Controlling the Internal Cloud

Recently, Gartner conducted a survey of 1,300 corporate software buyers and identified that about 11% of companies are deploying internal clouds or planning to do so. By 2012, Gartner predicts that private clouds will account for at least 14% of the infrastructure at Fortune 1000 companies, which will benefit from service-oriented, scalable and elastic IT resources. That may not seem like a huge amount, but it’s a sign that private clouds are real. Why? The benefits are just too great. We’ll let the virtualization vendors tell you all the business benefits of applying this technology.

In this paper we will focus on the changes in the control structure that this technology brings. Whether you have to worry about Sarbanes-Oxley, PCI, HIPAA, GLBA or just about any other regulation, there are some nuances you should consider if you make the decision to migrate to an “internal cloud”.

For those less technical, think of an Internal Cloud as one or more physical computers on which you can define a variable number of virtual servers (computers).

There are generally eight IT General Controls that need to be addressed in any type of regulatory environment. Most of these areas are affected in one way or another by the Internal Cloud.

Application Development – these controls address making and implementing changes to applications. Most controls apply equally in non-cloud and cloud environments. The cloud may force some additional controls, or additional tests of existing controls, depending on the configuration options in your data center. Note that some legacy applications may never be compatible with a cloud environment.

Data Backup – these controls assure that data backups are taken regularly and that the application can execute on the backup copy. These controls should be very similar in both environments, except where server-level backups are used, since application data can potentially span multiple virtual servers.

Operations Change Management – these controls address event and performance monitoring, operating system and anti-virus software. Although they are logically the same in both environments, the specific controls in the virtual environment are fundamentally different.

Data Interface Controls – these controls address the transfer of information between applications and can be affected if the application was not built to operate in a cloud environment.

Governance Controls – these controls address policies and procedures and dealing with third parties. They apply in both environments; however, the cloud environment is likely to introduce a few more policies.

Logical Application Security – these controls address granting access (login and password) to applications. In the cloud environment, however, application coding techniques can leave applications more vulnerable than in a non-cloud environment. You may want to consider a third-party vulnerability assessment for critical applications.

Logical Network Security – these controls address granting access to the overall network. These controls should be similar in both environments. In the cloud environment, logging who actually accessed each system and comparing that record against who was authorized to have access may be necessary.

Physical Security – these controls address who has physical access, and environmental controls, for the computers. These should be the same for both environments.
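The Logical Network Security control above calls for comparing who actually accessed the virtual servers against who was approved to. The following is an added example of that reconciliation, not code from Visage Solutions or from this paper; the log line format, host names, user names and the approved-access list are all constructed for illustration. It reports three things an auditor would want: access by users who were not approved, approved users who never used their access (candidates for removal), and virtual servers that appear in the logs but have no entitlement record at all, which is the kind of drift an elastic environment makes easy.

```python
"""Reconcile actual access to virtual servers against the approved-access list.

Added example (hypothetical log format and data), not from the original paper.
"""
import re
from collections import defaultdict

# Constructed access-log lines. Format is hypothetical: timestamp, user, action,
# host, result. A real environment would export this from the hypervisor,
# jump host or directory audit log.
ACCESS_LOG = """\
2009-06-01T08:02:11Z user=alice action=login host=vm-erp-01 result=success
2009-06-01T08:05:43Z user=bob action=login host=vm-erp-01 result=success
2009-06-01T09:17:02Z user=carol action=login host=vm-hr-02 result=success
2009-06-01T09:20:55Z user=dave action=login host=vm-hr-02 result=failure
2009-06-01T10:01:30Z user=alice action=login host=vm-hr-02 result=success
2009-06-02T07:45:12Z user=bob action=login host=vm-erp-01 result=success
2009-06-02T11:30:00Z user=bob action=login host=vm-test-09 result=success
"""

# Constructed entitlement list: which users are approved for which virtual server.
APPROVED = {
    "vm-erp-01": {"alice", "bob"},
    "vm-hr-02": {"carol", "erin"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"host=(?P<host>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, user, host) for each successful login; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line: ignore rather than crash the review
        if m["action"] == "login" and m["result"] == "success":
            yield m["ts"], m["user"], m["host"]


def reconcile(log_text, approved):
    """Compare actual successful access with the approved list.

    Returns a dict with:
      unapproved    : {host: {user: [timestamps]}} access by users not on the list
      unused        : {host: set(users)}           approved users who never logged in
      unknown_hosts : set(hosts)                   hosts in the log with no entitlement record
    """
    actual = defaultdict(lambda: defaultdict(list))
    for ts, user, host in parse_log(log_text):
        actual[host][user].append(ts)

    unapproved = {}
    unknown_hosts = set()
    for host, users in actual.items():
        if host not in approved:
            unknown_hosts.add(host)
            continue
        extra = {u: stamps for u, stamps in users.items() if u not in approved[host]}
        if extra:
            unapproved[host] = extra

    unused = {}
    for host, allowed in approved.items():
        idle = allowed - set(actual.get(host, {}))
        if idle:
            unused[host] = idle

    return {"unapproved": unapproved, "unused": unused, "unknown_hosts": unknown_hosts}


if __name__ == "__main__":
    report = reconcile(ACCESS_LOG, APPROVED)
    for host, users in report["unapproved"].items():
        for user, stamps in users.items():
            print(f"REVIEW: {user} accessed {host} without approval at {', '.join(stamps)}")
    for host, users in report["unused"].items():
        print(f"PRUNE?: {', '.join(sorted(users))} approved on {host} but never logged in")
    for host in sorted(report["unknown_hosts"]):
        print(f"UNTRACKED: {host} has logins but no entitlement record")
```

On the constructed data this flags alice on vm-hr-02 (access without approval), erin on vm-hr-02 (approved but unused) and vm-test-09 (a server with logins but no entitlement record). Failed logins are deliberately excluded from the reconciliation, since the question here is who actually had access, not who tried; a separate control would review the failures.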

In summary, controlling the internal cloud for regulatory purposes is fairly similar to traditional controls, except for change management and potentially backup and recovery. There should be a few different, and potentially more, controls around performance monitoring, and these should be addressed by your virtualization software. The information security controls should not be substantially different, provided that the environment your application is “sharing” is controlled by you and has a similar security profile. If you are considering migrating to a virtual environment, make sure your information security inventory is accurate and distribute the applications accordingly.

About Visage Solutions – www.VisageSolutions.com

Visage Solutions is a consulting company operating in the areas of regulatory compliance, risk assessment, information security, risk management and compliance processes. Utilizing our proprietary SingleVue™ and OpsAudit™ methodologies, the company focuses on assisting business entities in mitigating operational risk. Visage has provided solutions to a client base ranging from private, entrepreneurial companies to large multinationals. Our team is comprised of experienced executives, managers and consultants who can assist clients with the development, implementation and execution of their risk management and compliance strategy.

"The Visage Risk assessment tool and methodology allowed us to respond to the risk assessment requirements of the FFIEC in a timely and cost effective manner."
Robert Kernodle, SVP and Risk Officer of Cornerstone Bank

"Although there is always a degree of subjectivity in any risk assessment, the Visage Risk Assessment tool and methodology is one of the best I've seen in removing subjectivity and providing the underlying support for the scoring system."
Patrick Camblin, Senior Partner in Camblin CPA, PLLC

Copyright © 2009 Visage Solutions, LLC.