Cloud Security

Audit and compliance issues can vary depending on the type of cloud computing you’re considering implementing. For example, infrastructure-as-a-service generally gives the customer a great deal of control. On the other hand, software-as-a-service locks down processing on the vendor’s site, application features are mostly standard, and customization is generally limited.

So it is interesting to note that in a recent InformationWeek Analytics survey, more than half of the SaaS users (54%) indicated that, in terms of their comfort level with the service’s overall auditability and compliance features, they were “as comfortable as we are with our internal systems.” Another 8% claimed they were “more comfortable.”

Of course, a not insignificant percentage, almost a third (31%), said they were “less comfortable” with the service’s audit and compliance features when compared with their own systems. (Puzzlingly, 7% answered “don’t know.”)[i]

Cloud Risk Landscape?

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.[ii] The characteristics of cloud computing lead to enormous opportunities as well as risks. The key concerns relate to loss of control, security, integrity, privacy and availability. The auditor needs to understand the cloud risk landscape for effective and efficient auditing.

Depending on whether the cloud provides SaaS, Platform as a Service (PaaS) or Infrastructure as a Service (IaaS), the risk and audit scenario could be different for each case. Also, a great deal depends on whether the cloud services are provided by an internal cloud or an external cloud. However, it is not too early for IT auditors to begin monitoring cloud developments so that they grasp the changing risks in a timely manner. The risk areas to watch include:

  • Authentication
  • Privileged User Access
  • Data security and privacy
  • Interfacing with internal systems
  • System availability
  • Business continuity
  • Ownership of content and other legal requirements
  • Regulatory compliance
  • Long term viability
  • Control Environment[iii]

Because clouds are “shared” by many customers using the electronic highway, it is crucial that IT auditors and control experts pay attention not just to protection and security within the perimeter, but also to the highway itself.

[i] http://www.informationweek.com/cloud-computing/blog/archives/2010/05/auditability_an.html

[ii] Effectively and Securely Using the Cloud Computing Paradigm, Peter Mell & Tim Grance, NIST, Information Technology Laboratory, 10-7-2009

[iii] http://www.isaca.org/Journal/Past-Issues/2010/Volume-1/Pages/Risk-Landscape-of-Cloud-Computing1.aspx?Token=49EEC659-2F72-473C-B78C-0A85BFDD829B – V. Raval