cloud computing Ridwaan Boda Director | Technology, Media and Telecommunications

cloud computing · Why all the hype? • 83% of enterprise workloads will be in the cloud by 2020. • 41% of enterprise workloads will be run on public cloud platforms (Amazon AWS,


cloud computing

Ridwaan Boda

Director | Technology, Media and Telecommunications


Overview

• What is cloud computing?

• Types of cloud computing services

• Benefits of cloud computing

• Key risks associated with cloud computing

• technical, financial, contractual, regulatory and other

• the long arm of the US lawman (the CLOUD Act)

• the South African Reserve Bank Circular on cloud computing

• data privacy and cloud computing

• Developing a cloud strategy

• Use of AI in cloud computing


What is cloud computing?

• “cloud” refers to networks but primarily to the internet.

• traditionally, when drawing network diagrams, networks were cumbersome to depict so engineers represented them as clouds and in time the cloud shape was adopted as a symbol for all networks, including the internet.


What is cloud computing?

• there is no universal definition for cloud computing

• refers to the provision of computing services over a network, typically over the internet

• at its most basic it refers to users being able to access software, data and/or IT services through the internet on supplier servers rather than having and maintaining their own IT infrastructure for this purpose

• everyday examples include Gmail, iCloud, YouTube and Dropbox


Types of cloud computing services

• SaaS – Software as a Service

• IaaS – Infrastructure as a Service

• PaaS – Platform as a Service

• Cloud computing is offered through:

• public clouds

• private clouds

• hybrid clouds

• managed clouds

• Everything as a service


Why all the hype?

• 83% of enterprise workloads will be in the cloud by 2020.

• 41% of enterprise workloads will be run on public cloud platforms (Amazon AWS, Google Cloud Platform, IBM Cloud, Microsoft Azure and others) by 2020.

• An additional 20% are predicted to be private-cloud-based

• Another 22% running on hybrid cloud platforms by 2020.

• On-premise workloads are predicted to shrink from 37% today to 27% of all workloads by 2020.

(Source: Logic Monitor Cloud Survey as detailed by Forbes)

• It is now and the future!


Benefits of cloud computing (in theory)

• Potential cost savings / reduced IT spend

• Scalability / elasticity: cloud users pay for capacity which they use, which can be adjusted due to fluctuations in resource demand

• Allows data to be portable and instantly accessible from anywhere

• Collaboration efficiency / workforce mobility

• Business continuity / improved support and maintenance

• Almost zero upfront infrastructure investment (no capex required?)

• Just-in-time Infrastructure


Risks and challenges to embracing the cloud

• storm clouds?


Risks and challenges to embracing the cloud

• Technical including:

• lack of customisation

• network dependency

• lack of compatibility with existing systems

• Business continuity e.g. on insolvency of cloud providers

• lack of stability

• insufficient protection against malicious and unwanted software

• loss of control

• cybersecurity

• Contractual:

• Not always negotiable

• poor service levels

• onerous vendor contractual provisions

• supplier lock-in

• liability clauses not favourable


Risks and challenges to embracing the cloud

• Financial:

• Network costs

• Non-scalable models

• Bundled or “tied” purchases

• Professional services costs

• Data migration costs

• Licensing models not always favourable – per user, per named user, volume-based

• Switching costs

• Hidden costs


Risks and challenges to embracing the cloud

• Other Risks:

• Supplier lock-in (non-contractual)

• lack of transparency

• sharing of infrastructure / mixing of data

• post termination transfers and risks

• IP issues when migrating

• lack of experience / knowledge

• Lack of audit rights / weak audit rights

• Regulatory:

• access to data by foreign authorities (e.g. the Cloud Act)

• regulatory hurdles and constraints (e.g. The SARB Directive and Guidance Note)

• data protection


Regulatory – US CLOUD ACT

• SA companies concerned about access by foreign governments

• Patriot Act already has far-reaching implications

• The Clarifying Lawful Overseas Use of Data Act or CLOUD Act (H.R. 4943) is a United States federal law enacted in 2018

• Through the CLOUD Act, U.S. law enforcement officials at any level, from local police to federal agents, can force tech and other companies to turn over user data regardless of where the company stores the data.

• The CLOUD Act also gives the US executive branch the ability to enter into “executive agreements” with foreign nations, which could allow each nation to get its hands on user data stored in the other country, no matter the hosting nation’s privacy laws.

• Some larger cloud companies can appear to be trustworthy providers if they have data centres located in South Africa. But location means nothing if these companies are American-owned.


cloud computing directive D/3

Isaivan Naidoo

Director | Technology, Media and Telecommunications


Directive D3/2018

• Directive issued by the SARB regarding Cloud Computing and the offshoring of data

• The Directive sets forth the SARB requirements and related considerations for cloud computing and for the offshoring of data and must be read with the guidance note 5/2018

• Definition of cloud computing under D3

• As a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction

• Offshoring of data refers to the storage and/or processing of data outside of the borders of RSA


Directive 3

• The SARB expects banks to follow a risk-based approach:

• Bank's risk appetite

• Nature and size of the bank's operations

• When implementing any cloud computing or offshoring of data

• Banks are directed to:

• Comply with all the requirements set forth in this directive

• Provide the SARB with material information related to their cloud computing and offshore data arrangements

• Refer any uncertainty in respect of any matter under this directive to the SARB for further clarification


• The Directive requires that:

• Banks must have in place a formally defined and board-approved data governance framework

• Clearly defined policy which is aligned to the bank's business strategy and linked to its risk appetite

• Oversight of cloud computing and offshoring of data must be incorporated into governance structures and processes within the bank

• Risk and control frameworks must be designed to operate efficiently in order to manage the risks

• Prior to implementing any cloud computing or offshoring of data the bank must assess whether the risk involved falls within its risk appetite


• Prior to implementing any cloud initiative a due diligence should be undertaken

• Measures must be instituted to ensure the confidentiality, integrity and availability of its data

• Remain compliant with all applicable legislation both locally as well as in any country where the cloud service or data is hosted

• The use of the cloud service or offshoring of data must in no way infringe on a bank's regulatory access to information, nor must it prevent any bank regulator's ability to fulfill their duty

• Banks must ensure that they have contingency plans to continue to meet their core obligations despite any cloud services or offshoring of data


• IP rights and contractual rights to data must not be compromised. Data must always be in a usable, readable and portable state even when the cloud contract is terminated

• Cloud computing arrangements or offshoring of data must not prevent the bank from conducting any audit or investigation

• A legally binding agreement must document the cloud service or offshoring data service


Guidance Note

• The Guidance Note was issued by the SARB to give guidance to the banks in order to meet the directives identified above. Banks must consider classification of data, materiality of the activity outsourced, level of risk, mode and form of cloud computing and offshoring of data. A bank's data strategy should include at the very least:

• 1. the manner in which the bank classifies its data;

• 2. in which jurisdictions the data may be stored;

• 3. which service and deployment models are applicable to the classifications of data;

• 4. which security requirements will apply to the different data classifications; and

• 5. the process in respect of the bank's data loss and breach requirements.


Guidance Note

• Put simply, the bank must put in place a strategy as well as formal policies and robust contracts to ensure that the service provider rendering the cloud services or offshoring of data takes steps to assist the bank in its compliance efforts. Some of the suggested proactive steps that banks should adopt are set forth below:

• 1. first conduct a due diligence of the supplier, know your supplier, cut through the sales talk and glossy marketing material;

• 2. review the contract terms and ensure that such terms address inter alia data security, data sovereignty, security standards, data backups, audit rights and data recovery in addition to other negotiated terms that are best practice for cloud transactions;

• 3. scrutinize the vendor's standard terms; do not just accept what is put in front of you without checking how the vendor will assist with ensuring that the bank remains compliant. This is also in keeping with sound IT corporate governance;

• 4. ensure that as an organization you are acutely aware of what data is being processed or offshored. This can only be accomplished by implementing a sound enterprise-wide data strategy; and

• 5. ensure that, as a bank, sound policies and procedures exist in order to benchmark any vendor cloud offering against not only the aforementioned directive but also against the bank's own risk appetite.


Your Cloud Strategy


Your Cloud Strategy

• First, take one step back:

• Reminder: IT Governance is a Board imperative

• Is Cloud a commodity?

• Your data is NOT a commodity

• Ingredients of a dangerous cocktail:

• Ignoring IT Governance

• The “I Accept” Button

• The Corporate Credit Card

• Supplier Terms and Conditions not vetted / no risk analysis conducted

• A “cowboy” IT guy


Your Cloud Strategy

• Know your supplier

• Deal with data risks

• Ensure that you receive a quality service

• Understand the total costs of the transaction

• Cyber Insurance

• Contracting process

• Understanding set up and migration risks


Your Cloud Strategy

know your supplier

• cut through the sales talk

• due diligence

• subcontractors

• client testimonials

• site inspections

• proof of concept

• review terms and conditions

• other mechanisms

• policies and procedures


Your Cloud Strategy

data – the new oil!

• Migration and migration costs

• location

• data export restrictions / data sovereignty

• handling personal information

• integrity

• Security (including testing)

• back ups and retention

• Accessibility - authentication

• dealing with requests – regulatory, customer and PAIA

• regulatory compliance (including POPI)

• transfers upon termination (including metadata)

• policies and procedures – including sensitive databases, cybersecurity / off-site hosting, remote access, password policies, data retention policies, BYOD, data request procedures, security compromises policy

• POPI – Operator Agreement / GDPR – Data Processor Agreement


Your Cloud Strategy

ensuring quality

• service levels –

• you get what you pay for!

• availability

• call logging?

• support?

• reporting?

• redundancy

• DR and BCP

• audit rights

• contractual mechanisms such as warranties


Your Cloud Strategy

• financials –

• Understand set up costs

• importance of negotiation

• minimum volume commitments?

• billing accuracy

• billing terms

• total cost - pay-as-you-go versus committed costs

• indirect costs

• Cloud / cyber insurance

• Other issues to be addressed

• audit rights – regulated industries such as banks

• open source software

• IPR (including third party software restrictions)

• liability provisions and exclusion clauses

• termination provisions

• termination / expiration assistance….transition services


Your Cloud Strategy

Contracting Process

• importance of a strong contract

• vendor or customer’s paper?

• importance of backing up with your own policies and procedures

• monitoring, governance and enforcement

• Reporting

• having your own risk matrix – essential!


ENSafrica’s Cloud Risk Matrix

• Developed on a compare, comply and explain basis – ie gap analysis

• Factors in risk assessment on all risks identified

• Factors in your company's specific policies

• Used as a basis for crafting own agreement or determining mark ups to supplier agreement

• Documents your key risks


Artificial intelligence in Cloud

Rakhee Dullabh


2019 predictions

Among companies that adopt AI technology, 70% will obtain AI capabilities through cloud-based enterprise software

65% will create AI applications using cloud-based development services

By 2020, enterprise software with integrated AI and cloud-based AI platforms will reach an estimated 87%


What is artificial intelligence?


“The theory and development of computer systems able to perform tasks normally requiring human intelligence, such as visual perception, speech recognition, decision-making, and translation between languages.”


Machine vision

Speech processing

Robotics

Natural language processing

Machine learning

Expert System


The intersection of Cloud and AI

• Salesforce and Einstein – Learns from all that data to deliver predictions and recommendations based on your unique business processes.

• SAP and S/4 Hana Cloud – AI system that can be integrated with chat to offer automated support to customers by offering in-context chat that utilizes SAP’s uniquely interlinked system.

• Crowdstrike – Use cloud analytics to stop advanced threats and harness the power of big data and AI to empower customers with instant visibility and protection across the entire threat lifecycle


Concluding Remarks

“(T)he rise of the cloud is more than just another platform shift that gets geeks excited. It will undoubtedly transform the information technology industry, but it will profoundly change the way people work and companies operate. It will allow digital technology to penetrate every nook and cranny of the economy and of society, creating some tricky political problems along the way.” – The Economist

• loads of benefit in entering the cloud but not without risk

• a well-developed cloud strategy and risk management practice is essential

• Importance of contracts, policies and procedures – ie matrix

• training and awareness is critical before embracing the cloud