The session was actually led by two speakers: Lisa Johnson & Geni Whitehouse.

Lisa Johnson is the CFO at TWM Associates, Inc., an IT security engineering and IA boutique. She has 26 years of experience in the combined areas of public accounting, private industry, and government contracting, focusing on financial auditing, IT auditing, Information Assurance and Treasury activities. Lisa serves on the AICPA National Accreditation Commission and previously served on the AICPA Board of Examiners and AICPA CITP Credential Committee.

Geni Whitehouse is a former software company executive who has implemented solutions from Peachtree to PeopleSoft and was instrumental in getting XBRL implemented in Navision Software. Geni is the author of “How to Make a Boring Subject Interesting: 52 Ways Even a Nerd Can Be Heard.”

What is Cloud Computing?

Cloud computing started with virtualization – “software machines within hardware machines” – Randy Johnston

As virtualization increased, it expanded out of software operating systems to include applications, services, platforms, and infrastructures, but this is NOT Cloud. Cloud computing is a combination of information systems resources that provide online web services, said Lisa.

According to Lisa, the Clouds are geographically dispersed data centers where a computing grid strives to maximize individual platform performance. The cloud consists of three different service models: PaaS, IaaS, and SaaS.

Here are the definitions of the 3 service models:

  • PaaS (Platform as a Service): ability to distribute applications created using programming languages and tools supported by the provider
  • IaaS (Infrastructure as a Service): provides processing, storage, networks, and other computing resources where the user can then distribute operating systems and applications
  • SaaS (Software as a Service): ability to use a provider’s applications through an interface such as a web browser

There are typically 4 deployment models for cloud services:

  • Public Cloud: available to the general public
  • Private Cloud: available to a single organization
  • Community Cloud: shared by several organizations
  • Hybrid Cloud: combination of two or more

Some of the concerns with Cloud Computing that Lisa and Geni went over were: Security, Ownership of data, Business Continuity, E-Discovery, and Compliance.

Before I go any further, I would like to mention a great comment that Lisa made:

“Before implementing Cloud computing, every IT manager needs to first identify the requirements and look at the business reason for the move”

It is very important to know where you are now and where you will be after getting into the Cloud!

In a recent survey by BDO Seidman, 44% of CFOs responding have resisted the shift to Cloud Computing due to security concerns, hassle, expense, and limited application features.

When evaluating Cloud Computing vendors, you need to make sure you do your own GOOD research. Do not simply rely on others and their recommendations. Your business may be different in many ways, so your demands, expectations and comfort levels are also going to be different.

Find out where your data is going to be stored, who will have access to it, and how long it will be retained on the vendor’s storage.

Make sure you ask for SAS 70 reports and third-party data center reports, and ask about ownership of data, DR procedures and promises, and auditability. Determine the desired physical security controls, and make sure you read all contractual documents!!!

Make sure that everything you want is in the final version of the contract!

When planning for the evaluation you should:

  • Define the objective and what is desired to be in the Cloud
  • Define the benefits
  • Define your trust boundaries inside and outside the Cloud
  • Determine the impact on legal, compliance, security, service agreements
  • Determine impacts on items not moving into the Cloud
  • Determine impacts on interactions to/from the Cloud
  • Determine impacts on future development SDLCs
  • Determine the impacts on communications to/from the Cloud
  • Determine security strategy for data in transmission/rest
  • Determine the impact on your Business Continuity and Contingency planning
  • Determine impacts on any non-employee interaction with your programs and data
  • Review contracts to ensure benefits are true
  • Prepare your preliminary testing strategies to ensure these are also included in your cost/benefit analysis
  • Determine the type of Cloud that is reasonable for your business
  • Evaluate Cloud service providers and their potential for longevity and movability between providers

In summary, both speakers (Lisa & Geni) wanted to stress how important it is to have a really good understanding of Cloud computing and the services that reside in the Cloud before jumping into it blindly. Cloud computing is generating a lot of hype right now, but it could be a really bad business investment for a lot of businesses.