CLOUD COMPUTING APPLYING THIS NEW TECHNOLOGY TO YOUR PRACTICE

Transcription

1 CLOUD COMPUTING APPLYING THIS NEW TECHNOLOGY TO YOUR PRACTICE Douglas W. Barbin, CPA, CISSP, PCI QSA, CCSK BrightLine CPAs & Associates, Inc. November 4, 2011

2

3

4 Divorced after 72 Days

5

6 AGENDA ANDOVERVIEW What is the hype that is cloud computing? What are the opportunities for a CPA firm to utilize cloud services? What are the risks and challenges associated with cloud computing?

7 THEFLAVORS ANDFEATURES OF THECLOUD Cloud computing is defined by how it is delivered. If a provider cannot not articulate this clearly, be concerned

8 Infrastructure-as-a-Service SERVICEMODELS Provider hosts physical hardware Customer manages operating platform and application Platform-as-a-Service Provider hosts hardware, operating platform Customer manages application Software-as-a-Service Service provider hosts hardware, operating platform, & application

9 OPPORTUNITIES FORYOU ANDYOURCLIENTS Business Value Pay-per-use Lower technology barrier to entry Grows with the firm Lower risk* Infrastructure failure Laptop failure Security Cloud providers compete on price and ease of use Functional Opportunities Finance and accounting Sales and marketing automation Human resources and recruiting Time and expense reporting Travel planning / coordination Business process enablement Client collaboration * Denote risks that must be evaluated

10 RISKS OFCLOUDCOMPUTING Not all cloud providers are created equal! It is critical that a CPA firm understand: 1. Where data/equipment is located 2. How data/equipment is secured Physical security Access control Administrative management Data Protection (encryption) 3. How availability is maintained Environmental controls (fire, power, etc.) Network and systems availability Backup services 4. How the service and controls are monitored stories/risk-evaporation-part-1 Most importantly, you must understand what YOUR responsibilities are as the customer (a.k.a user controls)

11 USINGAICPA SOC REPORTS FOREVALUATION SOC = Service Organization Controls SOC 1 = SSAE 16 (the new SAS 70) SOC 2 Used when services do not impact controls for financial reporting Uses Trust Services Principles (Security, Availability, Processing Integrity, Confidentiality, and Privacy) Includes auditors opinion, management assertion, description of system/controls and test results SOC 3 = SysTrust Result is the SysTrust/SOC 3 seal Also uses Trust Services General purpose also used for services that do not impact financial report controls

12 Type 2 operating effectiveness qualification

13 Control objectives Controls and tests

14 PERFORMING YOURDUEDILIGENCE Identify and review other forms of assurance/ compliance PCI validation ISO certification TRUSTe privacy certification Cloud Security Alliance Consensus Assessment Questionnaire BITS Supplemental Information Gathering (SIG) Questionnaire Search for customer testimonialsand online statements related to reputation and performance Visit the provider (if practical) Review service descriptions (including product marketing descriptions) Review your agreement for: Uptime guarantees / SLA Audit clauses Confidentiality assertions Compliance requirements

15 INSUMMARY Like it or not, cloud computing is a paradigm shift for IT Accompanying the shift is significant visibility and hype There are innovators and pretenders! Cloud services are only real when they developed around operational and delivery models Significant opportunity for CPAs to flexiblyoutsource non-core functions Firms must understand the service and perform proper due diligence

16 THANKYOU! Douglas W. Barbin Director BrightLine E: T: ext. 139 F: