cloud computing Ridwaan Boda Director | Technology, Media and - - PowerPoint PPT Presentation

SLIDE 1

cloud computing

Ridwaan Boda Director | Technology, Media and Telecommunications

SLIDE 2

Overview

  • What is cloud computing?
  • Types of cloud computing services
  • Benefits of cloud computing
  • Key risks associated with cloud computing
      • technical, financial, contractual, regulatory and other
      • the long arm of the US lawman (the CLOUD Act)
      • the South African Reserve Bank Circular on cloud computing
      • data privacy and cloud computing
  • Developing a cloud strategy
  • Use of AI in cloud computing

SLIDE 3

What is cloud computing?

  • “cloud” refers to networks but primarily to the internet.
  • traditionally, when drawing network diagrams, networks were cumbersome to depict so engineers represented them as clouds and in time the cloud shape was adopted as a symbol for all networks, including the internet.

SLIDE 4

What is cloud computing?

SLIDE 5

What is cloud computing?

  • there is no universal definition for cloud computing
  • refers to the provision of computing services over a network, typically over the internet
  • at its most basic it refers to users being able to access software, data and/or IT services through the internet on supplier servers rather than having and maintaining their own IT infrastructure for this purpose
  • everyday examples include Gmail, iCloud, YouTube and Dropbox

SLIDE 6

Types of cloud computing services

  • SaaS – Software as a Service
  • IaaS – Infrastructure as a Service
  • PaaS – Platform as a Service
  • Cloud computing is offered through:
      • public clouds
      • private clouds
      • hybrid clouds
      • managed clouds
  • Everything as a service

SLIDE 7

Why all the hype?

  • 83% of enterprise workloads will be in the cloud by 2020.
  • 41% of enterprise workloads will be run on public cloud platforms (Amazon AWS, Google Cloud Platform, IBM Cloud, Microsoft Azure and others) by 2020.
  • An additional 20% are predicted to be private-cloud-based
  • Another 22% running on hybrid cloud platforms by 2020.
  • On-premise workloads are predicted to shrink from 37% today to 27% of all workloads by 2020.

(Source: Logic Monitor Cloud Survey as detailed by Forbes)

  • It is now and the future!

SLIDE 8

Why all the hype?

SLIDE 9

Benefits of cloud computing (in theory)

  • Potential cost savings / reduced IT spend
  • Scalability / elasticity: cloud users pay for the capacity they use, which can be adjusted as resource demand fluctuates
  • Allows data to be portable and instantly accessible from anywhere
  • Collaboration efficiency / workforce mobility
  • Business continuity / improved support and maintenance
  • Almost zero upfront infrastructure investment, no capex required?
  • Just-in-time infrastructure

SLIDE 10

Risks and challenges to embracing the cloud

  • storm clouds?
SLIDE 11

Risks and challenges to embracing the cloud

  • Technical including:
      • lack of customisation
      • network dependency
      • lack of compatibility with existing systems
      • business continuity e.g. on insolvency of cloud providers
      • lack of stability
      • insufficient protection against malicious and unwanted software
      • loss of control
      • cybersecurity
  • Contractual:
      • not always negotiable
      • poor service levels
      • onerous vendor contractual provisions
      • supplier lock-in
      • liability clauses not favourable

SLIDE 12

Risks and challenges to embracing the cloud

  • Financial:
      • Network costs
      • Non-scalable models
      • Bundled or “tied” purchases
      • Professional services costs
      • Data migration costs
      • Licensing models not always favourable – per user, per named user, volume-based
      • Switching costs
      • Hidden costs

SLIDE 13

Risks and challenges to embracing the cloud

  • Other Risks:
      • supplier lock-in (non-contractual)
      • lack of transparency
      • sharing of infrastructure / mixing of data
      • post termination transfers and risks
      • IP issues when migrating
      • lack of experience / knowledge
      • lack of audit rights / weak audit rights
  • Regulatory:
      • access to data by foreign authorities (e.g. the CLOUD Act)
      • regulatory hurdles and constraints (e.g. the SARB Directive and Guidance Note)
      • data protection

SLIDE 14

Regulatory – US CLOUD ACT

  • SA companies concerned about access by foreign governments
  • Patriot Act already has far reaching implications
  • The Clarifying Lawful Overseas Use of Data Act or CLOUD Act (H.R. 4943) is a United States federal law enacted in 2018
  • Through the CLOUD Act, U.S. law enforcement officials at any level, from local police to federal agents, can force tech and other companies to turn over user data regardless of where the company stores the data.
  • The CLOUD Act also gives the US executive branch the ability to enter into “executive agreements” with foreign nations, which could allow each nation to get its hands on user data stored in the other country, no matter the hosting nation’s privacy laws.
  • Some larger cloud companies can appear to be trustworthy providers if they have data centres located in South Africa. But location means nothing if these companies are American-owned.

SLIDE 15

cloud computing directive D/3

Isaivan Naidoo Director | Technology, Media and Telecommunications

SLIDE 16

Directive D3/2018

  • Directive issued by the SARB regarding cloud computing and the offshoring of data
  • The Directive sets forth the SARB requirements and related considerations for cloud computing and for the offshoring of data and must be read with the guidance note 5/2018
  • Definition of cloud computing under D3
      • As a model for enabling convenient, on demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction
  • Offshoring of data refers to the storage and/or processing of data outside of the borders of RSA

SLIDE 17

Directive 3

  • The SARB expects banks to follow a risk based approach:
      • Bank's risk appetite
      • Nature and size of the bank's operations
      • When implementing any cloud computing or offshoring of data
  • Banks are directed to:
      • Comply with all the requirements set forth in this directive
      • Provide the SARB with material information related to their cloud computing and offshore data arrangements
      • Refer any uncertainty in respect of any matter under this directive to the SARB for further clarification

SLIDE 18
  • The Directive requires that:
      • Banks must have in place a formally defined and board approved data governance framework
      • Clearly defined policy which is aligned to the bank's business strategy and linked to its risk appetite
      • Oversight of cloud computing and offshoring of data must be incorporated into governance structures and processes within the bank
      • Risk and control frameworks must be designed to operate efficiently in order to manage the risks
      • Prior to implementing any cloud computing or offshoring of data the bank must assess whether the risk involved falls within its risk appetite

SLIDE 19
  • Prior to implementing any cloud initiative a due diligence should be undertaken
  • Measures must be instituted to ensure the confidentiality, integrity and availability of its data
  • Remain compliant with all applicable legislation both locally as well as in any country where the cloud service or data is hosted
  • The use of the cloud service or offshoring of data must in no way infringe on a bank's regulatory access to information nor must it prevent any bank regulator's ability to fulfill their duty
  • Banks must ensure that they have contingency plans to continue to meet their core obligations despite any cloud services or offshoring of data

SLIDE 20
  • IP rights and contractual rights to data must not be compromised. Data must always be in a usable, readable and portable state even when the cloud contract is terminated
  • Cloud computing arrangements or offshoring of data must not prevent the bank from conducting any audit or investigation
  • A legally binding agreement must document the cloud service or offshoring data service

SLIDE 21

Guidance Note

  • The Guidance Note was issued by the SARB to give guidance to the banks in order to meet the directives identified above. Banks must consider classification of data, materiality of the activity outsourced, level of risk, mode and form of cloud computing and offshoring of data. A bank's data strategy should include at the very least:
      1. the manner in which the bank classifies its data;
      2. the jurisdictions in which the data may be stored;
      3. which service and deployment models are applicable to the classifications of data;
      4. which security requirements will apply to the different data classifications; and
      5. the process in respect of the bank's data loss and breach requirements.

SLIDE 22

Guidance Note

  • Put simply, the bank must put in place a strategy as well as formal policies and robust contracts to ensure that the service provider rendering the cloud services or offshoring of data takes steps to assist the bank in its compliance efforts. Some of the suggested proactive steps that banks should adopt are set forth below:
      1. first conduct a due diligence of the supplier, know your supplier, cut through the sales talk and glossy marketing material;
      2. review the contract terms and ensure that such terms address inter alia data security, data sovereignty, security standards, data backups, audit rights and data recovery in addition to other negotiated terms that are best practice for cloud transactions;
      3. scrutinize the vendor's standard terms; do not just accept what is put in front of you without checking how the vendor will assist with ensuring that the bank remains compliant. This is also in keeping with sound IT corporate governance;
      4. ensure that as an organization you are acutely aware of what data is being processed or offshored. This can only be accomplished by implementing an enterprise wide sound data strategy; and
      5. ensure as a bank sound policies and procedures exist in order to benchmark any vendor cloud offering against not only the aforementioned directive but also against the bank's own risk appetite.

SLIDE 23

Your Cloud Strategy

SLIDE 24

Your Cloud Strategy

  • First, take one step back:
      • Reminder: IT Governance is a Board imperative
      • Is Cloud a commodity?
      • Your data is NOT a commodity
  • Ingredients of a dangerous cocktail:
      • Ignoring IT Governance
      • The “I Accept” Button
      • The Corporate Credit Card
      • Supplier Terms and Conditions not vetted / no risk analysis conducted
      • A “cowboy” IT guy

SLIDE 25

Your Cloud Strategy

  • Know your supplier
  • Deal with data risks
  • Ensure that you receive a quality service
  • Understand the total costs of the transaction
  • Cyber Insurance
  • Contracting process
  • Understanding set up and migration risks

SLIDE 26

Your Cloud Strategy

know your supplier

  • cut through the sales talk
  • due diligence
  • subcontractors
  • client testimonials
  • site inspections
  • proof of concept
  • review terms and conditions
  • other mechanisms
  • policies and procedures

SLIDE 27

Your Cloud Strategy

data – the new oil!

  • Migration and migration costs
  • location
  • data export restrictions / data sovereignty
  • handling personal information
  • integrity
  • Security (including testing)
  • back ups and retention
  • Accessibility - authentication
  • dealing with requests – regulatory, customer and PAIA
  • regulatory compliance (including POPI)
  • transfers upon termination (including metadata)
  • policies and procedures – including sensitive databases, cybersecurity / off-site hosting, remote access, password policies, data retention policies, BYOD, data request procedures, security compromises policy
  • POPI – Operator Agreement / GDPR – Data Processor Agreement

SLIDE 28

Your Cloud Strategy

ensuring quality

  • service levels –
  • you get what you pay for!
  • availability
  • call logging?
  • support?
  • reporting?
  • redundancy
  • DR and BCP
  • audit rights
  • contractual mechanisms such as warranties
SLIDE 29

Your Cloud Strategy

  • financials –
      • Understand set up costs
      • importance of negotiation
      • minimum volume commitments?
      • billing accuracy
      • billing terms
      • total cost - pay-as-you-go versus committed costs
      • indirect costs
      • Cloud / cyber insurance
  • Other issues to be addressed
      • audit rights – regulated industries such as banks
      • open source software
      • IPR (including third party software restrictions)
      • liability provisions and exclusion clauses
      • termination provisions
      • termination / expiration assistance….transition services

SLIDE 30

Your Cloud Strategy

Contracting Process

  • importance of a strong contract
  • vendor or customer’s paper?
  • importance of backing up with your own policies and procedures
  • monitoring, governance and enforcement
  • Reporting
  • having your own risk matrix – essential!

SLIDE 31

ENSafrica’s Cloud Risk Matrix

  • Developed on a compare, comply and explain basis – ie gap analysis
  • Factors in risk assessment on all risks identified
  • Factors in your company's specific policies
  • Used as a basis for crafting own agreement or determining mark ups to supplier agreement
  • Documents your key risks

SLIDE 32

Artificial intelligence in Cloud

Rakhee Dullabh

SLIDE 33

2019 predictions

  • Among companies that adopt AI technology, 70% will obtain AI capabilities through cloud-based enterprise software
  • 65% will create AI applications using cloud-based development services
  • By 2020, enterprise software with integrated AI and cloud-based AI platforms will reach an estimated 87%

SLIDE 34

What is artificial intelligence?

“The theory and development of computer systems able to perform tasks normally requiring human intelligence, such as visual perception, speech recognition, decision-making, and translation between languages.”

SLIDE 35

  • Machine vision
  • Speech processing
  • Robotics
  • Natural language processing
  • Machine learning
  • Expert System

SLIDE 36

The intersection of Cloud and AI

  • Salesforce and Einstein – Learns from all that data to deliver predictions and recommendations based on your unique business processes.
  • SAP and S/4 Hana Cloud – AI system that can be integrated with chat to offer automated support to customers by offering in-context chat that utilizes SAP’s uniquely interlinked system.
  • CrowdStrike – Use cloud analytics to stop advanced threats and harness the power of big data and AI to empower customers with instant visibility and protection across the entire threat lifecycle

SLIDE 37

Concluding Remarks

“(T)he rise of the cloud is more than just another platform shift that gets geeks excited. It will undoubtedly transform the information technology industry, but it will profoundly change the way people work and companies operate. It will allow digital technology to penetrate every nook and cranny of the economy and of society, creating some tricky political problems along the way.” – The Economist

  • loads of benefit in entering the cloud but not without risk
  • a well developed cloud strategy and risk management practice is essential
  • Importance of contracts, policies and procedures – ie matrix
  • training and awareness is critical before embracing the cloud