model
- Identify who should be involved in negotiating the contract with the Cloud ISP
- Identify control issues to be included up-front in the contract
- Address the Cloud CIAA (Confidentiality, Integrity, Availability and Accountability)
- Identify metrics needed to maintain control of the outsourced Cloud environment
- Define the ongoing risk assessment process in a Cloud environment
Course Outline
Understanding the Cloud Model
- The PAYG (Pay-as-You-Go) model for IT services
- The 3 basic models: IaaS, PaaS, SaaS
- Business value of Cloud Computing
- Corporate goals for each model
- Motivation for each model
- Necessary partnership with ISPs and other vendors
Business Risks with the Cloud Models
- Contractual issues
- Strategic risk
- Standards and lack thereof
- Maintaining the same level of control
- Tactical issues
- Location, location, location
- Administration: theirs and ours
- Access control
- Privacy and confidentiality
- Data Integrity
- Availability and recoverability
- Risks with Virtual Machine environments
Managing the Cloud
- Encryption, encryption, encryption
- Scalability
- Data interchange
- Key management
- Meaningful Metrics
- SLAs
- Security and Risk Assessment
- Mutual Responsibilities
- Billing
Other issues
- Public vs. private clouds
- International: privacy, data location, data dispersal
- Litigation
- End of life / termination of agreement
- Compliance with laws and regulations
- Independent auditing
- Insurance
Additional Information
Who Should Attend
- Information security professionals
- Internal control professionals
- IT and operational auditors
- Risk managers
Learning Level
Intermediate
Delivery
Group-Live & Group Internet-Based
Field
Auditing
Advanced Preparation
None
Recommended Prerequisites
General understanding of IT processes, business and accounting applications, and IT outsourcing processes.
Session Duration
Online: Two 3-hour sessions
On Site: 1 day
CPE Credits: 7