{source} <iframe vheight="3280px" height="500px" width="100%" src="/VirtualizationCloudImpacts/index.htm" ></iframe> {/source}

View this presentation full screen.  

People often want to capture some of the content from these slides.  Here's the text output of outline view. 

Virtualization and Cloud Essentials™  Readiness, An Auditor Spin
CompTIA™  & ITpreneurs Certification Readiness and Auditor Centric Discussion, Presented by Robin Basham
Your Context
Key cloud concepts & terminology
Standards and Frameworks for Cloud Implementation, Audit and Security
Implications for Information Technology Service Management (ITSM)
Security and legal aspects of governance
Outline steps to:
Increase success rate implementing cloud computing,
improve in-house cloud competencies,  decrease dependence on external consultants and services  
Cloud and virtualization project components
Cloud will create 14 Millions Jobs by 2014
Cloud Computing Definition
National Institute of Standards and Technology 
(NIST Special Publication 800-145 (Draft)
Model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services)
Rapidly provisioned and released with minimal management effort or service provider interaction
Composed of 5 essential characteristics, 3 service models, and 4 deployment models.
Source: http://www.nist.gov/itl/csd/cloud-020111.cfm
What Is Cloud Computing? Essential Characteristics
3 Service Models, SaaS, PaaS, IaaS
4 Deployment Models
1.Private cloud. The cloud infrastructure is operated solely for an organization.
2.Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations).
3.Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
4.Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).
The Test Answer: What is Cloud?
1.On-demand self-service: A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service’s provider.
2.Broad network access: Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).
3.Resource pooling: The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location-independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.
4.Rapid elasticity: Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out, and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.
5.Measured Service: Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.
To Have a Conversation about Cloud, there are Three Terms We Will Say A Lot
Virtualization: Abstractions compute services away from their physical hardware and allow them to be treated as data. (The technology)
Cloud: Builds on this abstraction by allowing services to be flexibly sourced from a number of providers and delivered over a number of channels. (The business)
Asset Efficiency: Resulting savings from buying, housing, and supporting fewer devices, (a.k.a benefit of Virtualization)
Camps Debate Over The Safety Of Cloud Computing

Auditors and the business must

Refine existing risk scenarios,
Address new areas of configuration management,
Modify change policies
Align with new regulations

Cloud and Virtualization pose unprecedented business value

Companies that rush to leverage cost savings, however, are also likely to experience our next biggest losses of all time.
Business and Government are already heavily invested
You’re Already in the Cloud 
– Let’s Talk About What that Means to IT Audit
Security and Legal Aspects Issues Affecting Privacy
Privacy and Security In US & Global Laws, Frameworks and Standards
Who’s Working on This?
Cloud Security Alliance Training
National Institute of Standards and Technology (NIST)
European Network and Information Security Agency (ENISA)
Common Assurance Maturity Model (CAMM)
International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) Joint Technical Committee 1 / Subcommittee 27 and 38 (ISO/IEC JTC1/SC 27 and 38)
Information Systems Audit and Control Association (ISACA)
ITU Telecommunication Standardization Sector (ITU-T)

(reprinted from August 2011 – Becky Swain, Co-Founder/Chair, CSA CCM, Board Member, CSA Silicon Valley Chapter)

Critical ISACA Resource enable Cloud Audit
Planning and Scoping the Audit
Governing the Cloud
Operating in the Cloud
ISACA Cloud Audit Methodology, in three domains, 17 controls, and 140 detail testing objectives.  Every test is mapped to CobiT
Mapping Cloud Assurance to Existing CobiT Assessment
Standards Referenced – Refresh ITIL Lifecycle Stages, ISACA, NIST and CSA
Service Management - (ITIL):
Cloud computing as a set of technologies and an approach to IT service delivery
Governance – (COBIT):
Detailing ways that risks should be mitigated such that investments generate value
Information Security- (ISO/IEC 27001):
“Risk Management or Governance” through specific “Policy” where information security ensures that information in the cloud is safe and secure
NIST http://www.enterprisegrc.com/index.php?option=com_wrapper&view=wrapper&Itemid=160
Cloud Security Alliance Https://Cloudsecurityalliance.Org/
ISACA -  Controls Assurance In The Cloud  http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/IT-Control-Objectives-for-Cloud-Computing-Controls-and-Assurance-in-the-Cloud.aspx
Virtualization is an enabling technology
Virtualization is an enabling technology for cloud computing and cloud computing services.
For cloud computing to occur, it is necessary to separate resources from their physical location. Without virtualization, the cloud becomes very difficult to manage.
Cloud computing is a business model where ownership of physical resources rests with one party, and the service users are billed for their real use. An organization can use virtualization for internal customers. Cloud computing presupposes external service users.
The Cloud Model is a transformation in how IT is delivered.
Business Impact
Business value can be something positive that has been added, but it can also be something negative that is reduced.
When considering Cloud and Virtualization, here are some of the business and IT concerns.
CapEx and OpEx – Reasons for Using Cloud Providers
Cloud providers can deliver lower cost because they enjoy economies of scale. Clients don't have to purchase large amounts of hardware; instead, they are able to invest in cost-saving operational procedures, which are easy to justify.
Business Value in Virtualization
Discussion Perspectives: User, Vendor, and Technology
User Perspective: involves some of the following goals of technology and business:
New Tools, New Processes, New RunBooks
 – Asset, Release, Patch, Backup Restore, and Monitor
The introduction of virtualization brings many changes that need to be reflected in the tools that administrators use to manage systems. Some examples of the types of changes that need to be addressed include:
Servers and workstations no longer are tied to a particular, known location.
Releasing software patches is different in a virtual environment.
Backup and restore  -  central location as opposed to execution on the machine.
Monitoring tools that are used to correlating hardware and software events may no longer understand where dependencies lie.
In addition, each virtual platform has its own management tools, which need to be integrated into operations.
Virtualization Simplifies Application Development Process
Cloud Journey – IT Operational Viewpoint
Types of Infrastructure, Network and Site Risk
Risks and Actions to Mitigate in Enterprise Virtualization
Strategic Drivers
Programmers are no longer able to take advantage of this much power with conventional programming techniques. This was earthshaking news back in 2005 when it seemed that programmers would all have to be retrained, or the new hardware would remain underutilized.
Applications increasingly need to be concurrent in order to fully exploit the continuing exponential CPU throughput gains. Concurrent programming is complicated, subtle, and requires both training and experience.
Virtualization allows us to keep these incredibly fast machines busy with programs written by normal programmers without these specialized skills. In large part, this factor is what is behind the recent acceleration of virtualization.
Concerns and Solutions - Three Camps
When introducing adoption of virtualization, people should have some concerns.
Enabling  the Technology Journey

Virtualization and cloud computing are steps on a journey towards a more flexible and cost-efficient way of delivering IT. To move physical hardware and software to the cloud, a transition in IT Delivery must be made. The move will require new expertise, processes, and technologies.

Cloud & Virtualization Concerns and Solutions
IT Delivery Requirements and Strategic Consideration
Moves from physical to virtual space requires changes in people and technology, mandating virtualization specialists, shared hardware, and hypervisors.  (People and Technology)
Physical to Virtual Space – IT Delivery  (People)
You need Sourcing Expertise and Common IT Business Strategy, as well as Federation and Security processes. Cloud management platforms must be adopted, and people should think about service and not hardware.
Physical to Virtual Space – IT Delivery 
Common Challenges, Federation, Security  (Process)
Common Benefits: Service Model for Platforms and  the overall Service Catalogue (Technology)
Virtualization and cloud computing share  People Benefits
Virtualization and cloud computing share the need for cross-silo expertise, dynamic environments, usage metering, self-service, automation, and management tools.
Virtualization and cloud computing share Process Benefits
Virtualization and cloud computing share Technology  Challenges and Benefits
Virtualization is Not Appropriate for All Cases
There are a number of considerations when evaluating a candidate for virtualization, and for determining whether the time is right for making the leap.  Organizational considerations for assessing virtualization readiness include the need for:
Organizational Readiness
Virtualization is Not Appropriate for All Cases
Process considerations for assessing virtualization readiness include a service management culture, difficulty sharing among business units, and weak processes and controls.
Process Readiness – CobiT Maturity DS3, DS1, DS8
Virtualization is Not Appropriate for All Cases
Technological considerations for assessing virtualization readiness include:
Endemic poor utilization,
lifecycle management problems,
highly utilized infrastructure,
input/output – intensive application,
third-party support issues, and
custom hardware dependency.
Technology Readiness
Data Center Virtualization Characteristics
Regardless of whether the applications need the resources at any given time,
the typical corporate data center is full of expensive equipment, most of which is dedicated to specific applications. 
Workplace Virtualization Characteristics
In the workplace, virtualization also applies to the familiar workplace environment of personal computers and desktop applications. A typical workplace has a large number of computers scattered throughout the premises, each needing to be managed and kept current with the latest software.
It is important to note that when we say workplace we are focused on the desktop and mobile data applications in the workplace. While concepts in virtualization also apply to other aspects of the workplace such as the physical office, telephones, and meeting rooms, those are not specifically covered in this course.
Return on Investment in Adopting Virtualization
Underpinned by common management tools and processes
All aspects of systems management must account for virtualization. Not only must the chosen set of virtualization technologies itself be managed as a platform, but the enterprise tools associated with
Incident And Problem Management
Inventory Management, and
Software Development And Releases, must all be integrated to ensure that they work well in a virtual environment.
Although it is possible to treat virtual infrastructure as if it were only physical infrastructure and not change the organization's way of working, this eliminates much of the benefits of virtualization in the first place.
Adopting a new, virtual, infrastructure operating model is critical to achieving Return on Investment (ROI).
Audit Watch for Migration Problems
IP addresses might need changing in configuration files and certificates might need to be updated.
Issues that are expressly problematic for virtualization include requirements for particular hardware, such as hardware dongles or RS232 connections. 
Applications with very high I/O requirements, life-critical applications, and real-time applications, such as applications that have interfaces to special hardware with demanding time requirements.
If an application is consuming a large amount of CPU or memory resources, it might not be a candidate for consolidation even if it can be virtualized.
Benefits likely to still outweigh the risk: downtime avoidance, disaster recovery, and increased availability.
ITIL Glossary
Vendor Landscape
Virtualization was a new software category a decade ago when VMware introduced its first products. Today, there are a number of leaders on the market, providing software suites that help virtualized data centers. VMware remains the market leader today, with Microsoft and Citrix rounding off the top three in terms of the number of licenses shipped.
It is important for corporate users to understand the competitive landscape to select the right vendor for their needs and to negotiate the best terms for the total cost of the new capability.
Many vendors provide the virtualization technology and solutions, and all of them both compete and cooperate to a great extent. Recently, there has been a tremendous run of acquisitions as major players fortify their virtualization capabilities. As you learn about the details of data center and workplace virtualization, keep in mind that this industry is immature and evolving rapidly. Learn about the vendors and educate yourself so that you can make the right decisions about where to invest your company's efforts.
Since we only had one hour, there were a lot of topics we couldn’t discuss.  Let’s keep the dialogue going on Facebook, LinkedIn, and Twitter.

Thanks for your time

Some of this presentation was a sample of content found in Cloud Essentials™  and Virtualization Essentials™  Curriculum.  Some views and all graphics are the copyright of EnterpriseGRC Solutions™ .  For more information about copyrighted content from CompTIA™  and ITpreneurs™ , please visit  enterprisegrc.com
EntepriseGRC Solutions™ is an Itpreneurs partner, Member of the Cloud Credential Council and  (ten years) sponsor to the ITGI™.  EnterpriseGRC Solutions is also recently named to the education board of Holistic Information Security Practitioners hisp.org
Counterfeit Reader Access Performance CRAP
Controlling Risk in Virtualized Environments
Controlling Risk in Virtualized Environments session points to a few practical education and Information Technology approaches providing strategies for effective risk management in Virtualization and Cloud adoption. 
Please visit www.enterprisegrc.com to find more.
If there was something you missed, check out our facebook page, because many ideas and images will also be there.