8/12/2019 Cloud Computing - COBIT- Group 1
1/22
2014
03-Mar-14
Cloud Computing: Management of Risk using COBIT
Report Prepared by (Group 1):
Shubham Chandra- A013
Dipen Patani- A038
Saurabh Sharma- A047
Table of Contents
Brief about Cloud computing ................................................................................................................... 3
Key characteristics of Cloud computing ................................................................................................... 3
Goals and Benefits ................................................................................................................................... 4
Risks and Challenges................................................................................................................................ 4
Service Models in Cloud Computing......................................................................................................... 4
Infrastructure as a service (IaaS) .......................................................................................................... 4
Platform as a service (PaaS) ................................................................................................................. 5
Software as a service (SaaS) ................................................................................................................. 5
Cloud Computing Deployment Methods .................................................................................................. 6
Private Cloud ....................................................................................................................................... 6
Public Cloud......................................................................................................................................... 6
Hybrid Cloud........................................................................................................................................ 6
Community Cloud ................................................................................................................................ 6
Market Overview of Cloud Computing ..................................................................................................... 7
Market Leaders: Clients, Vendors for these models ................................................................................. 7
Controls and Risks in Cloud environment ................................................................................................. 8
Mapping the benefits of Cloud computing to COBIT .............................................................................. 10
Cloud Implementation by AWS at Expedia Inc. ...................................................................................... 16
Organization brief .............................................................................................................................. 16
Cloud Computing: Model and Service (Requirements &Scope) .......................................................... 16
References ............................................................................................................................................ 20
Exhibits ................................................................................................................................................. 21
Brief about Cloud computing
Cloud computing is a model for enabling on-demand network access to a shared pool of configurable computing resources (e.g., servers, storage, applications and services). In other words, cloud computing is a model for delivering IT services: instead of a direct connection to a server the organisation owns, the resources are retrieved over the Internet through web-based tools and applications.

Cloud computing, the recent buzzword in the Internet market, is in simple terms the practice of delivering hosted services over the Internet. Though the concept is still at a nascent stage, it is generating tremendous interest among users of all types, and has become a promising business opportunity to venture into and explore.

The cloud computing services market, valued at USD 79.60 billion for the year 2011, is projected to grow steeply at a CAGR of 23.21% and reach a market size of USD 148.9 billion by 2014. With rising competition, saturation and technology limitations the CAGR may then drop, but the market is still expected to grow at a CAGR of 8.39% and reach USD 205.48 billion by 2018.
Key characteristics of Cloud computing
1. Agility: improves with users' ability to re-provision technological infrastructure resources.
2. Application programming interface (API) accessibility to software: enables machines to interact with cloud software in the same way that a traditional user interface (e.g., a computer desktop) facilitates interaction between humans and computers. Cloud computing systems typically use Representational State Transfer (REST)-based APIs, which also means that API credentials must be protected as carefully as administrative passwords, since they grant the same control over the infrastructure.
3. Cost: cloud providers claim that computing costs reduce. A public-cloud delivery model converts capital expenditure to operational expenditure. This purportedly lowers barriers to entry, as infrastructure is typically provided by a third party and does not need to be purchased for one-time or infrequent intensive computing tasks. Pricing on a utility computing basis is fine-grained, with usage-based options, and fewer IT skills are required for (in-house) implementation.
4. Device and location independence: enables users to access systems using a web browser regardless of their location or what device they use (e.g., PC, mobile phone). As the infrastructure is off-site (typically provided by a third party) and accessed via the Internet, users can connect from anywhere.
5. Virtualization technology: allows sharing of servers and storage devices and increased utilization. Applications can be easily migrated from one physical server to another.
6. Multitenancy: enables sharing of resources and costs across a large pool of users, thus allowing for centralization of infrastructure in locations with lower costs (such as real estate, electricity, etc.).
7. Reliability: improves with the use of multiple redundant sites, which makes well-designed cloud computing suitable for business continuity and disaster recovery.
8. Maintenance: cloud computing applications are easier to maintain, because they do not need to be installed on each user's computer and can be accessed from different places.
Goals and Benefits
The common benefits associated with adopting cloud computing are:
- Reduced investments and proportional costs
- Increased scalability
- Increased availability and reliability

Risks and Challenges
Several of the most critical cloud computing challenges, pertaining mostly to cloud consumers that use IT resources located in public clouds, are:
- Increased security vulnerabilities
- Reduced operational governance control
- Limited portability between cloud providers
- Multi-regional regulatory and legal issues

Service Models in Cloud Computing
Cloud computing providers offer their services (refer to Figure 1 in the Exhibits) according to the following fundamental models:
Infrastructure as a service (IaaS)
In the most basic cloud-service model, providers of IaaS offer computers (physical or, more often, virtual machines) and other resources. A hypervisor, such as Hyper-V, Xen, KVM or VMware ESX/ESXi, runs the virtual machines as guests. Pools of hypervisors within the cloud operational support system can support large numbers of virtual machines and the ability to scale services up and down according to customers' varying requirements. IaaS clouds often offer additional resources such as a virtual-machine disk image library, raw (block) and file-based storage, firewalls, load balancers, IP addresses, virtual local area networks (VLANs), and software bundles. IaaS-cloud providers supply these resources on demand from their large pools installed in data centres. For wide-area connectivity, customers can use either the Internet or carrier clouds (dedicated virtual private networks).

To deploy their applications, cloud users install operating-system images and their application software on the cloud infrastructure. In this model the cloud user, not the provider, patches and maintains the operating systems and the application software, so an unpatched guest remains the consumer's own risk. Cloud providers typically bill IaaS services on a utility computing basis; cost reflects the amount of resources allocated and consumed.

Cloud communications and cloud telephony, rather than replacing local computing infrastructure, replace local telecommunications infrastructure with Voice over IP and other off-site Internet services.
Platform as a service (PaaS)
In the PaaS model, cloud providers deliver a computing platform, typically including an operating system, programming language execution environment, database, and web server. Application developers can develop and run their software solutions on a cloud platform without the cost and complexity of buying and managing the underlying hardware and software layers. With some PaaS offerings, such as Windows Azure, the underlying compute and storage resources scale automatically to match application demand, so that the cloud user does not have to allocate resources manually. Such automatic scaling has also been proposed in architectures that aim to support real-time applications in cloud environments.
Software as a service (SaaS)
In the business model using software as a service (SaaS), users are provided access to application software and databases. Cloud providers manage the infrastructure and platforms that run the applications. SaaS is sometimes referred to as "on-demand software" and is usually priced on a pay-per-use or subscription basis.

In the SaaS model, cloud providers install and operate application software in the cloud and cloud users access the software from cloud clients. Cloud users do not manage the cloud infrastructure and platform where the application runs. This eliminates the need to install and run the application on the cloud user's own computers, which simplifies maintenance and support. Cloud applications differ from other applications in their scalability, which can be achieved by cloning tasks onto multiple virtual machines at run time to meet changing work demand. Load balancers distribute the work over the set of virtual machines. This process is transparent to the cloud user, who sees only a single access point. To accommodate a large number of cloud users, cloud applications can be multitenant, that is, any machine serves more than one cloud user organization. It is common to refer to special types of cloud-based application software with a similar naming convention: desktop as a service, business process as a service, test environment as a service, communication as a service.

The pricing model for SaaS applications is typically a monthly or yearly flat fee per user, so the price scales and can be adjusted as users are added or removed at any point.

Proponents claim SaaS allows a business to reduce IT operational costs by outsourcing hardware and software maintenance and support to the cloud provider. This enables the business to reallocate IT operations costs away from hardware/software spending and personnel expenses towards meeting other goals. In addition, with applications hosted centrally, updates can be released without the need for users to install new software. One drawback of SaaS is that the users' data are stored on the cloud provider's servers, where they could be accessed without authorization by provider staff, by other tenants, or by attackers who compromise the provider. For this reason, users are increasingly encrypting sensitive data with keys held in third-party or customer-controlled key management systems, so that the provider stores only ciphertext it cannot read on its own.
Cloud Computing Deployment Methods
There are four main cloud deployment models (refer to Figure 2 in the Exhibits), each with its own set of target customers.

Private Cloud
Private cloud is cloud infrastructure operated solely for a single organization, whether managed internally or by a third party and hosted internally or externally. Undertaking a private cloud project requires a significant degree of engagement to virtualize the business environment, and requires the organization to re-evaluate decisions about existing resources. When done right, it can improve the business, but every step in the project raises security issues that must be addressed to prevent serious vulnerabilities. Self-run data centres are generally capital intensive. They have attracted criticism because users "still have to buy, build, and manage them" and thus do not benefit from less hands-on management, essentially "[lacking] the economic model that makes cloud computing such an intriguing concept".

Public Cloud
A cloud is called a "public cloud" when the services are rendered over a network that is open for public use. Technically there may be little or no difference between public and private cloud architecture; however, the security considerations may be substantially different for services (applications, storage and other resources) that are made available by a service provider to a public audience and where communication takes place over an untrusted network. Generally, public cloud service providers such as Amazon AWS, Microsoft and Google own and operate the infrastructure and offer access primarily via the Internet; dedicated private links (for example AWS Direct Connect) exist but are an add-on rather than the default.

Hybrid Cloud
Hybrid cloud is a composition of two or more clouds (private, community or public) that remain unique entities but are bound together, offering the benefits of multiple deployment models. Hybrid cloud can also mean the ability to connect colocation, managed and/or dedicated services with cloud resources. Gartner, Inc. defines a hybrid cloud service as a cloud computing service that is composed of some combination of private, public and community cloud services, from different service providers. A hybrid cloud service crosses isolation and provider boundaries, so it cannot simply be put in one category of private, public or community cloud service. It allows one to extend either the capacity or the capability of a cloud service by aggregation, integration or customization with another cloud service.

Community Cloud
Community cloud shares infrastructure between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.), whether managed internally or by a third party and hosted internally or externally. The costs are spread over fewer users than a public cloud (but more than a private cloud), so only some of the cost-saving potential of cloud computing is realized.
Market Overview of Cloud Computing
Cloud computing provides cost-effective IT resources as on-demand IT, priced on the actual usage of the customer. Due to rapid growth, many companies are unable to handle their IT requirements even with an in-house datacentre. Cloud services help to improve IT capabilities without investing large amounts in new datacentres, and enable more efficient computing by centralising storage, memory, processing and bandwidth.

SaaS is the largest segment of cloud computing, with a market size of USD 12 billion in 2011. Geographically, the entire cloud service market is divided among the U.S., Europe, Asia and others. In 2011 the cloud service market reported USD 41.2 billion globally, which is estimated to grow to USD 205 billion in 2018 (refer to Figure 3 in the Exhibits), a CAGR of 26% from 2011 to 2017. The mobile SaaS market in 2011 was about USD 1.2 billion and is expected to grow at a CAGR of 25% up to 2018. The U.S. federal government market has entered double-digit growth and is expected to grow at a CAGR of 16.2% up to 2018. The U.S. cloud computing market for medical imagery is expected to grow at a CAGR of 26.8% up to 2018.

Growth of the cloud computing services market will be influenced by the global demand for technology-based services, which in turn depends on the state of the global economy. Currently the growth is driven by demand in developed Western markets such as North America and Europe. The developing nations are slower to adopt the concept, and are expected to drive growth towards the later part of the decade.
Market Leaders: Clients, Vendors for these models
The current cloud computing services market leaders who are defining the growth path are:

Service model                        Vendors    Clients
SaaS (Software as a service)
PaaS (Platform as a service)
IaaS (Infrastructure as a service)
Controls and Risks in Cloud environment
Outsourcing results in the loss of a level of control, because the enterprise becomes dependent on another party to fulfil its needs and to provide adequate controls. Using Internet technologies or wide area network access to reach IT capabilities and data creates dependency on these possibly more vulnerable access paths. The main risks arising from these dependencies and vulnerabilities relate to continuity and to the security of information. Continuity is complicated by the fact that downtime of Internet or network access, or downtime at the cloud service provider, could translate into unavailability of all IT capabilities outsourced by the consumer enterprise. Security is complicated because the cloud service provider uses a multi-tenant model and therefore stores various enterprises' data at one physical location, creating the risk that data belonging to one consumer leaks to another, or to unauthorized third parties. In addition, because all data relating to the outsourced IT capabilities travels over the Internet or network in order to be accessed or processed, there is a risk of unauthorized access to, or manipulation or corruption of, data in transit.

Loss of Governance
Just as in traditional IT outsourcing, using the services of a cloud provider requires enterprises to give up control over their IT infrastructure. To make it easier for customers that take this step, cloud providers should make management and maintenance more transparent and auditable by customers. This should include recording logs and complete administrative sessions that affect the part of the cloud infrastructure used by customers and, if requested, making these records accessible to customers. There must be strong authentication and authorization for the staff of the cloud provider and for customers: strong, preferably multifactor, authentication methods such as tokens or one-time passwords on the one hand, and strong authorization methods such as 4-eyes (dual-control) authorization on the other. Ideally, customers should be able to authorize and possibly monitor access to the key systems they use. Such monitoring could be as simple as following the logs on an online interface or as sophisticated as watching a real-time audit trail of the administrators' actions on the system, be it on a specific virtual machine or on the hypervisor of the entire system. Allowing access to the audit trails of the hypervisor or providing 4-eyes authorization to customers may initially seem excessive, but it may be necessary for customers for compliance reasons.

Compliance
Compliance requirements are becoming stricter almost every year, and a cloud provider that can meet these requirements and offer hard evidence of this compliance can gain a significant advantage. Compliance usually covers the entire range of IT procedures, from system logging and log analysis to user and administrator authentication, authorization and auditing, but can also include data archiving, backups and recovery, not to mention the physical security of the servers in the cloud. The difficulty is to build a system that makes the cloud compliant and that can prove the compliance of individual customers during the inevitable compliance audit.

Data protection
Data protection and data abuse prevention are traditionally handled via authorization and strong access control, and partly by using an intrusion detection system (IDS) and a data leakage prevention (DLP) system. Authentication can be strengthened with multifactor methods, and access control and authorization can be enhanced by 4-eyes authorization. However, for obvious reasons, users must access a remote cloud over encrypted connections, and a network-based IDS or DLP system cannot inspect traffic it cannot decrypt. Thus a solution that terminates or mirrors the encrypted channels so that their plaintext can be shared with the client's IDS/DLP system is highly beneficial.
Cloud provider selection
Public clouds allow high-availability systems to be built at service levels that are often impossible to achieve in private networks except at extraordinary cost. Compliance with regulations and laws in different geographical regions can be a challenge for enterprises. At this time there is little legal precedent regarding liability in the cloud. It is critical to obtain proper legal advice to ensure that the contract specifies the areas in which the cloud provider is responsible and liable for the ramifications of potential issues. Enterprises could leverage the global compliance requirements that are becoming stricter, and choose a cloud provider that can meet these requirements and is able to offer hard evidence of its compliance.

COBIT (Control Objectives for Information and Related Technologies) is ISACA's framework of processes and control objectives for the governance and management of enterprise IT. Businesses can use it to ensure that IT works as effectively as possible, minimizing IT-related risks and maximizing the benefits of cloud.

The security benefits of utilizing COBIT with the cloud include:
Customer compliance: connections from cloud customers using 4-eyes authorization to access a service running in the cloud (e.g., a Windows Terminal Service) can be audited. This can be useful if customers have specific compliance needs.
Selected authentication methods: the use of selected authentication methods (e.g., certificates, passwords, public keys) should be enforced.
Customizable access control: there should be strict yet easily customizable access control, so that users have access only to selected log messages, e.g., messages related to the cloud services of a single customer.
Enforcement of 4-eyes authorization: enforcing 4-eyes authorization with real-time monitoring and auditing capabilities effectively creates a strong auditing layer above the super-user layer that accesses the devices, with the possibility of greatly increasing the security of the cloud. For every security-aware customer, or for customers with special security needs, it is possible to require the customer's representative to authorize cloud administrators, making the maintenance of the parts of the cloud infrastructure that are relevant to the customer completely transparent, auditable and reviewable.
Forensics and contracts: tamper-proof evidence for service level agreement (SLA) contracts and forensic situations should be provided.
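The governance controls described above (recorded administrative actions that customers can review, 4-eyes authorization of cloud administrators, customer-scoped access to log messages, and tamper-proof evidence for forensics) can be illustrated in code. The following Python is an added example written for this report, not code from the report or from any cloud provider: it puts a dual-control approval gate in front of a privileged action and records every request, denial, approval and execution in a hash-chained audit log that a tenant can read only for its own records and that anyone holding the latest hash can verify. The tenant names, administrator and approver identities and actions are invented for the illustration.

```python
"""Dual-control ("4-eyes") authorization for privileged cloud administration,
backed by a hash-chained, tenant-scoped audit trail.

Added illustration; not code from the report or from any cloud provider.
Tenants, identities and actions below are invented for the example.
"""
import hashlib
import json
from dataclasses import dataclass


@dataclass
class AuditEntry:
    seq: int
    tenant: str
    actor: str
    event: str
    detail: dict
    prev_hash: str
    hash: str = ""


class AuditLog:
    """Append-only log in which every record commits to the previous one.
    Altering or deleting an earlier record breaks the chain, so a customer
    or auditor who keeps the latest hash can detect tampering."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(e):
        body = json.dumps([e.seq, e.tenant, e.actor, e.event, e.detail, e.prev_hash],
                          sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(body.encode()).hexdigest()

    def append(self, tenant, actor, event, detail=None):
        prev = self.entries[-1].hash if self.entries else self.GENESIS
        entry = AuditEntry(len(self.entries), tenant, actor, event, detail or {}, prev)
        entry.hash = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """True only if every hash and every back-pointer still matches."""
        prev = self.GENESIS
        for e in self.entries:
            if e.prev_hash != prev or e.hash != self._digest(e):
                return False
            prev = e.hash
        return True

    def entries_for_tenant(self, tenant):
        """Customer-scoped view: only the records concerning one tenant."""
        return [e for e in self.entries if e.tenant == tenant]


class FourEyesGate:
    """A privileged action on a tenant's resources needs a request by one
    administrator and approval by a different identity from that tenant's
    approver list (which may include the customer's own representative)."""

    def __init__(self, log, approvers_by_tenant):
        self.log, self.approvers, self.pending, self._count = log, approvers_by_tenant, {}, 0

    def request(self, tenant, requester, action):
        self._count += 1
        req_id = f"req-{self._count}"
        self.pending[req_id] = (tenant, requester, action)
        self.log.append(tenant, requester, "request", {"id": req_id, "action": action})
        return req_id

    def approve(self, req_id, approver):
        """Returns True (and records execution) only when the 4-eyes rule holds."""
        if req_id not in self.pending:
            return False
        tenant, requester, action = self.pending[req_id]
        reason = None
        if approver == requester:
            reason = "self-approval"                 # same person cannot be both eyes
        elif approver not in self.approvers.get(tenant, set()):
            reason = "not an approver for this tenant"  # no cross-tenant authority
        if reason:
            self.log.append(tenant, approver, "denied", {"id": req_id, "reason": reason})
            return False
        self.log.append(tenant, approver, "approve", {"id": req_id, "action": action})
        self.log.append(tenant, requester, "execute", {"id": req_id, "action": action})
        del self.pending[req_id]
        return True


def demo():
    """Constructed scenario (invented names): two tenants, one request each."""
    log = AuditLog()
    gate = FourEyesGate(log, {"acme": {"alice@acme", "ops-lead"}, "globex": {"bob@globex"}})
    r1 = gate.request("acme", "cloud-admin-1", "resize-vm web-01")
    self_approval = gate.approve(r1, "cloud-admin-1")   # denied: requester approving itself
    approved = gate.approve(r1, "alice@acme")           # customer's representative approves
    r2 = gate.request("globex", "cloud-admin-2", "snapshot db-01")
    cross_tenant = gate.approve(r2, "alice@acme")       # denied: acme's approver, globex's request
    acme_events = [e.event for e in log.entries_for_tenant("acme")]
    globex_events = [e.event for e in log.entries_for_tenant("globex")]
    intact_before = log.verify()
    log.entries[0].detail["action"] = "delete-vm web-01"  # simulate after-the-fact tampering
    intact_after = log.verify()
    return {"self_approval": self_approval, "approved": approved, "cross_tenant": cross_tenant,
            "acme_events": acme_events, "globex_events": globex_events,
            "intact_before": intact_before, "intact_after": intact_after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the file prints the outcome of the constructed scenario: the requester's own approval and a foreign tenant's approval are denied, the customer representative's approval lets the action execute, and editing an earlier record afterwards makes verify() fail. In a real deployment the tenant would keep a copy of the latest hash (or have it countersigned or timestamped by an independent party) so that the provider cannot silently rewrite its own history.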
Mapping the benefits of Cloud computing to COBIT
The affected processes from the COBIT 4.1 domains PO (Plan and Organise), AI (Acquire and Implement) and DS (Deliver and Support) are covered in the table below.
COBIT process and possible benefit

PO1 Define a strategic IT plan
Cloud services add a new dynamic to strategic IT planning, as the outsourcing of capital expenditure in hardware, operating platform and software all become viable options. New enterprises will incur significantly less IT-related start-up cost to establish IT capabilities.

PO3 Determine technological direction
Cloud computing should support business opportunities, such as expansion of the business (e.g., opening new branches), as it enables expansion of IT capabilities with minimal capital outlay in terms of IT infrastructure. The economies of scale of cloud computing also have a positive environmental impact: adoption of cloud computing may lower a CS consumer enterprise's carbon footprint (greener business practice).

PO5 Manage IT investment
Cloud computing enables CS providers to realise economies of scale, due to the multi-tenant principle, that each CS consumer enterprise would not be able to realise on its own. In order to be competitive in the future cloud computing market, the CS provider would have to pass some of the benefits of these economies of scale through to the CS consumers. This should enable a CS consumer enterprise to achieve a better return on IT investment.

PO7 Manage IT human resources
The number of IT staff members required by a CS consumer enterprise is likely to decrease with the adoption of cloud computing, thereby ensuring a saving in operational expenditure relating to the reduction in human resources.

PO8 Manage quality
Most aspects of quality management are outsourced to the CS provider. The CS consumer enterprise should benefit from the CS provider's economies of scale relating to the cost and employment of specialised IT professionals to ensure adequate controls. The CS provider's reputation depends on the adequacy of controls.

PO9 Assess and manage IT risks
Certain IT risks, previously managed solely by the CS consumer enterprise, are now part of the outsourced services, enabling the enterprise to possibly benefit from the CS provider's superior ability to attract and employ specialised IT risk-mitigating professionals, due to the CS provider's increased economies of scale.

AI1 Identify automated solutions
Cloud services provide automated solutions to satisfy infrastructure (hardware) requirements that could not traditionally be satisfied by automated solutions (specifically IaaS and PaaS). SaaS and PaaS are also subject to greater automation than was traditionally possible. A CS consumer enterprise can experiment with a larger array of innovative IT capabilities and technologies than it would have been able to afford if it had to purchase such technologies before experimenting with them. The use of Internet technologies also enables access irrespective of location.

AI2 Acquire and maintain software
Patching and version upgrades of software accessed as a cloud service by a CS consumer enterprise should be up to date if a trustworthy CS provider is used (consider including this in a service level agreement (SLA)), since the provider benefits from economies of scale regarding such upgrading or patching. This can be achieved without the usual capital expenditure on the CS consumer enterprise's side.

AI3 Acquire and maintain technology infrastructure
Technology infrastructure accessed as a cloud service by a CS consumer enterprise should be up to date if a trustworthy CS provider is used (consider including this in an SLA), since the provider benefits from economies of scale regarding such upgrading of infrastructure. This can be achieved without the usual capital expenditure on the CS consumer enterprise's side.

AI4 Enable operation and use
Cloud computing is characterized by a multi-tenant model. Thus, the CS provider should have standardized user manuals and/or training available to all CS consumers (tenants).

AI6 Manage changes
Most cloud service-related changes, such as patching and/or upgrading of infrastructure, are done by the CS provider, significantly reducing the workload regarding the management of changes on the CS consumer enterprise's side. The level of IT capability required by the CS consumer can be scaled up or down through a self-service process. This significantly decreases the number of controls that were traditionally needed, where changes to IT capabilities required major changes such as the installation of a new server.

DS3 Manage performance and capacity
Cloud services are characterized by rapid elasticity on demand, ensuring that IT resource capacity can be rapidly scaled up or down to meet the CS consumer enterprise's changing requirements at all times.

DS4 Ensure continuous service
Most aspects of ensuring continued IT services are transferred to the CS provider. The CS provider will be inclined to ensure adequate controls relating to continuity of services, because a significant number of its CS customers may be affected by downtime, as a shared pool of resources is used to provide services to all of them. Any interruption of services will have a major impact on the CS provider's reputation.
As cloud services are provided using broad network access (Internet technologies), continuation of service is not dependent on the location of the CS consumer enterprise's users. This means the CS consumer enterprise can easily access the IT capabilities from different locations (enhanced mobility).
For the same reason, continuation of service is not necessarily dependent on a specific access route to a network or the Internet (i.e., if the ADSL line is not functioning, 3.5G wireless access could, for example, be used to continue service in the interim). This could translate into fewer single-point-of-failure (SPOF) risks than in the case of leased VPN lines, for example.

DS5 Ensure systems security
Most aspects of ensuring system security relating to the IT services are transferred to the CS provider, who will be inclined to ensure adequate controls relating to security, because a security breach caused by inadequate controls on the CS provider's side will have a major impact on the CS provider's reputation. Note that the consumer remains responsible for the parts it controls, such as its own user identities and credentials, the data it uploads and the configuration of the services it consumes.

DS6 Identify and allocate cost
One of the defining characteristics of cloud services is that the service is measured or metered by use. The CS provider would therefore already have such an accounting/metering system in place. This system could possibly meter use by individual groups within the CS consumer enterprise, making the allocation of IT-related costs to different segments of the CS consumer enterprise a vastly simpler task.

DS7 Educate and train users
Cloud computing is characterized by a multi-tenant model. Thus, the CS provider should have standardized user manuals and/or training available to all CS consumers (tenants).

DS8 Manage service desk and incidents
Most aspects of IT service desk management are outsourced to the CS provider, who would be required by all its CS consumer enterprise clients to have an adequate service desk to resolve user queries and incidents. The adequacy of this service will influence the CS provider's reputation.

DS9 Manage configuration
Most aspects of configuration management are outsourced to the CS provider. The CS provider should benefit from economies of scale relating to the cost and employment of specialised IT professionals to ensure adequate controls. The CS provider's reputation depends on the adequacy of controls.

DS10 Manage problems
Most aspects of problem management are outsourced to the CS provider. The CS provider should benefit from economies of scale relating to the cost and employment of specialised IT professionals to ensure adequate controls. The CS provider's reputation depends on the adequacy of controls.

DS11 Manage data
Most aspects of data management are outsourced to the CS provider. The CS provider should benefit from economies of scale relating to the cost and employment of specialised IT professionals to ensure adequate controls. The CS provider's reputation depends on the adequacy of controls.

DS12 Manage the physical environment
Most aspects of managing the physical environment are outsourced to the CS provider. The CS provider should benefit from economies of scale relating to the cost and employment of specialised IT professionals, securing the physical environment and ensuring off-site backup (distributed data centres) to ensure adequate controls. The CS provider's reputation depends on the adequacy of controls.

DS13 Manage operations
Most aspects of day-to-day IT operations are outsourced to the CS provider. The CS provider should benefit from economies of scale relating to the cost and employment of specialised IT professionals to ensure adequate controls. The CS provider's reputation depends on the adequacy of controls.
Cloud Implementation by AWS at Expedia Inc.
Organization brief
Expedia, Inc. is a leading online travel company, providing leisure and business travel to customers
worldwide. Expedia's extensive brand portfolio includes Expedia.com, one of the world's largest
full-service online travel agencies, with sites localized for more than 20 countries; Hotels.com, the hotel
specialist with sites in more than 60 countries; Hotwire.com, the hotel specialist with sites in more than
60 countries; and other travel brands.
The company delivers consumer value in leisure and business travel, drives incremental demand and
direct bookings to travel suppliers, and provides advertisers the opportunity to reach a highly valuable
audience of in-market travel consumers through Expedia Media Solutions. Expedia also powers bookings
for some of the world's leading airlines and hotels, top consumer brands, high-traffic websites, and
thousands of active affiliates through the Expedia Affiliate Network.
Cloud Computing: Model and Service (Requirements & Scope)
Expedia used AWS to develop a standard deployment model for its development teams globally. Expedia
chose Amazon Web Services (AWS) because it was the only solution with the global infrastructure in
place to support Asia Pacific customers. From an architectural perspective, infrastructure, automation,
and proximity to the customer were key factors, and AWS was the way to solve the problem.
Launching Expedia Suggest Service (ESS) on AWS
ESS uses algorithms based on customer location and aggregated shopping and booking data from past
customers to display suggestions when a customer starts typing. For example, if a customer in Seattle
entered sea when booking a flight, the service would display Seattle, SeaTac, and other relevant
destinations.
Expedia launched ESS instances initially in the Asia Pacific (Singapore) Region and then quickly replicated
the service in the US West (Northern California) and EU (Ireland) Regions. Expedia engineers initially
used Apache Lucene and other open source tools to build the service, but eventually developed
powerful tools in-house to store indexes and queries.
By deploying ESS on AWS, Expedia was able to improve service to customers in the Asia Pacific region as
well as Europe.
By 2011, Expedia was running several critical, high-volume applications on AWS, such as the Global
Deals Engine (GDE). GDE delivers deals to its online partners and allows them to create custom websites
and applications using Expedia APIs and product inventory tools.
Expedia provisions Hadoop clusters using Amazon Elastic MapReduce (Amazon EMR) to analyze and
process streams of data coming from Expedia's global network of websites, primarily clickstream, user
interaction, and supply data, which is stored on Amazon Simple Storage Service (Amazon S3). Expedia
processes approximately 240 requests per second. The advantage of AWS is that Auto Scaling can match
load demand instead of having to maintain capacity for peak load in traditional datacenters. Expedia
uses AWS CloudFormation with Chef to deploy its entire front-end and back-end stack into its Amazon
Virtual Private Cloud (Amazon VPC) environment. Expedia uses a multi-region, multi-availability-zone
architecture with a proprietary DNS service to add resiliency to the applications.
Risk analysis to cloud and Mapping with COBIT
There are several risks related to cloud usage for the firm. These include mainly the following risks:
a) Lack of control over security operations directly related to cloud-based IT resources used for
internal purposes.
b) Privacy concerns associated with sensitive and/or regulated data stored and/or processed by a
cloud infrastructure provider.
c) Lack of security visibility into the cloud services infrastructure.
d) Risk of a network breach between internal networks and cloud service providers.
Risk Management
AWS management has developed a strategic business plan which includes risk identification and the
implementation of controls to mitigate or manage risks for the clients. They re-evaluate the strategic
business plan at least biannually. This process requires management to identify risks within its areas of
responsibility and to implement appropriate measures designed to address those risks.
In addition, the AWS control environment is subject to various internal and external risk assessments.
AWS's Compliance and Security teams have established an information security framework and policies
based on the Control Objectives for Information and related Technology (COBIT) framework and have
effectively integrated the ISO 27001 certifiable framework based on ISO 27002 controls, the American
Institute of Certified Public Accountants (AICPA) Trust Services Principles, the PCI DSS v2.0,
and the National Institute of Standards and Technology (NIST) Publication 800-53 Rev 3.
Main Controls
AWS manages a comprehensive control environment that includes policies, processes and control activities
that leverage various aspects of Amazon's overall control environment. This control environment is
in place for the secure delivery of AWS's service offerings. The collective control environment encompasses
the people, processes, and technology necessary to establish and maintain an environment that supports
the operating effectiveness of AWS's control framework. AWS has integrated applicable cloud-specific
controls identified by leading cloud computing industry bodies into the AWS control framework.
To simplify the management of GDE, Expedia developed an identity federation broker that uses AWS
Identity and Access Management (AWS IAM) and the AWS Security Token Service (AWS STS). The
federation broker allows systems administrators and developers to use their existing Windows Active
Directory (AD) accounts for single sign-on (SSO) to the AWS Management Console. In doing so, Expedia
eliminates the need to create IAM users and maintain multiple environments where user identities are
stored. Federation broker users sign into their Windows machines with their existing Active Directory
credentials, browse to the federation broker, and transparently log into the AWS Management Console.
This allows Expedia to enforce password and permissions management within their existing directory
and to enforce group policies and other governance rules. Additionally, if an employee ever leaves the
company or takes a different role, Expedia simply makes changes in Active Directory to revoke or
change the user's AWS permissions instead of doing so inside AWS.
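The broker pattern described above, as an added example that is not Expedia's code: AD group membership is the only source of AWS entitlement, and the temporary STS credentials are packaged into the documented two-step console federation URLs. The group-to-role mapping, the account ID and the issuer URL are placeholders; the STS AssumeRole call and the HTTPS requests to the federation endpoint are left to the caller.

```python
"""AD-to-AWS console federation broker: decision logic and URL building.
Added example; the mapping, account ID and credentials below are constructed."""
import json
from urllib.parse import urlencode

FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"
CONSOLE_URL = "https://console.aws.amazon.com/"

# Hypothetical mapping: AD security group -> IAM role ARN (placeholder account ID).
GROUP_TO_ROLE = {
    "AWS-GDE-Developers": "arn:aws:iam::123456789012:role/GDEDeveloper",
    "AWS-GDE-Admins": "arn:aws:iam::123456789012:role/GDEAdmin",
}


def eligible_roles(ad_groups):
    """IAM roles a user may assume, derived solely from AD group membership.
    An empty list means no AWS access: removing the user from the AD group
    (or disabling the AD account) revokes console access without an IAM change."""
    return [GROUP_TO_ROLE[g] for g in ad_groups if g in GROUP_TO_ROLE]


def authorize(ad_groups, requested_role):
    """Deny any role the directory does not grant, even if it exists in IAM."""
    return requested_role in eligible_roles(ad_groups)


def signin_token_request_url(creds, session_duration=3600):
    """Step 1 of the console federation flow: wrap the temporary credentials
    returned by STS AssumeRole in the Session parameter of a getSigninToken
    request. The broker fetches this URL server-side and reads the token."""
    session = {"sessionId": creds["AccessKeyId"],
               "sessionKey": creds["SecretAccessKey"],
               "sessionToken": creds["SessionToken"]}
    query = urlencode({"Action": "getSigninToken",
                       "SessionDuration": session_duration,
                       "Session": json.dumps(session)})
    return f"{FEDERATION_ENDPOINT}?{query}"


def console_login_url(signin_token, issuer, destination=CONSOLE_URL):
    """Step 2: the login URL the broker redirects the user's browser to;
    the secret key never reaches the browser, only the short-lived token."""
    query = urlencode({"Action": "login", "Issuer": issuer,
                       "Destination": destination, "SigninToken": signin_token})
    return f"{FEDERATION_ENDPOINT}?{query}"
```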
Conclusion
Expedia uses AWS to develop applications faster, scale to process large volumes of data, and
troubleshoot issues quickly. By using AWS to build a standard deployment model, development teams
can quickly create the infrastructure for new initiatives. Critical applications run in multiple Availability
Zones in different Regions to ensure data is always available and to enable disaster recovery. Expedia
Worldwide Engineering is working on building a monitoring infrastructure in all Regions and moving to a
single infrastructure.
Generally, teams have more control over development and operations on AWS. When Expedia
experienced conversion issues for its Client Logging service, engineers were able to track and identify
critical issues within two days. Expedia estimates that it would have taken six weeks to find the script
errors if the service had run in a physical environment.
Exhibits
Figure 1: Service Models
Figure 2: Deployment Models
Figure 3: Cloud Computing Market Forecast
Figure 4: Framework for COBIT in cloud computing