Cloud computing
Ridwaan Boda, Director | Technology, Media and Telecommunications
Overview
• What is cloud computing?
• Types of cloud computing services
• Benefits of cloud computing
• Key risks associated with cloud computing
  • technical, financial, contractual, regulatory and other
  • the long arm of the US lawman (the CLOUD Act)
  • the South African Reserve Bank Circular on cloud computing
  • data privacy and cloud computing
• Developing a cloud strategy
• Use of AI in cloud computing
What is cloud computing?
• “cloud” refers to networks but primarily to the internet.
• traditionally, when drawing network diagrams, networks were cumbersome to depict, so engineers represented them as clouds, and in time the cloud shape was adopted as a symbol for all networks, including the internet.
What is cloud computing?
• there is no universal definition for cloud computing
• refers to the provision of computing services over a network, typically over the internet
• at its most basic it refers to users being able to access software, data and/or IT services through the internet on supplier servers rather than having and maintaining their own IT infrastructure for this purpose
• everyday examples include Gmail, iCloud, YouTube and Dropbox
Types of cloud computing services
• SaaS – Software as a Service
• IaaS – Infrastructure as a Service
• PaaS – Platform as a Service
• Cloud computing is offered through:
  • public clouds
  • private clouds
  • hybrid clouds
  • managed clouds
• Everything as a service
Why all the hype?
• 83% of enterprise workloads will be in the cloud by 2020.
• 41% of enterprise workloads will be run on public cloud platforms (Amazon AWS, Google Cloud Platform, IBM Cloud, Microsoft Azure and others) by 2020.
• An additional 20% are predicted to be private-cloud-based.
• Another 22% will be running on hybrid cloud platforms by 2020.
• On-premise workloads are predicted to shrink from 37% today to 27% of all workloads by 2020.
(Source: LogicMonitor Cloud Survey as detailed by Forbes)
• It is now and the future!
Benefits of cloud computing (in theory)
• Potential cost savings / reduced IT spend
• Scalability / elasticity: cloud users pay for the capacity they use, which can be adjusted as resource demand fluctuates
• Allows data to be portable and instantly accessible from anywhere
• Collaboration efficiency / workforce mobility
• Business continuity / improved support and maintenance
• Almost zero upfront infrastructure investment: no capex required?
• Just-in-time infrastructure
Risks and challenges to embracing the cloud
• storm clouds?
Risks and challenges to embracing the cloud
• Technical, including:
  • lack of customisation
  • network dependency
  • lack of compatibility with existing systems
  • business continuity, e.g. on insolvency of cloud providers
  • lack of stability
  • insufficient protection against malicious and unwanted software
  • loss of control
  • cybersecurity
• Contractual:
  • not always negotiable
  • poor service levels
  • onerous vendor contractual provisions
  • supplier lock-in
  • liability clauses not favourable
Risks and challenges to embracing the cloud
• Financial:
  • network costs
  • non-scalable models
  • bundled or “tied” purchases
  • professional services costs
  • data migration costs
  • licensing models not always favourable – per user, per named user, volume-based
  • switching costs
  • hidden costs
Risks and challenges to embracing the cloud
• Other risks:
  • supplier lock-in (non-contractual)
  • lack of transparency
  • sharing of infrastructure / mixing of data
  • post-termination transfers and risks
  • IP issues when migrating
  • lack of experience / knowledge
  • lack of audit rights / weak audit rights
• Regulatory:
  • access to data by foreign authorities (e.g. the CLOUD Act)
  • regulatory hurdles and constraints (e.g. the SARB Directive and Guidance Note)
  • data protection
Regulatory – US CLOUD ACT
• SA companies are concerned about access by foreign governments
• The Patriot Act already has far-reaching implications
• The Clarifying Lawful Overseas Use of Data Act or CLOUD Act (H.R. 4943) is a United States federal law enacted in 2018
• Through the CLOUD Act, U.S. law enforcement officials at any level, from local police to federal agents, can force tech and other companies to turn over user data regardless of where the company stores the data.
• The CLOUD Act also gives the US executive branch the ability to enter into “executive agreements” with foreign nations, which could allow each nation to get its hands on user data stored in the other country, no matter the hosting nation’s privacy laws.
• Some larger cloud companies can appear to be trustworthy providers if they have data centres located in South Africa. But location means nothing if these companies are American-owned.
Cloud computing directive D/3
Isaivan Naidoo, Director | Technology, Media and Telecommunications
Directive D3/2018
• Directive issued by the SARB regarding cloud computing and the offshoring of data
• The Directive sets forth the SARB requirements and related considerations for cloud computing and for the offshoring of data, and must be read with Guidance Note 5/2018
• Definition of cloud computing under D3:
  • a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction
• Offshoring of data refers to the storage and/or processing of data outside the borders of RSA
Directive 3
• The SARB expects banks to follow a risk-based approach:
  • bank's risk appetite
  • nature and size of the bank's operations
  • when implementing any cloud computing or offshoring of data
• Banks are directed to:
  • comply with all the requirements set forth in this directive
  • provide the SARB with material information related to their cloud computing and offshore data arrangements
  • refer any uncertainty in respect of any matter under this directive to the SARB for further clarification
• The Directive requires that:
• Banks must have in place a formally defined and board-approved data governance framework
• A clearly defined policy which is aligned to the bank's business strategy and linked to its risk appetite
• Oversight of cloud computing and offshoring of data must be incorporated into governance structures and processes within the bank
• Risk and control frameworks must be designed to operate efficiently in order to manage the risks
• Prior to implementing any cloud computing or offshoring of data, the bank must assess whether the risk involved falls within its risk appetite
• Prior to implementing any cloud initiative, a due diligence should be undertaken
• Measures must be instituted to ensure the confidentiality, integrity and availability of the bank's data
• Banks must remain compliant with all applicable legislation, both locally and in any country where the cloud service or data is hosted
• The use of the cloud service or offshoring of data must in no way infringe on a bank's regulatory access to information, nor must it prevent any bank regulator's ability to fulfil their duty
• Banks must ensure that they have contingency plans to continue to meet their core obligations despite any cloud services or offshoring of data
• IP rights and contractual rights to data must not be compromised. Data must always be in a usable, readable and portable state, even when the cloud contract is terminated
• Cloud computing arrangements or offshoring of data must not prevent the bank from conducting any audit or investigation
• A legally binding agreement must document the cloud service or offshoring data service
Guidance Note
• The Guidance Note was issued by the SARB to give guidance to the banks in order to meet the directives identified above. Banks must consider classification of data, materiality of the activity outsourced, level of risk, and mode and form of cloud computing and offshoring of data. A bank's data strategy should include at the very least:
  1. the manner in which the bank classifies its data;
  2. the jurisdictions in which the data may be stored;
  3. which service and deployment models are applicable to the classifications of data;
  4. which security requirements will apply to the different data classifications; and
  5. the process in respect of the bank's data loss and breach requirements.