Auditing in the Cloud
Can technology improve audit compliance ..... and how secure is it?
Tony Carrucan, CEO, Mediasphere
Rich Neal, CEO, Auditflow
HOW TO USE THE KEYPADS Choose your response from the  corresponding keypad button(s). The light will go  GREEN   to confirm  your response has been received. You can  change your answer   (whilst voting is open) simply by pressing your new response button(s).  (The system will only count the last vote)
Keypad Responses Please note all responses for this session will be  ANONYMOUS
Where are you from? Australia NZ Singapore  China Other
Are you: Male Female Not sure
Are you in public practice? Yes No
Do you understand what the Cloud is about? Absolutely Sort of  Not really Clear as mud
Do you think the Cloud is secure? Yes I think so I don’t think so No
Do you think content and applications are more likely to be up to date if hosted in the Cloud? Yes I think so I don’t think so No
Do you audit? Yes No
How many SME audits would you do annually? 1 - 5 6 – 10 11 – 15 16 – 20 21 – 50 51+
How many SMSF audits would you do annually? 1 - 5 6 – 10 11 - 26 27 - 50 51 - 100 101 – 500 500+
The World has Changed!
 
The Next 5 Years
Device Growth of Adoption
 
Why is Everyone Talking About the Cloud? Cloud computing is a revolution that will change your business for the better, letting you work faster, cheaper and better, and from just about anywhere. Cloud computing is one term for Internet-based software and hardware platforms: instead of installing programs on your own computer, you access them over the Internet. Gmail is cloud computing; in fact most of what Google offers is cloud computing, accessed through a web interface.
 
 
What is Cloud Computing?
Gartner Cloud Computing Research 2011
Your Company as a Social Enterprise. During his Dreamforce keynote earlier this year, Marc Benioff, CEO of Salesforce, spoke of the power and absolute inevitability of the social revolution and the need for companies to transform themselves into social enterprises. All of that, he said, is best achieved through the use of cloud technology and philosophy.
 
 
Queensland Premier’s Website Toward Q2: Tomorrow’s Queensland
www.myq2.com.au   Gov 2.0 in the Cloud
MyQ2 – My Site in the Cloud
Technical Cloud 101 = Software, Platform, Infrastructure-as-a-Service
SaaS (Software-as-a-Service) is the application itself, delivered on demand: the daily tasks you would do with desktop software, accessed over the Internet. On demand means you use it only when you need it, so you pay for and consume resources only when you need them, anywhere, anytime.
PaaS (Platform-as-a-Service) delivers a computing platform on which your application consumes computing resources as needed.
IaaS (Infrastructure-as-a-Service) is the underlying infrastructure: the servers, storage and network that the provider manages and monitors.
Where do the acronyms fit in? Note that not all SaaS providers are built on PaaS and/or IaaS.
Infrastructure-as-a-Service (layers, top to bottom)
Application server stacks: the customer's own stacks (three shown), one per virtual machine
Virtualisation: 2+ virtual machines with HA; managed firewall/router/VPN, etc.
Hardware: dual quad-core processors, DAS/SAN/NAS storage, redundant PSU and NIC, etc.
Networking: routers, VLANs, managed switches, etc.
Data comm: Tier-1 bandwidth, public/WAN IP, etc.
Platform-as-a-Service (layers, top to bottom)
Software access: the customer applications using the platform (three shown)
Deployment: software deployment, customisation, billing, provisioning, monitoring
Development & API: user interface, business logic, data model
Application services: core computing platform, queue services, scalability, high availability, resource management
Operating systems: RHEL, Solaris, Debian, Windows Server, Ubuntu, etc.
Data: data and file storage, database cluster, and data warehouse
Software-as-a-Service (layers, top to bottom)
User interface: user interaction, roles and access, customisation; charged subscription-based, transaction-based or ad-based
Application features: user management, customer management, online forms, reporting tools, etc.
Data access: controlled access to data directly from the application or via a web service API
Data and files: storage, database cluster, and data warehouse
Auditing-as-a-Service (roles)
Engagement Partner: monitors the firm's audit workflow
Review Partner: sees which review points are outstanding with clients
Manager: works on and manages audit engagements
Intermediate Auditor: works on client audit assignments
Junior Auditor: works on client audit assignments
Engagement types: SME audit, corporate audit, SMSF audit
 
Current challenges with data: data confidentiality and compliance; data segregation; data integrity. A lack of understanding about cloud technologies leads accountants and auditors to assume that data is safer on their own computers and servers. What would happen if you lost your laptop? Is your data encrypted, or just protected by your login password, and how strong is that password? Let's explore the risks and mitigation strategies in the cloud.
 
 
 
Cloud Computing Adoption Is cloud computing just a trend or is it a technology that you seriously consider in your business?
Compliance requirements have escalated. Accuracy and responsibility in financial reporting. Simplicity amongst the complexity of changing rules. Financial planners and accountants alike require a full suite of reliable, compliant applications. GFC: what did we learn?
96% of small/medium Australian company auditors fail the compliance test (4% pass). ASIC Report, 2008/2009.
Over 570,000 audits are conducted in Australia per annum; 450,000 of these are SMSF audits. Over 10 million audits are conducted annually worldwide. International Auditing Standards have been adopted by 125 countries.
The industry is not keeping up with changing regulations: an enormous volume of requirements, low margins on fees, time constraints, and a lack of tools and knowledge.
The average audit firm using traditional audit practice: every now and then we run out of data storage space, buy more servers, update the printer, replace ink, or restore from backup because a junior has deleted the wrong folder. Then every year you need to renew all your software licences. Why pay for software, servers and a team of IT professionals when all of it can be in the cloud?
Typical workflow: create/set up client files; preliminary work; audit planning process and audit procedures; review process; audit complete and archiving.
Supporting tools: email and fax correspondence; folder and file management through Windows Explorer; managing client contacts; file versioning and track changes; multi-user access.
Cloud: easily and constantly updated; processes to guide compliance; secure access to data; unlocks the process; builds around the client; simplifies support; seamless upgrades; client centric; centrally managed.
What does it mean to you and your auditing team (benefits)? Do what you and your audit team excel at doing. Reduced cost. Mobility and accessibility. No software upgrade hassle. No tape backups or system backups to worry about. Compliance references kept up to date automatically. Collaboration with the audit engagement team. Eco-friendly: less or no paper storage required. Business continuity and high availability.
Risks and issues: security of information; contingency plan; disaster recovery plan; confidentiality of information; always connected; offshore data storage, legislation and jurisdiction.
Cloud Security. IT analyst firm Gartner identifies seven specific security issues that users should raise with application vendors before purchasing. 1. Privileged user access. Sensitive data processed outside the enterprise brings with it an inherent level of risk, because outsourced services bypass the "physical, logical and personnel controls" IT shops exert over in-house programs. Get as much information as you can about the people who manage your data. "Ask providers to supply specific information on the hiring and oversight of privileged administrators, and the controls over their access," Gartner says. http://www.infoworld.com/d/security-central/gartner-seven-cloud-computing-security-risks-853
Cloud Security 2. Regulatory compliance.  Customers are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider.  Traditional service providers are subjected to external audits and security certifications.  Cloud computing providers who refuse to undergo this scrutiny are "signalling that customers can only use them for the most trivial functions," according to Gartner.
Cloud Security 3. Data location. When you use the cloud, you probably won't know exactly where your data is hosted. In fact, you might not even know what country it will be stored in. Ask providers if they will commit to storing and processing data in specific jurisdictions, and whether they will make a contractual commitment to obey local privacy requirements on behalf of their customers, Gartner advises.
Cloud Security 4. Data segregation.  Data in the cloud is typically in a shared environment alongside data from other customers. Encryption is effective but isn't a cure-all.  "Find out what is done to segregate data at rest," Gartner advises.  The cloud provider should provide evidence that encryption schemes were designed and tested by experienced specialists.  "Encryption accidents can make data totally unusable, and even normal encryption can complicate availability," Gartner says.
Cloud Security 5. Recovery.  Even if you don't know where your data is, a cloud provider should tell you what will happen to your data and service in case of a disaster. "Any offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to a total failure," Gartner says. Ask your provider if it has "the ability to do a complete restoration, and how long it will take."
Cloud Security 6. Investigative support.  Investigating inappropriate or illegal activity may be impossible in cloud computing, Gartner warns.  "Cloud services are especially difficult to investigate, because logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and data centres.  If you cannot get a contractual commitment to support specific forms of investigation, along with evidence that the vendor has already successfully supported such activities, then your only safe assumption is that investigation and discovery requests will be impossible."
Cloud Security 7. Long-term viability.  Ideally, your cloud computing provider will never go broke or get acquired and swallowed up by a larger company. But you must be sure your data will remain available even after such an event. "Ask potential providers how you would get your data back and if it would be in a format that you could import into a replacement application," Gartner says.
Top security tips for you and what you can do
As an end-user, you should consider the following:
1. Strong password: longer than 8 characters, mixing upper- and lower-case letters, digits and symbols. Length matters most; a multi-word passphrase is both easier to remember and stronger than a short "complex" string.
2. Replacing letters with special characters (e.g. a -> @, i -> !, b -> 6, q -> 9, s -> 5 or %, e -> 3 or #) is common advice, but these substitutions are predictable: password-cracking tools apply exactly these rules to every dictionary word, so on their own they add very little. Use them on top of length, not instead of it. http://howsecureismypassword.net/
3. Give a security question an answer that has nothing to do with the question (and keep a record of it, since it is effectively a second password).
4. Do not use the "remember me" feature in your web browser, especially on shared or portable devices.
5. Log in over HTTPS and stay on HTTPS for the whole session. If your application vendor does not provide it, question whether exposing data in transit is acceptable for the type of work you are undertaking.
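The substitutions in tip 2 look clever but are the first thing an offline guessing attack tries. The following script is an added example, not part of the original deck: it reproduces the slide's substitution table as a cracking rule, enumerates every spelling a dictionary word can produce under it, recovers the base word from a substituted password, and measures how few bits the trick adds compared with simply using more words. The five-entry wordlist is constructed for the example; a real wordlist has millions of entries.

```python
"""Added example (not from the slide deck): how little letter-for-symbol
substitutions add against an offline guessing attack.

A cracking tool does not stumble on "p@55word" by luck: it takes a dictionary
word and applies substitution rules exactly like the ones on the slide.
"""
from itertools import product
from math import log2
from typing import Iterable, Optional, Set

# The substitution table from tip 2. Each letter maps to the symbols an
# attacker would try in its place; the original letter is always kept as
# an option too, so "password", "p@ssword" and "p@55word" are all covered.
SUBSTITUTIONS = {
    "a": ["@"],
    "i": ["!"],
    "b": ["6"],
    "q": ["9"],
    "s": ["5", "%"],
    "e": ["3", "#"],
}

# Constructed sample dictionary for the example; real wordlists are huge.
SAMPLE_WORDLIST = ["password", "audit", "cloud", "business", "sydney"]


def leet_variants(word: str) -> Set[str]:
    """Every spelling of `word` reachable with the slide's substitutions."""
    choices = [[ch] + SUBSTITUTIONS.get(ch, []) for ch in word.lower()]
    return {"".join(combo) for combo in product(*choices)}


def variant_count(word: str) -> int:
    """Number of spellings the substitutions create for one word."""
    count = 1
    for ch in word.lower():
        count *= 1 + len(SUBSTITUTIONS.get(ch, []))
    return count


def base_word(password: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the dictionary word `password` was derived from, or None.

    Case is ignored because crackers toggle case with a separate rule.
    """
    needle = password.lower()
    for word in wordlist:
        if needle in leet_variants(word):
            return word
    return None


def added_bits(word: str) -> float:
    """Extra guessing work (in bits) the substitutions add to one word."""
    return log2(variant_count(word))


def passphrase_bits(n_words: int, dictionary_size: int) -> float:
    """Guessing work for n words picked at random from a dictionary."""
    return n_words * log2(dictionary_size)


if __name__ == "__main__":
    for pw in ["p@55word", "@ud!t", "Cl0ud"]:
        print(f"{pw!r:12} -> derived from {base_word(pw, SAMPLE_WORDLIST)!r}")
    print(f"'password' has {variant_count('password')} substituted spellings, "
          f"worth only {added_bits('password'):.1f} extra bits")
    print(f"four random words from a 7776-word list: "
          f"{passphrase_bits(4, 7776):.1f} bits")
```

Running it shows that "p@55word" costs an attacker 18 guesses on top of the word "password" (about 4 extra bits), while four random words from a 7776-word list cost about 52 bits; "Cl0ud" is not recovered only because the slide's table has no rule for o -> 0, a rule every real rule set includes.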
Common security practices by providers
Application level: encrypted data transfer over VPN or HTTPS; passwords stored as salted hashes (not reversible encryption); CAPTCHA, lockout or rate limiting after multiple failed login attempts; policy- and role-based access control; restrictions on file uploads (type, size, location).
At the code-base level: SQL injection protection (parameterised queries), input validation, secure session management.
Platform level: host firewall (e.g. iptables); access logs and monitoring tools.
Infrastructure level: DMZ behind a first-level firewall; network isolation (VLANs, IPsec domain isolation, etc.).
Do you understand what the Cloud is about? Absolutely Sort of  Not really Clear as mud
 
Do you think the Cloud is secure? Yes I think so I don’t think so No
 
Do you think content and applications are more likely to be up to date if hosted in the Cloud? Yes I think so I don’t think so No
 
THANK-YOU! Please leave your keypad on the table or your chair; it won't open your garage door or turn on your TV! I have programmed it to send an electric bolt if you take it out of the room ... Thank you. www.keepad.com
References and further reading
http://www.mindtouch.com/blog/2008/05/28/differences-between-saas-and-cloud-software/
http://www.infoworld.com/d/security-central/gartner-seven-cloud-computing-security-risks-853
http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf
http://cloudsecurity.trendmicro.com/tag/iaas/
http://blogs.oracle.com/gbrunett/entry/security_recommendations_for_iaas_providers
http://social.technet.microsoft.com/wiki/contents/articles/3794.aspx
http://social.technet.microsoft.com/wiki/contents/articles/security-implications-of-cloud-service-models.aspx
http://www.csoonline.com/article/660065/saas-paas-and-iaas-a-security-checklist-for-cloud-models
http://www.securityinfowatch.com/root%20level/7-requirements-saas
http://www.saasblogs.com/saas/demystifying-the-cloud-where-do-saas-paas-and-other-acronyms-fit-in/
http://www.rightwaysolution.com/SaaS.html
Charles, E. Getting your head around the cloud. In Practice Magazine, 2011, Issue 1.
Keep in Contact Tony Carrucan CEO Mediasphere [email_address]   www.mediasphere.com.au   Richard Neal CEO Auditflow [email_address] www.auditflow.com.au

More Related Content

PPTX
Don’t Just Trust Cloud Providers - How To Audit Cloud Providers
PPTX
Cloud Compliance Auditing - Closer 2011
PPTX
Cloud Audit and Compliance
PDF
Cloud Auditing
PPTX
Cloud security - Auditing and Compliance
PDF
Data security in a big data environment sweden
PPTX
Data Driven Security in SSAS
PDF
IBM InfoSphere Guardium overview
Don’t Just Trust Cloud Providers - How To Audit Cloud Providers
Cloud Compliance Auditing - Closer 2011
Cloud Audit and Compliance
Cloud Auditing
Cloud security - Auditing and Compliance
Data security in a big data environment sweden
Data Driven Security in SSAS
IBM InfoSphere Guardium overview

What's hot (20)

PDF
IBM Infosphere Guardium - Database Security
PDF
Risk management for cloud computing hb final
PDF
Guardium Data Activiy Monitor For C- Level Executives
PDF
Cloud computing - Risks and Mitigation - GTS
PPTX
Presentation ibm info sphere guardium enterprise-wide database protection a...
PPTX
Enterprise API Security & Data Loss Prevention - Intel
PPTX
From reactive to automated reducing costs through mature security processes i...
PDF
Cloud Computing Risk Management (IIA Webinar)
PDF
Overview of Identity and Access Management Product Line
PPTX
How Vulnerable is Your Critical Data?
PDF
Sukumar Nayak-Detailed-Cloud Risk Management and Audit
PPTX
Brave new world of encryption v1
PPTX
GTB DLP - Content Aware Security Suite
PDF
IBM Security Guardium Data Activity Monitor (Data Sheet-USEN)
PDF
Simple cloud security explanation
PPTX
Cloud computing Risk management
PDF
Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4
PPTX
Enterprise Security in Hybrid Cloud ISACA-SV 2012
PPTX
Digital Rights Management One For Sharepoint
PDF
Information Rights Management (IRM)
IBM Infosphere Guardium - Database Security
Risk management for cloud computing hb final
Guardium Data Activiy Monitor For C- Level Executives
Cloud computing - Risks and Mitigation - GTS
Presentation ibm info sphere guardium enterprise-wide database protection a...
Enterprise API Security & Data Loss Prevention - Intel
From reactive to automated reducing costs through mature security processes i...
Cloud Computing Risk Management (IIA Webinar)
Overview of Identity and Access Management Product Line
How Vulnerable is Your Critical Data?
Sukumar Nayak-Detailed-Cloud Risk Management and Audit
Brave new world of encryption v1
GTB DLP - Content Aware Security Suite
IBM Security Guardium Data Activity Monitor (Data Sheet-USEN)
Simple cloud security explanation
Cloud computing Risk management
Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4
Enterprise Security in Hybrid Cloud ISACA-SV 2012
Digital Rights Management One For Sharepoint
Information Rights Management (IRM)
Ad

Viewers also liked (15)

PPTX
Cloud Computing & Control Auditing
PPT
Simultaneously Supporting Privacy and Auditing in Cloud Computing Systems
PPTX
Mediasphere Campus and EdCube e-Portfolios
PPTX
Re Defining The Learning Architecture In Your School Tony Carrucan
PPTX
BYL Rainham CPD - Structural Design for Fire Safety - Nov 15
PPT
Mediasphere CPD cloud training platform
PPTX
Design solutions CPD
PPTX
Sensitive Data Exposure
PPTX
Design solutions GTU CPD subject ch 7
PPTX
InformationSecurity
PPTX
2013 Future of Cloud Computing - 3rd Annual Survey Results
PPT
Cloud computing ppt
PPTX
INFORMATION SECURITY
PDF
3 Things Every Sales Team Needs to Be Thinking About in 2017
PDF
How to Become a Thought Leader in Your Niche
Cloud Computing & Control Auditing
Simultaneously Supporting Privacy and Auditing in Cloud Computing Systems
Mediasphere Campus and EdCube e-Portfolios
Re Defining The Learning Architecture In Your School Tony Carrucan
BYL Rainham CPD - Structural Design for Fire Safety - Nov 15
Mediasphere CPD cloud training platform
Design solutions CPD
Sensitive Data Exposure
Design solutions GTU CPD subject ch 7
InformationSecurity
2013 Future of Cloud Computing - 3rd Annual Survey Results
Cloud computing ppt
INFORMATION SECURITY
3 Things Every Sales Team Needs to Be Thinking About in 2017
How to Become a Thought Leader in Your Niche
Ad

Similar to Auditing in the Cloud (20)

PDF
Losing Control to the Cloud
PPTX
Navigating through the cloud SPUSC 2011 -Rob Livingstone Keynote
PPTX
Cloud computing: What you need to know as an Australian Finance Director
PDF
Cloud Computing 4 Accounting Firms
PDF
cloud session uklug
PDF
Cloud computing
PDF
Cloud Security, Standards and Applications
PPTX
Cloud Security Issues 1.04.10
PPTX
Going to the SP2013 Cloud - what does a business need to make it successful?
PPTX
Cloud computing - Assessing the Security Risks - Jared Carstensen
PDF
Cloud computing for SMBs
PPTX
Rubik cloud risks-jun2012
PPTX
dtechnClouologyassociatepart2
PPT
Presentation to Irish ISSA Conference 12-May-11
PPTX
Cloud Security
PPTX
fmb_cloud_computing.pptx
PPTX
Simplified Success: Cloud Fundamentals for Business & Product Managers
PPT
To Cloud or Not to Cloud for Transaction Document Production
PDF
The do's and dont's of cloud computing - StatPro Cloud Summit 2012
PDF
How Secure Is Cloud
Losing Control to the Cloud
Navigating through the cloud SPUSC 2011 -Rob Livingstone Keynote
Cloud computing: What you need to know as an Australian Finance Director
Cloud Computing 4 Accounting Firms
cloud session uklug
Cloud computing
Cloud Security, Standards and Applications
Cloud Security Issues 1.04.10
Going to the SP2013 Cloud - what does a business need to make it successful?
Cloud computing - Assessing the Security Risks - Jared Carstensen
Cloud computing for SMBs
Rubik cloud risks-jun2012
dtechnClouologyassociatepart2
Presentation to Irish ISSA Conference 12-May-11
Cloud Security
fmb_cloud_computing.pptx
Simplified Success: Cloud Fundamentals for Business & Product Managers
To Cloud or Not to Cloud for Transaction Document Production
The do's and dont's of cloud computing - StatPro Cloud Summit 2012
How Secure Is Cloud

Recently uploaded (20)

PDF
[발표본] 너의 과제는 클라우드에 있어_KTDS_김동현_20250524.pdf
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
PDF
cuic standard and advanced reporting.pdf
PDF
Electronic commerce courselecture one. Pdf
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
PPT
Teaching material agriculture food technology
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DOCX
The AUB Centre for AI in Media Proposal.docx
PDF
Advanced IT Governance
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
PDF
Chapter 3 Spatial Domain Image Processing.pdf
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
[발표본] 너의 과제는 클라우드에 있어_KTDS_김동현_20250524.pdf
Dropbox Q2 2025 Financial Results & Investor Presentation
cuic standard and advanced reporting.pdf
Electronic commerce courselecture one. Pdf
Per capita expenditure prediction using model stacking based on satellite ima...
Reach Out and Touch Someone: Haptics and Empathic Computing
“AI and Expert System Decision Support & Business Intelligence Systems”
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Teaching material agriculture food technology
20250228 LYD VKU AI Blended-Learning.pptx
The AUB Centre for AI in Media Proposal.docx
Advanced IT Governance
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Chapter 3 Spatial Domain Image Processing.pdf
Advanced methodologies resolving dimensionality complications for autism neur...

Auditing in the Cloud

  • 1. Auditing in the Cloud Can Technology improve Audit compliance ..... and how secure is it? Tony Carrucan CEO Mediasphere Rich Neal CEO Auditflow
  • 2. HOW TO USE THE KEYPADS Choose your response from the corresponding keypad button(s). The light will go GREEN to confirm your response has been received. You can change your answer (whilst voting is open) simply by pressing your new response button(s). (The system will only count the last vote)
  • 3. Keypad Responses Please note all responses for this session will be ANONYMOUS
  • 4. Where are you from? Australia NZ Singapore China Other
  • 5. Are you: Male Female Not sure
  • 6. Are you in public practice? Yes No
  • 7. Do you understand what the Cloud is about? Absolutely Sort of Not really Clear as mud
  • 8. Do you think the Cloud is secure? Yes I think so I don’t think so No
  • 9. Do you think content and applications are more likely to be up to date if hosted in the Cloud? Yes I think so I don’t think so No
  • 10. Do you audit? Yes No
  • 11. How many SME audits would you do annually? 1 - 5 6 – 10 11 – 15 16 – 20 21 – 50 51+
  • 12. How many SMSF audits would you do annually? 1 - 5 6 – 10 11 - 26 27 - 50 51 - 100 101 – 500 500+
  • 13. The World has Changed!
  • 14.  
  • 15. The Next 5 Years
  • 16. Device Growth of Adoption
  • 17.  
  • 18. Why is Everyone Talking About the Cloud? Cloud Computing is a revolution that will change your business for the better, letting you work faster, cheaper and better…. and from anywhere, just about.   Cloud Computing is one term for Internet-based software and hardware platforms – basically, instead of installing programs on your own computer, you access them over the Internet –   Gmail is cloud computing, in fact most of what Google offers is cloud computing – you access it via a web interface.
  • 19.  
  • 20.  
  • 21. What is Cloud Computing?
  • 22. Gartner Cloud Computing Research 2011
  • 23. Your Company as a Social Enterprise During his Dreamforce keynote earlier this year, Mark Benioff, CEO of Salesforce spoke of the power and absolute inevitability of the social revolution and the need for companies to transform themselves into social enterprises . All of that is best achieved, he said, through the use of cloud technology and philosophy.
  • 24.  
  • 25.  
  • 26. Queensland Premier’s Website Toward Q2: Tomorrow’s Queensland
  • 27. www.myq2.com.au Gov 2.0 in the Cloud
  • 28. MyQ2 – My Site in the Cloud
  • 29. Technical Cloud 101 = Software, Platform, Infrastructure-as-a-Service SaaS or Software-as-a-Service is the application allowing you to perform your daily activities/tasks on your desktop computer but on-demand. Software on-demand means you only use when you need, thus only pay and consume resources when you need anywhere anytime. PaaS or Platform-as-a-Service delivers computing platform allowing your application to consume computing resources as needed. IaaS or Infrastructure-as-a-Service is the infrastructure or environment where servers and resources are managed and securely monitored.
  • 30. Where do Acronyms fit in? Though not all SaaS providers rely on PaaS and/or IaaS
  • 31. Infrastructure-as-a-Service Virtualisation 2+ Virtual machines with HA Managed Firewall/Router/VPN etc. Hardware Dual quad-core Processors, DAS/SAN/NAS storage, redundant PSU and NIC, etc. Networking Routers, VLAN, Managed switches, etc Data comm Tier-1 Bandwidth, Public/WAN IP, etc Application Server Stack Application Server Stack Application Server Stack
  • 32. Platform-as-a-Service Deployment Software deployment, customisation, Billing, Provisioning, Monitoring Development & API User Interface, Business Logic, Data Model Application Services Core computing platform, Queue Services, Scalability, High Availability, Resource Management Operating Systems RHEL, Solaris, Debian, Windows Server, Ubuntu, etc. Software Access Software Access Software Access Data and File Storage, Database Cluster, & Data warehouse
  • 33. Software-as-a-Service User Interface User Interaction, Roles and Access, Customisation, Subscription-based Transaction-based Ad-based Application features User management, Customer management, online forms, reporting tools, etc. Data Access Controlled access to data directly from application or Web Service API Data and Files Storage, Database Cluster, & Data warehouse
  • 34. Auditing-as-a-Service Engagement Partner Monitor firms audit workflow Review Partner See what review points are outstanding with clients Manager Working and managing audit engagements Junior Auditor Working on client audit assignments SME Audit Corporate Audit SMSF Audit Intermediate Auditor Working on client audit assignments
  • 35.  
  • 36. Current challenges with Data Data Confidentiality and Compliancy Data Segregation Data Integrity Lack of understanding about cloud technologies leads accountants and auditors to assume that data is safer on their own computers and servers. What would happen if you lost your laptop? – is your data encrypted or just protected by your password...how safe is your password. Lets explore the risks and mitigation strategies in the cloud.
  • 37.  
  • 38.  
  • 39.  
  • 40. Cloud Computing Adoption Is cloud computing just a trend or is it a technology that you seriously consider in your business?
  • 41. Compliance requirements escalated Accuracy & responsibility in financial reporting Simplicity – amongst complexity of changing rules Financial Planners / Accountants alike require a full suite of reliable, compliant applications. GFC – What did we learn?
  • 42. 96% 4% 96% of Small / Medium Australian Company auditors fail compliance test ASIC Report - 2008/2009
  • 43. Over 570,000 audits conducted in Australia per annum. 450,000 of these are SMSF audits Over 10 million audits conducted annually worldwide. International Auditing Standards have been adopted by 125 countries
  • 44. Industry not keeping up with Changing regulations Enormous volume of requirements, Low margin for their fees, Time constraints, Lack of tools & knowledge
  • 45. The average audit firm using traditional audit practice Every now and then, we run out of data storage space, buy more servers, update printer, replace ink, or revert backup because your junior has deleted the wrong folder. Then every year you need to update all your software licenses. Why for pay for software, servers, hire a team of IT professionals when all can be on the cloud Create / Setup Client files Preliminary work Audit planning process & Audit procedures Review process Audit complete and Archiving Email & Fax correspondence Folder and Files management through Windows Explorer Managing Client Contacts File versioning and Track changes Multi-user access
  • 46. Cloud Easily and constantly updated Processes to guide compliance Secure access to data Unlocks the process Builds around the client Simplifies support Seamless upgrades Client centric Centrally managed
  • 47. What does it mean to you and your Auditing team (Benefits) Do what you and your audit team excel at doing Reduce cost Mobility and accessibility No software upgrade hassle No tape backup and System backup to worry about Compliance and references up to date and automated Collaboration with audit engagement team Eco-friendly Lesser or no paper storage required Business continuity and high availability
  • 48. Risks and Issues Security of information Contingency plan Disaster recovery plan Confidentiality of information Always connected Offshore Data Storage, legislation and jurisdiction
  • 49. Cloud Security IT analyst firm, Gartner, identifies seven specific security issues that users should raise with app vendors before purchasing. Privileged user access . Sensitive data processed outside the enterprise brings with it an inherent level of risk, because outsourced services bypass the "physical, logical and personnel controls" IT shops exert over in-house programs. Get as much information as you can about the people who manage your data. "Ask providers to supply specific information on the hiring and oversight of privileged administrators, and the controls over their access," Gartner says. http :// www.infoworld.com/d/security-central/gartner-seven-cloud-computing-security-risks-853
  • 50. Cloud Security 2. Regulatory compliance. Customers are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider. Traditional service providers are subjected to external audits and security certifications. Cloud computing providers who refuse to undergo this scrutiny are "signalling that customers can only use them for the most trivial functions," according to Gartner.
  • 51. 3. Data location. When you use the cloud, you probably won't know exactly where your data is hosted. In fact, you might not even know what country it will be stored in. Ask providers if they will commit to storing and processing data in specific jurisdictions, and whether they will make a contractual commitment to obey local privacy requirements on behalf of their customers, Gartner advises. Cloud Security
  • 52. Cloud Security 4. Data segregation. Data in the cloud is typically in a shared environment alongside data from other customers. Encryption is effective but isn't a cure-all. "Find out what is done to segregate data at rest," Gartner advises. The cloud provider should provide evidence that encryption schemes were designed and tested by experienced specialists. "Encryption accidents can make data totally unusable, and even normal encryption can complicate availability," Gartner says.
  • 53. Cloud Security 5. Recovery. Even if you don't know where your data is, a cloud provider should tell you what will happen to your data and service in case of a disaster. "Any offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to a total failure," Gartner says. Ask your provider if it has "the ability to do a complete restoration, and how long it will take."
  • 54. Cloud Security 6. Investigative support. Investigating inappropriate or illegal activity may be impossible in cloud computing, Gartner warns. "Cloud services are especially difficult to investigate, because logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and data centres. If you cannot get a contractual commitment to support specific forms of investigation, along with evidence that the vendor has already successfully supported such activities, then your only safe assumption is that investigation and discovery requests will be impossible."
  • 55. Cloud Security 7. Long-term viability. Ideally, your cloud computing provider will never go broke or get acquired and swallowed up by a larger company. But you must be sure your data will remain available even after such an event. "Ask potential providers how you would get your data back and if it would be in a format that you could import into a replacement application," Gartner says.
  • 56. Top security tips for you and what you can do. As an end-user, we must consider the following:
    1. Strong password: more than 8 characters, a combination of alphanumeric and upper/lowercase characters.
    2. Replace alpha characters in your password with special characters, e.g. a -> @, i -> !, b -> 6, q -> 9, s -> 5 or %, e -> 3 or # (http://howsecureismypassword.net/).
    3. Have a security-question answer that has nothing to do with the question.
    4. Do not use the "remember me" feature of your web browser.
    5. Ensure you log in through, and stay on, the HTTPS protocol. If your app vendor doesn't provide it, question whether the possible exposure of data is acceptable for the type of work you are undertaking.
  • 57. Common security practices by providers
    Application level:
      • Encrypted data transfer through VPN or HTTPS protocols
      • Encrypted passwords
      • Provide a CAPTCHA after multiple failed login attempts
      • Policy- and role-based access
      • File upload restrictions
      • At the code-base level: SQL injection proof, data defamation, session management
    Platform level:
      • Firewall and IP tables
      • Access log and monitoring tools
    Infrastructure level:
      • DMZ and first level of firewall
      • Network isolation (VLAN, domain (IPsec) security, etc.)
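To make three of the application-level items concrete (stored passwords that are not plaintext, SQL-injection-proof queries, and a CAPTCHA demand after repeated login failures), here is an added Python example written for this page; it is not code from Auditflow, Mediasphere or any provider named on the slide. It assumes an in-memory SQLite store, PBKDF2 for password hashing (the slide says only "encrypted passwords"), and a failure threshold of 3, which is an assumed value since the slide gives none.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 100_000        # assumed work factor; tune to your hardware
MAX_FAILURES_BEFORE_CAPTCHA = 3    # assumed threshold; the slide names none


class LoginService:
    """Toy user store: salted PBKDF2 hashes, parameterised SQL, and a
    per-account failure counter that gates logins behind a CAPTCHA."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")   # stand-in for a real database
        self.db.execute(
            "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, "
            "pw_hash BLOB, failures INTEGER NOT NULL DEFAULT 0)"
        )

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Slow, salted one-way hash: a stolen table does not yield passwords.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        # '?' placeholders: user input is bound as data, never spliced into SQL.
        self.db.execute(
            "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
            (username, salt, self._hash(password, salt)),
        )
        self.db.commit()

    def captcha_required(self, username: str) -> bool:
        row = self.db.execute(
            "SELECT failures FROM users WHERE username = ?", (username,)
        ).fetchone()
        return row is not None and row[0] >= MAX_FAILURES_BEFORE_CAPTCHA

    def login(self, username: str, password: str, captcha_solved: bool = False) -> str:
        """Return 'ok', 'captcha_required' or 'denied'."""
        if self.captcha_required(username) and not captcha_solved:
            return "captcha_required"
        row = self.db.execute(
            "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
        ).fetchone()
        if row is None:
            return "denied"            # unknown user gets the same answer as a bad password
        salt, stored = row
        if hmac.compare_digest(self._hash(password, salt), stored):
            self.db.execute("UPDATE users SET failures = 0 WHERE username = ?", (username,))
            self.db.commit()
            return "ok"
        self.db.execute("UPDATE users SET failures = failures + 1 WHERE username = ?", (username,))
        self.db.commit()
        return "denied"


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "correct horse")   # constructed sample account
    for attempt in ["wrong", "wrong", "wrong", "correct horse"]:
        print(attempt, "->", svc.login("alice", attempt))
    print("with captcha ->", svc.login("alice", "correct horse", captcha_solved=True))
```

Because the username is bound as a parameter, a value containing SQL syntax is compared literally against the column and simply finds no user; the lookup never becomes a different query. The failure counter is reset only on a successful login, so the CAPTCHA stays in force until the legitimate user gets through.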
  • 58. Do you understand what the Cloud is about? Absolutely Sort of Not really Clear as mud
  • 60. Do you think the Cloud is secure? Yes I think so I don’t think so No
  • 62. Do you think content and applications are more likely to be up to date if hosted in the Cloud? Yes I think so I don’t think so No
  • 64. THANK-YOU! Please leave your keypad on the table or your chair; it won't open your garage door or turn on your TV! I have programmed it to send an electric bolt if you take it out of the room … Thank you. www.keepad.com
  • 65. References and further reading
    • http://www.mindtouch.com/blog/2008/05/28/differences-between-saas-and-cloud-software/
    • http://www.infoworld.com/d/security-central/gartner-seven-cloud-computing-security-risks-853
    • http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf
    • http://cloudsecurity.trendmicro.com/tag/iaas/
    • http://blogs.oracle.com/gbrunett/entry/security_recommendations_for_iaas_providers
    • http://social.technet.microsoft.com/wiki/contents/articles/3794.aspx
    • http://social.technet.microsoft.com/wiki/contents/articles/security-implications-of-cloud-service-models.aspx
    • http://www.csoonline.com/article/660065/saas-paas-and-iaas-a-security-checklist-for-cloud-models
    • http://www.securityinfowatch.com/root%20level/7-requirements-saas
    • http://www.saasblogs.com/saas/demystifying-the-cloud-where-do-saas-paas-and-other-acronyms-fit-in/
    • http://www.rightwaysolution.com/SaaS.html
    • Charles, E. Getting your head around the cloud, In Practice Magazine, 2011, Issue 1
  • 66. Keep in Contact Tony Carrucan CEO Mediasphere [email_address] www.mediasphere.com.au Richard Neal CEO Auditflow [email_address] www.auditflow.com.au