1

IPA Victorian Congress 20163-4 March, Torquay

Data in the cloud,head in the sand?

Presented byDavid Sauer

2

Disclaimer

© David Sauer, Chartered Accountant March 2016 – all rights reserved

This presentation is intended for instructional purposes only to be used in conjunction with a spoken presentation.  It is general information only, and is not specific business advice, legal advice or financial product advice and no person should rely on the contents without first obtaining advice from a qualified professional person acting in that role or reference to source materials such as accounting standards.  Nevertheless, all care has been taken in preparing this information to the time of its distribution at the training event. David Sauer Chartered Accountant and related entities, officers and employees do not accept any contractual, tortuous or other form of liability for this content or for any consequence arising from its use or for omissions or errors, including responsibility to any person by reason of negligence.

What is the cloud?

3

4

5

What is the cloud … really?

Store and access data and programs over the internet instead of building and maintaining 

infrastructure

Store and access data and programs over the internet instead of building and maintaining 

infrastructure

Use third-party suppliers to provide shared IT services and resources, as much as you want, when you want it

Use third-party suppliers to provide shared IT services and resources, as much as you want, when you want it

Shifting to the cloud is nothing less than a complete transformation of business processes

Shifting to the cloud is nothing less than a complete transformation of business processes

Cloud models

• Infrastructure as a Service (IaaS)– you use the provider’s hardware: processing, storage, networks

– you provide your devices and your software

• Platform as a Service (PaaS)– the provider’s hardware, plus

– programming languages and tools to support software you have created or acquired

• Software as a Service (SaaS)– provider’s hardware and software applications provided

6

Familiar? All SaaS.

Cloud models

• Infrastructure as a Service (IaaS)– you use the provider’s hardware: processing, storage, networks

– you provide your devices and your software

• Platform as a Service (PaaS)– the provider’s hardware, plus

– programming languages and tools to support software you have created or acquired

• Software as a Service (SaaS)– provider’s hardware and software applications provided

• Business Processes as a Service (BPaas)– combines elements of IaaS, PaaS, SaaS

– combines the other models to deliver business processes, eBay, PayPal

7

Cloud deployment models

• Private cloud– for one organisation; can be run by a provider off premises

• Community cloud– supports a specific community that has shared concerns (eg mission, security requirements, policy and 

compliance considerations); can be run by a provider off premises

• Public cloud– owned by a provider and available to the (paying) general public: multi‐tenancy

• Hybrid cloud– individual clouds (of any deployment) bound together by standardized or proprietary technology that 

enables data and application portability (eg cloud bursting for load‐balancing between clouds)

Cloud deployment models

Private

Community

Public

Private Public

Community

Hybrid

8

How would you use the cloud?

Cloud‐gazing

Three tenets of cloud computing: it must be

accessible

reliable

secure

9

Accessible• Data maintained in (agreed) usable form• Ready access to backup for recovery• Maintenance outages scheduled, reported• Technical support, help desk (24/7)• Immediate response to unscheduled outages• Provider's infrastructure capacity• Resource democratisation (multi‐tenancy)• Only ever an internet connection away• Web front ends, portals• File sharing, eg Dropbox• Mobile devices: access any time, any place, any device

Reliable

• Data integrity is essential

• Services continuously monitored– including constant updates on software and applications

• ISP reliability: yours and theirs

10

Secure

• Small businesses and individuals are increasingly targeted by cybercriminals

• Provider can devote more resources:– continuous monitoring

– continuous upgrade of operating, application and anti‐virus software, including patches

– rapid detection and flexible response to security breaches

• NIST Cybersecurity framework (ASIC Report 429):– Core: identify, protect, detect, respond, recover 

– Implementation Tier: degree of sophistication and rigour an organisation employs:• Tier 1  Partial: ad hoc or reactive basis

• Tier 4  Adaptive: Practices updated 'in real time'; immediate response

Secure

• Provider now handling backup, disaster recovery– automatic and continuous

– with no need to change media

– services

• partial‐file backup

• backing up multiple drives

• capacity to test retrievals periodically

• to avoid heavy internet usage initially and on recovery:

– seeded backup ‐ the initial backup is sent to the provider on disk

– restore to door – large amounts of recovered data are returned on disk via courier

11

The silver lining

• Infrastructure costs– hardware: pay only for what you use

– ‘instant’ scaling up and down

– licensing latest software, no upgrade time or costs

– software and applications are generally cheaper; some are even free

– operating expenditure, not capital expenditure

$ ¥ €

Cloud‐gazing for the accountant

• General‐ledger applications, eg Reckon Xero– accessed by the client, eg via your browser‐based portal

• Superannuation, eg Class Super, BGL

• Licensing office software, eg Microsoft 360

• Client communication, for document review and authorisation

• Specialist apps• constantly developing, expanding and refining

• increasing attention to interoperability, linking apps

12

Cloud danger

13

Cloud questions

• Is it legal?

– Privacy legislation

– Am I breaching record‐keeping obligations?

• Is it professional?

– Should I tell people?

• Is it an acceptable risk?

Getting it right

14

In summary, you can…

Plan

•What you are willing to have in the cloud?

•Accessibility

•Reliability / integrity

•Security

Can’t control risks?  Can you contract out?

Can’t contract out?  Can you insure?

David SauerB. Com. FCAPrincipal

David Sauer, Chartered Accountant

David offers a sounding board and resource for all matters relating to technical financial reporting, audit, reporting legislation and professional standards.  David uses 30 years of experience in professional services to help you understand what you need to do in a changing world.

Specialisations: • Training tailored for all levels of professional experience• Conversion of the complex into clear messages• Professional services firms and their client relationships• Financial reporting advice

david.sauer@davidsauer.com.au+61 3 9431 0518

• LinkedIn:  au.linkedin.com/pub/david‐sauer/18/386/159/

15

IPA Victorian Congress 2016 Page 1 of 6

Data in the cloud: Head in the sand?

PLANNING FOR THE CLOUD 1. Consider your move to the cloud in the bigger picture of information security and cyber resilience.

a. Understand your trigger point - moving premises, business acquisition, rapid expansion, cyber attack on in-house IT.

b. Understand the operational side of your business and how the tools and procedures currently in use enhance or diminish your cyber security and resilience.

c. Understand your governance and compliance obligations; use enhanced security to drive compliance, not vice-versa.

d. Transform your current IT practices by determining how your information-security strategy aligns with your business strategy and the overall desired results for your business.

2. When you've decided what needs to be done, study the new technologies and design your cyber architecture framework to break down barriers and remove existing biases that may hamper fundamental change. a. Identify the real risks: focus on critical functions and high-value data; determine your acceptable

level of risk; chart how information flows in your organisation and how to optimise that flow with combinations of cloud models (eg BPaas) and deployment models (eg public, private and community hybrids).

b. Make change management an integral part of the transition. c. Assume security breaches will occur and balance operational efficiency with threat management d. Build information security into the culture of your organisation, aligning all aspects of security,

especially investing in employee awareness and ownership of responsibility e. Sustain your commitment, giving security high priority at board and managerial level, solid

resourcing, and follow-up. MANAGING RISK IN THE CLOUD 1. GOVERNANCE, LEGAL DISCOVERY, COMPLIANCE AND AUDIT

a. Governance and enterprise risk management The loss of physical control of data in moving from in-house infrastructure to the cloud affects governance in complex ways. Agreements, contracts and cloud-provider documentation play a much larger role in risk management. In the multi-tenancy environment of public and community clouds, some of your audit and assessment practices and internal controls will no longer be available. Exposure to risk and capability of managing it has to be aligned with the risk tolerance of the organisation. Cloud computing has been described as "gracefully losing control while maintaining accountability even if the operational responsibility falls upon one or more third parties." i. Determine risk exposure before development requirements for a cloud-computing project.

ii. With SaaS, most information will have to come from the cloud provider. Include clear and comprehensive analytical information reporting in your contract. Providers should include metrics and controls to assist customers with their information risk management requirements.

iii. Cloud services can be seen as supply-chain security issues, requiring assessment of the providers' supply chain and third-party management. Assess the provider's incident management, business continuity, disaster recovery policies and procedures, including review of co-location and backup facilities. Obtain clear documentation on risk assessment, auditing, mitigation of control weaknesses, definitions of critical services and KPIs and how these are measured.

iv. Consider how cyber risks affect your directors' duties and annual director report disclosure requirements

b. Legal and electronic discovery The provider now forms a third party between the organisation and its data which differs from traditional outsourcing in timing of service (on-demand and intermittent), potential anonymity of identify of third-party provider(s), and potential anonymity of the geographical location of the server(s) housing the data and backups. Knowing the geographical location of data is essential to ensure compliance with local laws restricting the cross-border flow of data, yet geographical

IPA Victorian Congress 2016 Page 2 of 6

Data in the cloud: Head in the sand?

location can shift rapidly as the provider maximises use of the resource pool, the very flexibility which underlies the cloud's financial viability. Courts are now considering information-security management systems to be critical in determining whether digital information may be accepted in evidence. Legal requests for data need a unified response from customer and provider, and providing data must not compromise the security and privacy obligations of other information during its extraction. Critical to this is the question of who owns the data: the customer must ensure that it retains ownership of the data in its original and authenticable format and that this will be recovered by the customer on termination of the relationship, especially if the provider goes out of business. Bear in mind that the laws governing the sovereignty of data can vary depending on geographical location.

c. Compliance and audit Understand the regulatory framework governing cloud services, the compliance responsibilities of each party, and the provider's ability and willingness to produce evidence needed for the customer's compliance. Verify whether the provider's audit statement meets your requirements, including appropriate provider certifications such as ISO/IEC 27001 certification or ISO 27002 practices, and include a 'right to audit' clause wherever possible. Where possible, use an auditor who is 'cloud aware'. Bear in mind that some regulatory controls are difficult or impossible to achieve in certain types of cloud services. For example, although data is the responsibility of the customer and not the provider, source pooling risks the customer having no knowledge or control over the data's physical location. In 2012, Ernst & Young (Ready for takeoff: Preparing for your journey into the cloud) reported that an unidentified company breached data-protection laws when the provider moved its data centres outside the permitted geographical location without notifying the company. The company incurred penalties and had to change provider.

d. Information life-cycle management In their life, data are created, stored, used, shared, archived and ultimately destroyed. Using the cloud raises challenges of data security, their geographical location, their persistence, the commingling of confidential and non-confidential data within and between customers, backup and recovery processes, and data aggregation and interference (such as in relational databases). It is imperative to understand how data integrity is protected and how any compromise is to be detected and reported to the customer. Compliance demands that the customer knows the geographical location of data, and this must be stipulated in the contract. Responsibility for controls throughout the life cycle must be clearly allocated between customer and provider. Understand when data may be disclosed by the provider to a third-party, including seizure by government entity, as well as the provider's capacity to search and view inside the dataset. Encryption of data in storage, backup and transit is essential, with different keys in multi-tenancies. For all security issues, negotiate penalty clauses to ensure the provider is accountable for breaches.

2. SECURITY AND PRIVACY a. Identity and access management is one of the greatest challenges facing IT today. It includes the

adding and removing of users, authentication of users as they log in, and user-profile management. Cost savings in using the cloud must be balanced against the costs of managing identification risks. Passwords are a significant source of vulnerability: - unimaginative and easily guessed passwords, - using the same or similar passwords for multiple logins, and - not changing passwords frequently. Password rigour is enhanced by: - enabling two-factor authentication, eg a code sent on login by SMS to the user's phone, - giving bogus but memorable answers to security questions (not the genuine information on your facebook and LinkedIn pages, and - using exclusively for password recoveries a unique, secure email address with an obscure username.

IPA Victorian Congress 2016 Page 3 of 6

Data in the cloud: Head in the sand?

Users are also susceptible to social engineering (the psychological manipulation of people into performing actions or divulging confidential information on or about an information system), such as phishing emails, bogus security alerts, and sharing personal information that compromises organisational security (such as the IT staff members who tweeted about holidaying without computer access, triggering an increased number of hacking attempts on the organisation).

b. Encryption underlies the viability of all electronic storage and transfer. Customer and provider must clearly identify who is responsible for encryption key schemes. This is influenced by the cloud model in use: responsibility usually lies with the customer in IaaS and with the provider in SaaS providers. However, although mobile devices are increasingly used to access the cloud, a survey by Ernst & Young in 2012 found that just 40% of organisations used some form of encryption on mobile devices, despite a report by Symantec in 2014 that 38% of mobile users have experienced cybercrime.

c. Mobile devices now routinely access and download data traditionally secured behind a network firewall. Given the anticipated increase in mobile-device access, and the increased use of employee BYO devices, Gartner recommended managing device diversity by introducing a two-tier system of organisation-preferred and organisation-tolerated devices, the latter having access only to skeleton corporate functions. Alternatively, a parallel guest network could provide internet access to employees. Consider also a policy of apps such as MyIT which allow the IT department to monitor mobile-device use or turn off cameras, applications or access to social media sites. Most mobile devices have built-in security features such as: - PIN and/or password, - facial or voice recognition locks, - the ability to erase data remotely on a device if it is lost or stolen, and - the ability to disable the device remotely. The simple habit of logging out of systems when they are not in use is a major protection, as is ensuring that, at the end of a session, no corporate data are left on the mobile device.

d. Viruses and malware can be introduced via unsecured mobile devices, such as memory sticks, which are rarely encrypted, or by the unstoppable urge of employees to circulate 'funny' emails. Vulnerabilities can also be introduced by apps provided by the provider's third-party suppliers.

e. A Virtual Private Networks (VPN) allows secure connection to a remote network via the internet and is particularly useful for connecting multiple networks together securely. It encrypts internet traffic, protecting when on a public or untrusted network such as an internet café. It can also circumvent regional restrictions on certain websites by using a VPN of the appropriate region.

f. Multi-tenancy architecture in the public and community clouds can compromise security if encryption keys and access management are lax or compromised. For example, data from one company can be compromised if another company on the same cloud service is being hacked.

g. Data loss and leakage can result from sophisticated cyber attacks but more often derive from employees losing unencrypted memory sticks, access devices and laptops. A survey by Ernst & Young found 37% of respondents saw careless or unaware employees as the greatest increase in risk, with the number of actual incidents of data loss due to employees rising by 25%.

h. Security governance of the provider. The provider must secure data against not only external but also internal threat. Providers should demonstrate all traditional security procedures for personnel, from background checks to limiting data access and knowledge to that needed to carry out their duties. As well as scrutinising the provider's internal and external security controls, their adherence to industry standards and legal requirements, and their disaster recovery and business continuity plans, customers should inspect the provider's physical facilities wherever possible. It should be noted that providers generally do not guarantee the security of data in their cloud. It should also be

IPA Victorian Congress 2016 Page 4 of 6

Data in the cloud: Head in the sand?

noted that the development of standards is driven by consensus and is thus a lengthy process. The development of standards for cloud computing has barely begun.

i. Auditing information security: - assessments performed by internal audit function - internal self-assessments by IT or information security function - assessment by external party, and - monitoring and evaluation of security incidents and events.

j. Notifying a cyber attack i. How would you notify law enforcement and other businesses of a cyber attack?

1. If you are a small- to medium-sized business, the Australian Cybercrime Online Reprting Network (ACORN) allows you to report securely cyber attacks that may be in breach of Australian law.

2. If you are a large business, the Australian Cyber Security Centre (ACSC) through CERT Australia [Computer Emergency Response Team] allows you to report securely cybersecurity incidents to the Australian Government.

ii. How would you notify your customers or clients of a breach of their personal data? You should consider any obligations that you may have under privacy law. Refer to The Data Breach Notification Guide: A guide to handling personal information security breaches, by the Office of the Australian Information Commissioner.

k. Cyber resilience is an ongoing focus in ASIC's surveillance of entities that it regulates (see for example in Report 429). These include: - Australian Financial Services licensees, who must have an adequate risk management system and resources. Some of you hold an AFS licence, and others are auditing the compliance of licensees - both groups have issues to address. For example, ASIC expects regular reviews of the adequacy of your technological resources, such as IT system security, disaster recovery systems and business resumption capacity - Credit licensees - Entities disclosing risks when they issue financial statements, prospectuses or continuous disclosure announcements - Entities who are subject to the 2009 Privacy Act and must take reasonable steps to protect personal information.

3. SERVICES

a. Provider operations By effectively pooling IT resources, cloud customers gain efficiencies and economies of scale over in-house, stand-alone infrastructure which has historically been sized to meet peak demand. Providers seek to maximise resource usage. Customer and provider, therefore, do not share the same perspective. Customers must determine how to evaluate the provider's capacity to deliver services which are secure and meet the customer's IT needs whilst being competitively priced. In maximising profitability, some providers might compromise customer data integrity and security. The customer needs to understand how the provider implements the five essential characteristics of the cloud (broad network access, rapid elasticity, measured service, on-demand self-service, and resource pooling) whilst meeting agreed service levels and security requirements.

b. Contract conditions Cloud-provider contracts often include non-negotiable terms regarding: - customer's ability to audit - legal recourse of incidents - which party owns data stored, and - key elements of service, eg level or percent of availability and storage space allotted.

IPA Victorian Congress 2016 Page 5 of 6

Data in the cloud: Head in the sand?

c. Service-level management The service-level agreement is one of the major considerations for cloud customers, negotiating the agreed level of service that the provider will supply and the enforceable penalties for failure to comply. Although a key factor is the uptime percentage, there are many more elements. Aspects to consider include: - the time period included in the calculation of uptime and availability - performance degradation as opposed to hard downtime - the penalties for failing to meet the agreed level of service - how to request a credit for downtime - provider's exclusions and caveats which can indicate how and how often the provider anticipates its service to fall below its contracted level of service.

d. Incident management Customers and providers must agree on the difference between a notifiable incident such as a security breach and a mere event such as an attempted intrusion. Many insignificant reports can overwhelm or dull incident responses. In the event of a security breach, both parties must clearly understand the incident response process, with clear communication paths. There may be a need to restore the system to an earlier configuration, possibly even several months earlier, bearing in mind legal requirements and the need to support forensic recording of incident data. All of these issues can differ according to geographical location; knowing the geographical location of the customer's data and backup is vital. A complicating factor can be if the provider has subcontracted storage or backup responsibilities to a third-party. The conditions for use of third parties must be carefully considered in the contract.

e. Changing provider It may be necessary or desirable to change provider for various reasons, perhaps due to cost increases or decrease in service quality or because the provider closes one or more services. However, changing provider on all cloud models except IaaS can be difficult. When migrating between SaaS providers, the key challenges are extracting data and metadata in a format compatible with the new provider's software, assuring consistency of controls from old to new provider, and assuring total erasure of data and backups from the old cloud. A cloud-provider contract should define minimum criteria for service termination, including data ownership, asset return, data privacy, destruction and migration.

4. TECHNOLOGY a. Infrastructure capability

As noted under 'Provider operations', it is in the provider's financial interest to minimise the idle time of computing resources. This conflicts with the customer's instant scalability of computing resources and may lead to outages or overload of the provider's infrastructure in times of peak demand by multiple tenancies.

b. Application development and support Just as data have a lifecycle, so do software and applications. The effect depends on the cloud model in use. Data must be protected in all stages, from application design to operation to ultimate decommissioning. New security vulnerabilities inadvertently introduced in updated versions of software and newly discovered vulnerabilities in software no longer being updated are well known risks which can apply equally to cloud-based SaaS. Particularly in SaaS, there can be little capacity to adapt or customise applications, and multiple applications may have problems with integration. Customer and provider systems must be able to communicate with each other, but industry standards are lagging behind the rapid growth of cloud services.

IPA Victorian Congress 2016 Page 6 of 6

Data in the cloud: Head in the sand?

c. Internet service provision: limits and reliability Migration to the cloud makes internet access for both customer and provider critical, both speed and bandwidth. Bear in mind that speeds are asymmetrical: upload speeds (writing to the cloud, backing up data) are often substantially slower than download speeds. Large data transfers and times of peak usage can slow down speed of access for all users. Bear in mind also that different devices access different speeds: internet speeds on some mobile wireless devices may be effectively unworkable for large volumes of data.

5. ORGANISATIONAL a. Cyber risk insurance

ASIC's Report 429 notes the "increasing appetite for, and developments in, targeted cyber insurance liability cover." ASIC notes that current forms of business continuity or professional indemnity cover might not adequately cover the losses of a cyber attack. Cyber risk insurance can cover risks such as: i. data or privacy breach.

ii. media liability, such as defacement of a website or infringements of intellectual property, iii. extortion liability, such as Ransomware, and iv. network security liability, such as denial-of-service or theft of data.

b. Financial value of the investment (ROI)

A major challenge for IT leadership is weighing the total cost of an IT service against its potential return. This challenge is perhaps even harder for cloud computing. Assessment must include short, medium and long term goals, termination costs, and tangible and intangible benefits. The July 2012 ISACA white paper Calculating cloud ROI: From the customer perspective contains a framework for calculating ROI for the cloud.

© David Sauer, Chartered Accountant May 2015 – all rights reserved This presentation is intended for instructional purposes only to be used in conjunction with a spoken presentation. It is general information only, and is not specific business advice, legal advice or financial product advice and no person should rely on the contents without first obtaining advice from a qualified professional person acting in that role or reference to source materials such as accounting standards. Nevertheless, all care has been taken in preparing this information to the time of its distribution at the training event. David Sauer Chartered Accountant and related entities, officers and employees do not accept any contractual, tortuous or other form of liability for this content or for any consequence arising from its use or for omissions or errors, including responsibility to any person by reason of negligence.