HIPAA AUDITING IN CLOUD COMPUTING ENVIRONMENT: Improving Health Through Research


The purpose of this thesis is to explain the importance of HIPAA and to research what it takes for healthcare data to be HIPAA compliant. It also explains what is expected of healthcare organizations if there is an audit, and how HIPAA auditing plays a large part in HIPAA compliance.

PARSHANT TYAGI, 7/1/2013

HIPAA AUDITING IN CLOUD COMPUTING ENVIRONMENT

A DISSERTATION submitted in partial fulfilment of the requirements for the award of the degree of MASTER OF TECHNOLOGY in COMPUTER NETWORK ENGINEERING

by PARSHANT TYAGI (En. No. GE )

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING, GRAPHIC ERA UNIVERSITY, DEHRADUN (INDIA)
JULY, 2013

DEDICATED TO my beloved parents, Shri. Anand Tyagi and Smt. Trishla Tyagi, and my elder brother Vinay Kumar

Graphic Era University, 566/6, Bell Road, Clement Town, Dehradun, Uttarakhand

CANDIDATE'S DECLARATION

I hereby certify that the work which is being presented in the dissertation entitled HIPAA AUDITING IN CLOUD COMPUTING ENVIRONMENT, in partial fulfillment of the requirements for the award of the Degree of Master of Technology in Computer Network Engineering and submitted in the Department of Computer Science and Engineering of the Graphic Era University, Dehradun, is an authentic record of my own work carried out during the period from August 2012 to July 2013 under the supervision of Mr. Bhanu P. Dubey, Assistant Professor, Department of Computer Science and Engineering of the Graphic Era University, Dehradun. The matter presented in this dissertation has not been submitted by me for the award of any other degree of this or any other Institute.

(PARSHANT TYAGI)

This is to certify that the above statement made by the candidate is correct to the best of my knowledge.

Signature, Head of Department
(Mr. Bhanu P. Dubey), Supervisor

The Viva-Voce examination of Mr. Parshant Tyagi has been held on

Signature of Internal Examiner / Signature of External Examiner

ABSTRACT

The rise of cloud computing has been driven by its benefits: it is the cheapest purveyor of application hosting, storage and infrastructure, and it offers large cost savings with low initial investment, elasticity and scalability, ease of adoption, operational efficiency and on-demand resources. With all the security and privacy laws in the healthcare field today, anyone who works with confidential information should know how to protect it. The Health Insurance Portability and Accountability Act (HIPAA) privacy and security regulations are two crucial provisions in the protection of healthcare data. Governance, compliance and auditing are becoming as important subjects as long-established financial auditing and financial control, and designing sound IT governance, compliance and auditing is a challenging task. This thesis elaborates the concept of HIPAA compliance in cloud computing by looking at its history and dynamics and at how cloud computing changes certain parts of the HIPAA security requirements. We briefly describe cyber warfare as a premise to reinforce the reasons for complying with government regulations for information systems. The purpose of this thesis is to explain the importance of HIPAA and to research what it takes for healthcare data to be HIPAA compliant; it also explains what is expected of healthcare organizations if there is an audit, and how HIPAA auditing plays a large part in HIPAA compliance.

The cloud is a platform where users not only store their data but also use the services and software provided by the Cloud Service Provider (CSP). The service provided by the cloud is very economical because the user pays only for what he uses. It is a platform where data owners remotely store their data to enjoy high-quality services and applications; the user can access the data, store the data and use the data. In the corporate world there are a large number of clients accessing and modifying their data. To manage this data a third party auditor (TPA) is used, which checks the reliability of the data but increases the data integrity risk for the data owner: since the TPA can not only read the data but also modify it, a novel approach is needed to solve this problem. We first examine the problem and then a new security scheme used to solve it. Our algorithm encrypts the content of a file at the user level, which assures the data owner and the client that their data is intact.

ACKNOWLEDGMENTS

By the grace of God, the most benevolent and merciful, I have completed the dissertation work entitled HIPAA Auditing in Cloud Computing Environment. It is a fact that to achieve any grand success, one needs proper guidance. For this, I would like to express my whole-hearted feeling and special thanks to all those who have been associated with the accomplishment of this work and helped me directly or indirectly to complete this dissertation work. I wish to express my most sincere and profound gratitude to Mr. Bhanu P. Dubey, my honorable supervisor. His constructive criticism, constant encouragement, whole-hearted generosity and selfless interest helped me in all my endeavors. Without his help, the completion of this dissertation would not have been possible. At the same time, I am grateful to my co-supervisor, Prof. Emmanuel Shubhakar Pilli, for his timely help and suggestions regarding my dissertation. I would like to extend my gratitude to Mr. D. Bordoloi, HOD, and Dr. Santosh Kumar, Coordinator, Department of Computer Science & Engineering, G.E.U., Dehradun, for providing various facilities during the study. Last but not least, I express my deep regards and thanks to my family and my friends for their sustained inspiration and encouragement.

(Parshant Tyagi)

CONTENTS

Candidate's Declaration i
Abstract ii
Acknowledgements iii
Contents iv
List of Abbreviations vi
List of Figures vii
List of Publications viii

Chapter 1 INTRODUCTION
HIPAA in cloud environment
Compliance and Audit
HIPAA
Problem statement 5

Chapter 2 LITERATURE SURVEY
Motivation
Security Compliance in cloud
Why Security Compliance
Challenges in Automating Security Compliance Check
Compliance and Audit in cloud
Research Gaps

Chapter 3 HIPAA
HIPAA Background
HIPAA Titles
HITECH Act
Cyber Warfare
Compliance Issues
Cyber Attacks
Governance and regulations in HIPAA
Data Disclosure
Business Continuity
HIPAA and Network Security
The HIPAA Security Rule
Health Care Providers
HIPAA Compliance
HIPAA Audits
Role of audit

Chapter 4 DESIGN AND IMPLEMENTATION
Proposed Work
Eucalyptus Setup
Accessing Admin Eucalyptus Account
Eucalyptus User Console
Log Forensic
Fault Logs
Log Format
Eucalyptus Log files
Third party auditor model for HIPAA data security
Algorithm when modifying records
Comparison
Results

Chapter 5 CONCLUSION AND FUTURE WORK 47
References 48

LIST OF ABBREVIATIONS

CIA: Confidentiality, Integrity and Availability
CSA: Cloud Security Alliance
CSM: Cloud Security Monitoring
CCM: Cloud Control Matrix
CSP: Cloud Service Provider
DHHS: Department of Health and Human Services
EHR: Electronic Health Record
E-PHI: Electronic Protected Health Information
FISMA: Federal Information Security Act
HITECH: Health Information Technology for Economic and Clinical Health
PCI: Payment Card Industry
SOX: Sarbanes Oxley Act
TPA: Third Party Auditor

LIST OF FIGURES

HIPAA Titles
Objective of HIPAA
Audit and Evaluation for Compliance
Cloud Audit Architecture
Audit information is accessible from several different sources
Eucalyptus Architecture
Confirm security exception
Sign in to Eucalyptus cloud
First time login
Admin Console Confirmation
User Console
Eucalyptus Boot Log
CC Logs
Audit Logs
Model for TPA, Client and Cloud Service Provider
Algorithm for TPA, Client and Cloud Service Provider
Authors and paper detail description
Client request to CSP
CSP asks client for authentication
Verify password; if correct, send the file that he wants to access

PUBLICATIONS

[1] Parshant Tyagi, Navdeep Aggarwal, Bhanu P Dubey and Emmanuel S Pilli. Article: HIPAA Compliance and Cloud Computing. International Journal of Computer Applications 70(24):29-32, May. Published by Foundation of Computer Science, New York, USA.
[2] Navdeep Aggarwal, Parshant Tyagi, Bhanu P Dubey and Emmanuel S Pilli. Article: Cloud Computing: Data Storage Security Analysis and its Challenges. International Journal of Computer Applications 70(24):33-37, May. Published by Foundation of Computer Science, New York, USA.
[3] Parshant Tyagi, Divya Kapil, Emmanuel S. Pilli, Ramesh C. Joshi: Virtual Machine Portability: A Novel Approach. Communicated to IEEE CloudCom 2013.
[4] Divya Kapil, Parshant Tyagi: Live Virtual Machine Migration: A New Mechanism. Communicated to IWCA 2013.

CHAPTER 1 INTRODUCTION

This research is about understanding the objectives of HIPAA privacy auditing in the cloud computing environment for ensuring cloud privacy and security. The number of cloud service providers is increasing fast, as the widely used pay-per-use business model has attracted millions of customers around the world. This increasing number of cloud vendors gives potential customers more options to meet the requirements of their products, but the customer has to compare and evaluate many different cloud vendors to select the most suitable one. Since these cloud vendors today use proprietary solutions to deliver cloud based services, it is difficult to compare different cloud vendors under common evaluation criteria.

Cloud computing is considered one of the most heralded areas of computer science in recent times, but several important issues reside in it. The most important is the abstraction used to build the cloud services: work on cloud computing standards is still ongoing, and many solutions exist today that were launched even before the standards were developed. Another important issue is the cost of implementing cloud services according to standards, which cloud vendors will not willingly incur; there is also a lack of motivation for some vendors to be open and compliant with standards rather than using their closed proprietary solutions. Even if the cloud vendors used open standards, the remaining problem would be to analyze the features provided by a cloud vendor against those standards. In reality, the use of non-standard solutions has made the auditing procedure very complex and challenging. The same problem arises when it comes to analyzing the security measures of a cloud vendor for compliance with codified rules and regulations.

While the security issues associated with cloud computing have been under continuous research to make cloud computing more and more secure, there is no apparent mechanism available today to compare the security features provided by different cloud vendors against the standards. In addition, there is no mechanism to verify the security features implemented by a cloud vendor in real time. This is identified as one of the topmost demands of users in the Martin Kuppinger Top Trends Report [1]. The report also mentions that, since the cloud is beyond the immediate control of IT, there will still be a lack of tools and standards in the areas of authorization and auditing. The lack of real-time or near-real-time auditability is one of the major obstacles to large scale adoption of cloud computing [2].

This dissertation explores the possibility of developing an automated security compliance tool for cloud computing that collects the logs from the system, network and servers and allows a cloud user to verify the security measures against the standards on demand. However, cloud computing itself is a broad topic with hundreds of considerations (threats, infrastructure, compliance, etc.), and there are several different cloud platforms with different properties to work with. Therefore, in this work we aim to develop a proof-of-concept security compliance tool focusing on one cloud platform.

1.1 HIPAA in cloud environment

Today the most important challenge with cloud computing is the various security issues. Although the cloud vendors present today provide many security measures for their clients and want to offer a secure cloud playground to their cloud players, it is impossible for a client to verify or compare the security measures provided by different cloud service vendors under a common security evaluation platform. Being aware of this issue, the Cloud Security Alliance (CSA) [3] has developed guidelines and frameworks to facilitate an extensible, common, open and secure interface through which a cloud provider can provide security assurance to its customers. Cloud Audit [4] is one such framework developed by CSA. As customers move to the cloud, they may turn to you for a cloud computing audit. Cloud Audit works as a verification tool and common interface that allows enterprises interested in streamlining their audit processes, as well as cloud providers, to automate the audit, assessment, assertion and assurance of their software as a service (SaaS), infrastructure as a service (IaaS) and platform as a service (PaaS) environments, and gives consumers an extensible and secure interface and methodology. While Cloud Audit provides a common interface for the auditing process of a cloud service provider, the Cloud Control Matrix (CCM) [5] was developed to

provide fundamental security principles to guide cloud vendors and their customers in assessing the risks related to a particular cloud service provider. The CCM provides a detailed guideline incorporating industry accepted security regulations, standards and controls such as ISO 27001/27002 [6, 7], HIPAA [8, 9], ISACA COBIT [10], PCI DSS [11] and the NIST security standards [12]. So, if the cloud vendors present today implemented their systems by the regulations summarized in the CCM and provided a common interface, with the help of the Cloud Audit framework, for a client to verify the security measures, then a client could confidently verify, analyze, assess and compare the risks of different cloud vendors. Although the services provided by the CCM and Cloud Audit facilitate the flow of security compliance related information inside a cloud vendor, how to generate the compliance related information automatically is still under research. If a cloud service provider advertises that it has implemented all security according to the standards, there is no way for a user to verify the claim on demand.

To overcome this situation we aim to build an automated security and risk assessment tool in the cloud that captures all the relevant information. In order to automate the security assessment tool, we plan to use various techniques that allow us to generate the desired information on demand without any human intervention. In this dissertation we aim to build an intelligent engine that acquires all the information from the machines and networks of a target cloud system on demand; the captured information is tested by the intelligence tool for compliance, and finally the results are passed to the dashboard for display. To accomplish this task we have chosen the open source cloud computing platform Eucalyptus [13], which supports the Infrastructure as a Service (IaaS) cloud service model.

Before starting the actual development, we need to find answers to a few questions. The first question is which parts of cloud auditing can be automated, since it is not possible to automate everything. The second, more challenging question is how to integrate the intelligent tools into the target cloud infrastructure as a service (Eucalyptus).

1.2 Compliance and Audit

The regulatory environment has changed drastically over the past decade. As more and more business has been conducted online, regulations have cropped up to protect individuals and

their personal information. Sarbanes-Oxley, GLBA and HIPAA are all regulations designed to ensure best practices and due diligence on the part of businesses and organizations. At first, there was a significant amount of confusion over exactly what to actually do; regulations commonly required organizations to "secure their network", for example, but rarely gave specific, actionable information. This was certainly true in the early days of HIPAA. Some of this was by design, due to the rapid changes occurring in the threat landscape as well as in protective technology. Over time, organizations have developed a clearer picture of what best practices are reasonable and acceptable to protect themselves and their patient information. Technology has also improved and become more tailored to automating regulatory requirements. Organizations are also finding that compliance with the HIPAA Security Rule provides additional benefits. The Security Rule is designed to be best practice for protecting ePHI, and when implemented correctly those best practices also serve to protect the network and all IT assets in general. With proper planning, documentation and the right solutions in place, HIPAA compliance can be greatly simplified and automated, saving time and expense and also improving overall IT security.

This dissertation project is focused on HIPAA security compliance, with the following goals:
1. Analyze Cloud Audit for cloud security, where cloud security refers to the interface definitions, cloud security controls, relation with different standards, etc.
2. Analyze different types of approaches to automating the compliance check process in light of the Eucalyptus cloud computing platform.
3. Design an architectural algorithm for building a security compliance tool for the cloud incorporating Cloud Audit.

1.3 HIPAA

The Health Information Technology for Economic and Clinical Health (HITECH) Act supports the concepts of the Electronic Health Record (EHR) and Health Information Exchange (HIE). Even though HIPAA has been around since 1996, it was not taken seriously until HITECH was put into place. HITECH extended the HIPAA of 1996, which contained two parts: Title I and Title II.

Title I was to protect people in case they lost their job or switched jobs, so that they could still have healthcare coverage. Title II, called Administrative Simplification, was about data protection. From an IT department's perspective, HIPAA/HITECH means controlling who can see what data depending on their job position, tracking data and monitoring data, as well as protecting stored data and data in transit through encryption. Access controls and processes also need to be set up. A person's privacy is very important, and with all the technology in today's world many people can gain access to a lot of information more easily than in the past. HIPAA protects the privacy and also the security of that information, based on rules established by the Department of Health and Human Services (HHS). HIPAA has changed how things work in the healthcare field; there are now requirements that need to be followed. With all the new technology and companies striving to go paperless, a lot has changed in the healthcare field, and computers are being used more often to store confidential information, which increases the security risk.

The Security and Privacy Rule (Title 45, Public Welfare, Part 164, Subpart C, Technical Safeguards) states the required and addressable parts:
- Required: a unique identity assigned to each user.
- Required: an emergency process for accessing information.
- Addressable: automatic logoff of the computer screen after a certain amount of time during which no one is using it.
- Addressable: encryption and decryption of computer information.
- Addressable: a mechanism for encryption where necessary. [14]

1.4 Problem statement

The main contribution of this dissertation is to build a HIPAA compliance audit that captures the logs from the front end, back end and network of the cloud (although our architecture focuses on one specific cloud platform, Eucalyptus), together with an algorithm for HIPAA data security while using a third party auditor. We have also implemented a proof-of-concept solution using this architecture, integrated with the specific cloud platform Eucalyptus. While building this architecture, we found two possible ways to obtain the data from the cloud needed to build the security compliance check. The first way accesses all the logs from the server, the client and the network; the second, more challenging way uses the third party auditor to provide the security of healthcare data.

Besides the main contribution above, one more contribution can be pointed out here. During this dissertation work we concluded that many of the compliance checks cannot be done automatically; some of the security controls need to be checked manually. So we also tried to develop the architecture in such a way that a cloud administrator can add these manual entries into the tool for those security controls. This will help build trust between the cloud client and the vendor.
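As an added example (not code from the dissertation or its tool), the following Python script shows what an automated check of the five Technical Safeguards listed in Section 1.3 might look like, and how the manual-entry idea from the problem statement can be accommodated: an addressable control that the collector cannot verify may be satisfied by an administrator's recorded attestation, while a required control never is. The 45 CFR 164.312 paragraph numbers are the regulation's own; the SystemState fields, the 15-minute idle limit, the shared-account list and the sample tenant configuration are assumptions constructed for the example.

```python
"""Added example, not the dissertation's code: a minimal automated check of the
HIPAA Technical Safeguards listed in Section 1.3 against a constructed snapshot
of a cloud tenant's configuration, with manual attestations for addressable
controls that cannot be verified automatically."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Assumed policy value: the regulation requires automatic logoff but fixes no number.
MAX_IDLE_SECONDS = 15 * 60

# Generic or shared account names defeat unique user identification (assumed list).
SHARED_ACCOUNTS = {"admin", "root", "shared", "nurse"}


@dataclass
class SystemState:
    """Constructed snapshot of what an automated log/config collector could observe."""
    user_ids: List[str]                      # login identifiers in use on the system
    emergency_access_procedure: bool         # break-glass procedure documented and configured
    idle_logoff_seconds: Optional[int]       # None means automatic logoff is disabled
    storage_encryption: Optional[str]        # cipher used for stored ePHI, or None
    transport_tls_enforced: bool             # TLS mandatory for ePHI in transit
    # control_id -> note written by the cloud administrator for a manual check
    manual_attestations: Dict[str, str] = field(default_factory=dict)


@dataclass
class Control:
    control_id: str                          # paragraph of 45 CFR 164.312
    description: str
    required: bool                           # False means the control is "addressable"
    check: Callable[[SystemState], bool]     # automated verification of the control


def unique_user_ids_ok(state: SystemState) -> bool:
    """Every identifier must be distinct and none may be a shared/generic account."""
    ids = state.user_ids
    return len(set(ids)) == len(ids) and not (set(ids) & SHARED_ACCOUNTS)


def automatic_logoff_ok(state: SystemState) -> bool:
    """Logoff must be enabled and within the assumed idle limit."""
    secs = state.idle_logoff_seconds
    return secs is not None and 0 < secs <= MAX_IDLE_SECONDS


CONTROLS = [
    Control("164.312(a)(2)(i)", "Unique user identification", True, unique_user_ids_ok),
    Control("164.312(a)(2)(ii)", "Emergency access procedure", True,
            lambda s: s.emergency_access_procedure),
    Control("164.312(a)(2)(iii)", "Automatic logoff", False, automatic_logoff_ok),
    Control("164.312(a)(2)(iv)", "Encryption and decryption of stored ePHI", False,
            lambda s: s.storage_encryption is not None),
    Control("164.312(e)(2)(ii)", "Encryption of ePHI in transit", False,
            lambda s: s.transport_tls_enforced),
]


def evaluate(state: SystemState) -> Dict[str, str]:
    """Return {control_id: "PASS" | "ATTESTED" | "FAIL"} for every control."""
    report = {}
    for ctl in CONTROLS:
        if ctl.check(state):
            report[ctl.control_id] = "PASS"
        elif not ctl.required and ctl.control_id in state.manual_attestations:
            # An addressable control may be met by a documented alternative measure;
            # the attestation is recorded in the report, not silently treated as a pass.
            report[ctl.control_id] = "ATTESTED"
        else:
            # Required controls never accept an attestation in place of evidence.
            report[ctl.control_id] = "FAIL"
    return report


def is_compliant(report: Dict[str, str]) -> bool:
    """Compliant only when no control is left in the FAIL state."""
    return all(status != "FAIL" for status in report.values())


# Constructed sample tenant: console logoff is disabled, but the administrator has
# recorded an alternative measure for that addressable control.
SAMPLE_STATE = SystemState(
    user_ids=["ptyagi", "nagarwal", "radiology01"],
    emergency_access_procedure=True,
    idle_logoff_seconds=None,
    storage_encryption="aes-256-gcm",
    transport_tls_enforced=True,
    manual_attestations={
        "164.312(a)(2)(iii)": "kiosk terminals require badge-out; checked by admin",
    },
)

if __name__ == "__main__":
    result = evaluate(SAMPLE_STATE)
    for ctl in CONTROLS:
        kind = "required" if ctl.required else "addressable"
        print(f"{ctl.control_id:<20} {ctl.description:<42} ({kind}) -> {result[ctl.control_id]}")
    print("compliant:", is_compliant(result))
```

The distinction the script enforces is the one the dissertation draws between automatable and manual controls: a manual entry changes a control's status to ATTESTED, which the dashboard can show separately from a machine-verified PASS, so the auditor can see which claims rest on evidence and which rest on the administrator's word.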

CHAPTER 2 LITERATURE SURVEY

2.1. Motivation

This chapter introduces the background information that is essential for understanding the rest of this thesis project. Since our thesis project is about security compliance, we start this chapter by briefly describing what security compliance is. Later we move on to cloud computing, related security terms, frameworks and standards.

2.2. Security Compliance in cloud

In order to understand security compliance, we have to distinguish it from security itself. Security refers to the mechanisms that have to be used for a system to be in a safe state against prospective threats, whereas security compliance refers to a state of compliance with a given set of security requirements. Therefore, while security itself protects a system from threats, security compliance does not perform that protection. Rather, security compliance ensures that the security measures taken to protect the system are compliant with the necessary requirements. In general, audit and compliance refer to the process that an organization implements to achieve the following [15]:
- identifying the set of requirements that the organization must abide by;
- acting accordingly so that the requirements are met;
- monitoring the systems so that the processes are followed consistently.

To focus more on the security side of the compliance procedure, Klaus Julisch from IBM Research has defined security compliance as follows [16]:

"Security compliance, in IT systems, is the state of conformance with externally imposed functional security requirements and of providing evidence (assurance) thereof."

Now we can summarize security compliance as a system's compliance with external security requirements. These external security requirements can be government issued regulations, industry accepted best practices or internal company policies. However, these days security compliance generally indicates compliance with industry accepted security standards such as NIST, ISO 27001/27002, HIPAA, PCI, etc. This is the compliance that we target in this thesis project. Although there is a human behavioural side of security compliance, namely whether an employee wants to comply with the policy or not [17], in this project we focus only on the technical part of security compliance.

Why Security Compliance

Cloud computing can be seen as a new term for an old trend. This viewpoint arises from the fact that cloud computing is generally used to deliver the same old products, such as services or web services, using a different mechanism. It is important to realize that we have had well defined protocols and standards for these sorts of services for many years. Therefore the question arises why it is important to have security compliance for cloud infrastructure while it provides the same set of services. Nathaniel Borenstein and James Blake from Mimecast [18] have answered this question by saying that compliance is important to gain the trust of nervous users [19]. This is understandable, as companies willing to move to a cloud service provider to deliver their product lose control over the underlying system and do not know the inner workings of the cloud systems. Hence, clients opt for a cloud vendor that is compliant with standards they can trust. While compliance helps drive security, it does not equal actual security. Nonetheless, if a system is compliant with a well-established security standard, it can survive the most common security threats.

The 2012 Data Breach Investigations Report [20] presented by Verizon [21] outlines the fact that non-compliance is one of the main reasons for data breaches in the payment card industry. In this report it was stated that 96% of the companies that suffered a breach had not achieved compliance with the PCI DSS; only the remaining 4% of companies were breached despite having achieved compliance with PCI DSS. This is a clear indication of how much difference security compliance can make.

There are several other important reasons for security compliance in general. The first and essential use of security compliance is the auditing procedure, because what is being audited and enforced is compliance, not security. The second important aspect of compliance is that, despite extensive research [22], it is difficult to measure the security of a system in general; measuring compliance, however, is feasible, and there are metrics published for this purpose [23, 24]. The third importance of compliance, especially security compliance, is that it plays a significant role in ensuring governance and service level agreements (SLA) between the cloud vendor and the client, as indicated in [25]. Finally, in today's world, security compliance or auditing plays a significant role in a security tool being successful in business: if a new security tool comes out of a research lab but is not recognized or used by any security auditor, there may be no value or business for that tool.

Challenges in Automating Security Compliance Check

A security compliance check means verifying a system against some security standard to determine whether the system complies with the standard or not. So far, manual auditing procedures have been used for this purpose. The manual auditing process involves data collection and decision making by security experts and generally costs a lot of money and time. In contrast, using automated security compliance check procedures, human intervention can be reduced to a great extent, which can be very time and cost efficient. However, we have identified several challenges that need to be overcome in order to build an automated security compliance tool for a system. These challenges are listed in the following.

The first challenge in automating security compliance is to formalize the set of external requirements with which the system has to comply. Determining the requirements is difficult due to the large number of standards and the fact that not all standards are suitable for all types of systems; at a more granular level, not every security control of a standard may be appropriate for all systems. Unfortunately, the standards that we have at our disposal today are very abstract, with no or minimal guidance for implementation. This property of the standards has made the automation process extremely difficult, as for the implementation of some controls heuristic values need to be chosen to verify the compliance status.

The third challenge is to determine what data or information needs to be extracted from the system to verify the security controls. The fourth challenge is to determine a feasible way to extract these data. Some of the information required for verification can be obtained externally, while some information can only be extracted internally by the system itself. To extract these data the system may need to be modified, which can be challenging for an already deployed and functional system. Data must be delivered in a secure way to the authorized compliance tool so that it does not fall into the hands of an attacker. Finally, providing assurance for the compliance status determined by the automated tool is also a big challenge. Since heuristic values may be used to determine the compliance status, the client needs to be assured about the decision or needs to be given more information about the compliance check procedure. Another barrier to automating security compliance is that many of the controls stated in the standards require manual intervention which cannot be automated; for example, controls related to physical security (personnel entry to or exit from the facility, hardware security, etc.) cannot be verified using an automated security compliance tool.

All the above mentioned challenges are generic in nature and apply to automating the security compliance check for any system. There are even more challenges in cloud computing platforms to achieve the same security compliance check. Based on the State of Enterprise Security Report 2010 [26] by Symantec Corporation [27], the most problematic areas from the security perspective are (most problematic on top):
- Platform as a Service
- Infrastructure as a Service
- Software as a Service
- Server Virtualization
- Endpoint Virtualization
All of the above areas are inherent to cloud computing, making the automation of security compliance checks much more challenging in the cloud computing arena.
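The third and fourth challenges (what evidence to extract and how) are easiest to see on a concrete log. The following Python script is an added example, not code from the dissertation or from Eucalyptus: it parses constructed session log lines in an assumed "timestamp EVENT key=value" format, extracts per-session evidence for two controls that do leave traces in logs (automatic logoff and unique user identification), and lists the physical controls that no log can verify so they go to manual entry. The 15-minute idle limit, the shared-account list and the sample log are assumptions constructed for the example.

```python
"""Added example, not the dissertation's code: extracting compliance evidence from
constructed session log lines. It covers two controls that leave traces in logs
(automatic logoff and unique user identification) and names the controls that
must be verified manually because no log records them."""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

MAX_IDLE_SECONDS = 15 * 60                      # assumed idle limit; the regulation fixes none
SHARED_ACCOUNTS = {"admin", "root", "shared"}   # assumed list of non-unique logins

# Controls the automated collector cannot verify from logs; reported for manual entry.
MANUAL_ONLY_CONTROLS = ["facility access (physical entry/exit)", "hardware security"]

# Constructed log format (not a Eucalyptus format): "<ISO timestamp> <EVENT> key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>LOGIN|ACCESS|LOGOFF)\s+(?P<kv>.*)$")

# Constructed sample log: s1 is logged off far too late, s2 is a shared account that
# never logs off, s3 is clean, and the last line is malformed on purpose.
SAMPLE_LOG = """\
2013-07-01T09:00:00 LOGIN user=ptyagi session=s1
2013-07-01T09:05:00 ACCESS user=ptyagi session=s1 record=EHR-1042
2013-07-01T09:40:00 LOGOFF user=ptyagi session=s1 reason=idle
2013-07-01T09:10:00 LOGIN user=admin session=s2
2013-07-01T09:12:00 ACCESS user=admin session=s2 record=EHR-2210
2013-07-01T09:20:00 LOGIN user=nagarwal session=s3
2013-07-01T09:25:00 LOGOFF user=nagarwal session=s3 reason=user
this line is malformed and must be skipped
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(item.split("=", 1) for item in m.group("kv").split() if "=" in item)
    if "user" not in fields or "session" not in fields:
        return None
    fields["event"] = m.group("event")
    fields["ts"] = m.group("ts")
    return fields


def analyse(log_text: str) -> List[Tuple[str, str]]:
    """Return (session_id, finding) pairs for every control violation seen in the log."""
    sessions: Dict[str, dict] = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue                            # malformed evidence is skipped, not guessed
        ts = datetime.fromisoformat(ev["ts"])
        s = sessions.setdefault(ev["session"],
                                {"user": ev["user"], "last_activity": ts, "logoff": None})
        if ev["event"] in ("LOGIN", "ACCESS"):
            s["last_activity"] = max(s["last_activity"], ts)
        else:                                   # LOGOFF
            s["logoff"] = ts

    findings = []
    for sid, s in sessions.items():
        if s["user"] in SHARED_ACCOUNTS:
            findings.append((sid, f"login as shared account '{s['user']}': user not uniquely identifiable"))
        if s["logoff"] is None:
            findings.append((sid, "session never logged off"))
        else:
            idle = int((s["logoff"] - s["last_activity"]).total_seconds())
            if idle > MAX_IDLE_SECONDS:
                findings.append((sid, f"logged off only after {idle}s idle (limit {MAX_IDLE_SECONDS}s)"))
    return findings


if __name__ == "__main__":
    for sid, msg in analyse(SAMPLE_LOG):
        print(f"{sid}: {msg}")
    print("needs manual verification:", ", ".join(MANUAL_ONLY_CONTROLS))
```

Two of the chapter's points show up directly in the code: the idle limit is a heuristic value chosen by the tool, not given by the standard, so the finding reports the number it used; and a skipped malformed line is a gap in the evidence rather than a pass, which is why the findings list, not the absence of findings, is what the dashboard should present.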

22 2.3. Compliance and Audit in cloud With the rapid growth of cloud computing, it is very easy to access computing resources without the burden of purchasing, updating, managing and maintaining the resources. Cloud computing provides the illusion of infinite computing resources which are available from anywhere, anytime, on demand. Cloud service provider manages computing resources at data centre and provides these resources to the consumer. Infrastructure, software, platform are offered as service in a pay-as-you-go manner to users. Cloud computing makes better use of distributed resources and put them together to solve the complex computational problems. Most cloud platforms use virtualized data centres which maximize the computing resources utilization. Cloud computing is a new paradigm which provides utility services over shared virtualized resources and enables users to access computing resources placed at a remote location which they do not necessarily own in a pay as you go model. More and more services providers and users are getting added to the cloud environment because of its essential characteristics like on-demand self-services, broad network access, resource polling, rapid elasticity, and measured services. As the estimate of cloud computing market are set to reach more than 150 billion dollars this year, it is attracting more cybercriminals to perform malicious activities with financial implication. IaaS providers allow their customers access to different kinds of infrastructure. The provider typically provides this service by dividing a very large physical infrastructure resource in to smaller virtual resources for access by the consumer. Sometimes the service provides is a complete virtual machine with operating system. In other instance the service provided is simply for storage, or perhaps a bare virtual machine with no operating system. Example: Amazon Ec2. 
The most common definition used by researchers to define cloud computing is the one provided by NIST, quoted in the following [28]: "Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." The characteristics that have made cloud computing so attractive are: on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service [28]. All of these characteristics are of utmost importance for a company that does not want the hassle of maintaining its own computing infrastructure. The company can then concentrate on its products while offloading the setup of the computing infrastructure, maintenance, security, etc. to the CSP for a fee.

Mirko Montanari et al. proposed a framework for verifying the trustworthiness of logs based on a small amount of evidence data: the cloud security monitoring (CSM) API, made available by the cloud service, allows an organization to capture evidence about its systems. Such evidence is used to analyze system compliance against the policies set by the regulatory authorities. They also proposed a scheme for random auditing of resource compliance [29]. Frank Doelitzscher et al. define a prototype demonstration of security as a service, a cloud audit service that aims to provide trust in a cloud based infrastructure by codifying some transparency between the user and the cloud service provider (CSP); the demonstration shows how autonomous agents detect changes, and that concurrent IT security audits can be useful to increase user trust in the cloud environment [30]. Dileepa Jayathilake presents an in-depth study of cloud log domains and types of common problems, together with a practical guide to available audit tools; because of the lack of proper structured analysis, the paper describes a framework for structured log analysis, whose strength is its handling of the various log formats that are not served by existing tools [31]. David Brand defines how internal audit provides an assurance function to management and the board, by which the board identifies the risk factors in cloud computing technology and determines whether those risks are being appropriately mitigated. Organizations should establish a process to re-evaluate and monitor risks routinely once the business is working in the cloud. David Brand also proposed a model for implementing cloud computing and monitoring vendors [32]. Joon S. Park et al. discuss security and privacy concerns in cloud computing, the current status of cloud computing and a case study on Amazon CloudWatch, the cloud monitoring application programming interface (API). With the widespread movement to cloud computing, security and privacy have become a major concern. The resources are monitored in near real time, and the monitoring information is reported to subscribers according to their subscription [2]. Jing Liu et al. discuss a security audit system for compliance. Audit systems have been promoted as cost-effective ways to detect and contain worm and virus threats, record information related to observed events, assist with compliance requirements, and act as a network sanitizing agent. Liu introduces the system model and components of a log based network security audit system for compliance. The architecture is based on a network security model containing two components: unified agents and an audit centre (which analyzes the logs collected by the agents) [33]. Irfan Gul et al. focused on cloud security issues and auditing mechanisms. Their literature review analyzed the different cloud security auditing protocols for data integrity and privacy through a trusted third party auditor (TPA). They also discuss a data access management architecture using audit trails and an IDS technique that makes the cloud accountable [34]. Bhagyaraj Gowrigolla et al. discuss how cloud computing realizes the long-held vision of computing as a utility; the main points of the paper are the privacy issues and some unique factors to be considered when data is placed in the cloud, and finally they propose a public auditing scheme that addresses these factors, where data is encrypted in the cloud without loss of accessibility or functionality for authorized parties, providing a greater degree of confidence in the adoption of new and cost saving cloud computing technologies [35]. M. Venkatesh et al. proposed an RSASS system that uses the RSA algorithm to generate signatures; it supports large files of different sizes and provides better security for data stored in the cloud, ensuring possession of the data on the remote server through frequent integrity checking [36]. Xiaomeng Chen et al. proposed a HIPAA compliant auditing system for medical imaging systems. The audit controls proposed by the HIPAA Security Standards are audit trails, which audit activities to assess compliance with a secure domain's policies, to detect instances of non-compliant behaviour, and to facilitate detection of improper creation, access, modification and deletion of Protected Health Information (PHI). Although current medical imaging systems generate activity logs, there is a lack of a regular description for integrating these large volumes of log data into HIPAA compliant audit trails.
The paper outlines the design of a HIPAA compliant auditing system for medical imaging systems such as PACS and RIS and discusses the development of this security monitoring system based on Supplement 95 of the DICOM standard: Audit Trail Messages [37]. Zhixiong Chen et al. state that IT governance, auditing and compliance are becoming as important pedagogical subjects as long-established financial control and financial auditing. Designing a sound IT governance, compliance and auditing curriculum is a rewarding as well as challenging task. In this paper the authors discuss their experiences from teaching IT governance, compliance and auditing at both the graduate and undergraduate level and examine lessons learned. The authors also provide a curriculum design strategy, student assessment and outcomes. Their goal is to cultivate a kernel so that graduates can apply their understanding of the subjects to a wide spectrum of industries that are increasingly dependent on technology advancement [38]. David Brand describes how, in collaboration with management, internal audit can help to proactively identify and understand relevant risks before signing a contract and committing to a cloud hosting implementation, with the ultimate goal of ensuring data security, adhering to compliance demands, and meeting the needs of customers. Management may also elect to use internal audit as a mechanism for assessing key risks and controls associated with cloud services. Internal audit is well positioned, through its role as the assurance function of the organization, to help management and the board identify and consider the key risks of leveraging cloud computing technology. This article discusses steps internal audit can take, including: (1) defining a cloud strategy; (2) evaluating vendors; (3) implementing a cloud computing model; and (4) monitoring vendors [32].

Research Gaps

For years the health care industry has dealt with the daunting challenge of understanding and determining how to comply with the privacy and security rules under the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Health Insurance Portability and Accountability Act (HIPAA). Still, some health care entities have been slow in preparing for a potential audit, which can be partially attributed to the lack of details around what requirements will be assessed during an audit. However, with the OCR's publication of its audit protocol, the entire health care industry has been given a wake-up call. In order to ensure the protection of personal health information in the cloud, we argue that it is important to understand patients' privacy values and their cloud privacy objectives.
Understanding and identifying individuals' privacy values with respect to cloud privacy objectives is important for the development of an organization's cloud technology strategy. Organizations need to recognize their patients' cloud privacy expectations in order to develop socially responsible privacy practices. A benefit of this understanding is that organizations utilizing cloud technologies could create privacy policies that meet customers' expectations of cloud privacy objectives. There is a lack of clarity about what organizations need to do in order to protect patient privacy. This is a result of not having well defined objectives for ensuring personal security and privacy. Parshant Tyagi et al. suggest the need for auditing, and for researchers to study how organizations should handle personal health information, what organizations' responsibilities are towards information privacy protection, and the moral duties organizations have to protect their customers' and stakeholders' privacy needs [39]. Conducting research along these lines would help organizations and researchers develop comprehensive privacy policies to ensure information privacy. This study uses an auditing approach to identify patient privacy values with respect to emerging cloud technologies, and to develop an understanding of how cloud security and privacy objectives are shaped by patients' HIPAA rule values. Researchers claim that values are important for many aspects of the decision making process, including guiding the information collection process, evaluating alternatives, creating alternatives, and identifying and resolving conflicts. One goal of this study is to develop an understanding of the relationship between healthcare privacy values and cloud privacy objectives. Another goal is to develop a mock audit framework for ensuring cloud privacy. The focus of the research leads to the following research questions:

1) What are the privacy objectives for HIPAA in cloud computing?
2) How can an audit for cloud privacy be designed?
3) Design a framework for HIPAA audit.
4) Design an algorithm for the audit framework.
5) Implement the algorithm for audit issuance of the increased fines.

CHAPTER 3
HIPAA

3.1. HIPAA

The Health Insurance Portability and Accountability Act [40] is a US federal law, enacted by the United States Congress and signed by Bill Clinton, that aims to safeguard protected health information (PHI) by regulating healthcare providers. HIPAA came in 1996 but was never taken seriously before the new act called HITECH (the Health Information Technology for Economic and Clinical Health Act) was enacted in . HIPAA indicates that patients' privacy should be emphasized and applied to the whole health industry [41]. Healthcare data is generated by numerous types of systems and collected in various formats: custom application logs, XML, syslog, HL7 and myriad other formats [4]. It is no surprise that most healthcare applications do not conform to a single data format; the breadth of this data is one of the challenging facets for the healthcare organization. An executive order signed by the Obama administration in 2009 that provides a bounty on healthcare fraud has begun to change this $2.5 trillion industry. This order challenges the healthcare sector on three fronts: improving patient outcomes, reducing fraud, and supporting regulations [42]. Cloud computing is a hot item in the sequence of high performance computing. Many organizations, including government agencies, have invested in cloud based services to handle the day-to-day operation of the organization [43]. Cloud computing provides many benefits to an organization due to the rapid increase of online services and applications. Healthcare organizations rely on the cloud for most of their day-to-day tasks, and personally identifiable information (PII) will also be stored and processed in the cloud [44]. The main advantage of this cloud setup is that we can access this data from anywhere in the world with internet connectivity, and protect our data in the highly configurable cloud data centre.
The major concern with cloud computing is the uncertainty of its security, as with any other technology used by organizations including government agencies. Healthcare and other types of patient data are permanently or temporarily stored in a back-end database beyond the patient's control. In this configuration, data confidentiality is one of the major concerns for patients of cloud hosted services, when taking into account the data breaches and recent security incidents [45-47]. Patients' lack of confidence actually affects the patients [48]. In the absence of alternative options, most patients eventually share their data with cloud services, relying on the legal agreement and trusting the efforts of service providers in securely handling and protecting their data. In order to put measures in place for a secure system, cloud computing must adhere to government regulations; this paper will focus on cloud computing and the issues that affect it with respect to HIPAA compliance.

Compliance is one of the greatest challenges faced by organizations today. To help healthcare organizations comply with HIPAA, security standards have been created to help organizations protect personally identifiable information. Sensitive enterprise data is always at risk of being compromised; therefore it has become a mandate to secure sensitive information by establishing network security processes and meeting the guidelines of regulatory bodies. Regulatory compliance standards such as PCI DSS, FISMA [49], GLBA [50], SOX [51] and HIPAA require organizations to monitor their network in real time, ensure high levels of security for their confidential enterprise assets and provide network compliance audit reports to auditors when demanded. It is critical for organizations to observe the regulatory compliance audit guidelines, since being non-compliant with the regulatory standards can result in severe penalties [52].
To meet all compliance requirements, organizations are required to take proactive measures to establish network security processes for detecting network anomalies, attacks and other vulnerabilities that can cause harm to the sensitive information of the enterprise. Organizations must fulfil the requirements of the compliance auditor by producing compliance reports for PCI DSS, FISMA, GLBA, SOX, HIPAA, etc., and must also demonstrate the security measures taken to keep their network from being compromised. Regulatory bodies also require organizations to retain the log data of their network devices and applications for long periods, thereby allowing auditors to verify security incidents by checking the audit trails in the log data.

BACKGROUND

HIPAA is an acronym for the Health Insurance Portability and Accountability Act. To improve the efficiency and effectiveness of the health care system, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) included Administrative Simplification provisions; Administrative Simplification covers the security and privacy of health data, and its standards are meant to improve the security, efficiency, and effectiveness of the nation's health care system. HIPAA requires that consent be obtained before protected health information (medical information that identifies a particular person) can be shared in certain circumstances. Once health information is de-identified, it is no longer subject to the Privacy Rule's restrictions and can be shared without consent. Organizations required to comply with HIPAA regulations are termed covered entities [40]. Common examples of covered entities include health insurers, healthcare clearing houses, hospitals, home healthcare agencies, nursing homes, pharmacies, laboratories, physicians, physiotherapists and general practitioners' offices.

HIPAA TITLES

HIPAA provides a range of requirements for organizations handling healthcare insurance and PHI. This paper is primarily concerned with the HIPAA requirements governing data security and privacy. There are five titles:

TITLE 1: Healthcare Access
Title I of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects health insurance coverage for workers and their families when they change or lose their jobs [9]. Title I works with group and individual health insurance plans to ensure availability of coverage.

TITLE 2: Fraud, Privacy, Security and Administration
Title II lists health care system rules and penalties but is best known for its "Administrative Simplification" rules.
The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) require the Department of Health and Human Services to establish national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. They also address the security and privacy of health data.

Adopting these standards will improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in health care. The U.S. Department of Health and Human Services (DHHS) develops and publishes the rules pertaining to the implementation of HIPAA and the standards to be used. All health care organizations impacted by HIPAA are required to comply with the standards within two years of their adoption [53].

TITLE 3: Tax Related Health Provisions
Title III established medical savings accounts, increased the deduction for health insurance costs of self-employed individuals and made other changes to health insurance law.

TITLE 4: Application and Enforcement of Group Health Plan Requirements
Title IV specifies conditions for group health plans regarding portability, access and renewability for those with pre-existing conditions, and modifies continuation of coverage requirements. It also clarifies continuation coverage requirements and includes COBRA clarification. This amends the 1985 COBRA Act to include language for group health plans.

TITLE 5: Revenue Offsets
Title V includes provisions related to company-based life insurance plans and tax-deduction mandates for company-owned life insurance premiums. It also explains federal code changes that generate more revenue to offset the additional costs caused by HIPAA implementation.

Fig HIPAA Titles

HITECH Act

The HITECH Act (Health Information Technology for Economic and Clinical Health) was enacted as part of the American Recovery and Reinvestment Act of . This act establishes notification requirements for what DHHS defines as covered entities (insurance carriers, providers and their employees and contractors, clearinghouses, etc.), vendors, and business associates. If Protected Health Information is compromised, the HITECH Act establishes the requirements for those who are responsible for the information. HITECH extends the data privacy and security requirements of HIPAA to business associates of covered entities and stipulates that these requirements be included in agreements and contracts between covered entities and business associates [54]. This Act also imposes additional requirements relating to protected health information security breaches and extends these not only to covered entities, but to business associates and vendors of personal health records. Finally, the Act also implements changes in the rules governing disclosures of PHI when an organization uses an electronic health record.

Cyber Warfare

A definition of cyber warfare is not easy to agree on. In fact, both "cyber" and "warfare" are under debate. We encounter cyber warfare in the movies, starting with WarGames in 1983, where a kid who loves to play games breaks into a military network and accidentally almost starts World War III; Sneakers in 1992, where all data encryption is compromised; Swordfish, where intelligence agencies use hacking to support their activities; and the epic Die Hard 4: Live Free or Die Hard in 2007, where criminals pose as terrorists and take down the Internet and all the critical infrastructure it supports [55]. Some experts limit cyber warfare to military operations that are held in cyberspace; other experts describe cyber warfare as hostile action taken by an aggressor to attack the computer networks of an adversary; still others say cyber warfare can be used to describe various aspects of defending and attacking information and computer networks in cyberspace. My conclusion from extensive research is that cyber warfare is a new form of non-conventional warfare that exploits the vulnerabilities in computer networks to gather sensitive information from an enemy and/or uses cyber attacks to cripple or destroy the critical infrastructures of other nation states or independent organizations.
Cyber law is a growing field that defines the policies and rules for how activities in the cyber world take place. Cyber policy is an issue that is readily discussed in the United States and in the international community, especially with the increased use of cyber attacks as a form of non-conventional warfare. The hot topic issues include, but are not limited to, determining the jurisdiction of cyberspace and how plaintiffs and defendants should respond to cyber incidents, whether those actors are nation states or independent groups.

COMPLIANCE ISSUES

Compliance is conformance with an established standard, specification, regulation, or law. Various types of privacy regulations and laws exist within different countries at the local and global levels, making compliance a potentially complicated issue for cloud computing. HIPAA in the US is just one of the compliance issues affecting cloud computing, depending on the type of data and application for which the cloud is being used. Maintaining and proving compliance when using cloud computing, and the issues involved in evaluating how cloud computing affects compliance with internal security policies as well as various compliance requirements (legislative, regulatory, and otherwise), are discussed here. This domain includes some direction on proving compliance in the context of cyber attacks, data disclosure, audit, and business continuity.

Cyber Attacks

As estimates of the cloud computing market are set to reach more than 150 billion dollars this year, it is attracting more cybercriminals to perform malicious activities with financial implications. The methods used to carry out cyber attacks include denial of service attacks, logic bombs, malicious programs, digital manipulation, and IP spoofing. DoS attacks are when a hacker floods a system with so much traffic that the system cannot process all the information. This is the main source of cyber attacks because someone wanting to carry out these attacks can do so with limited resources. Logic bombs are the equivalent of time bombs for a computer. They set off attacks, such as a DoS attack, at a predetermined time or if specific events take place on a system. Malware is used to disrupt the normal operations of a computer system or to give someone access to a computer system. Types of malware include Trojan horses, worms, and viruses. Digital manipulation is when hackers use computer programs to edit videos and photographic images.
IP spoofing is when hackers redirect traffic from a trusted host to an address of their choosing. If users interact with the content on the page they were redirected to, they leave their system vulnerable to attack by the hacker [56].

Governance and regulations in HIPAA

IT infrastructure manages a complex set of hardware and software environments, and these services are provided to a customer with a guaranteed service level. Governance means having proper control over policies, measures and principles for IT service achievement [57]. If governance is compromised then the policies and measures for security can be ignored. Compliance refers to the responsibility of an organization to work, under a specific agreement, in accordance with established laws, standards and regulations. Compliance becomes a complex issue for cloud service providers because of the varying security and privacy laws administered in different countries [57]. Even though cloud service providers are becoming aware of different laws and regulations, and may store data under specific controls and apply the required protection for security and privacy, laws such as SOX and HIPAA require the customer to remain responsible for the security and privacy of data hosted in the cloud.

Data Disclosure

Another major concern with cloud computing is that HIPAA's privacy and security regulations are abstract, wide, and often not fully known by the staff of hospitals and clinics; almost all healthcare organizations are unable to completely comply with the regulations. Protecting data in the cloud is a more difficult task because the data in the cloud is potentially spread across servers in various locations. The issue here is that the information can be mishandled by the various users and disclosed to an insecure source or over an insecure connection. The cloud provider may have multiple employees dealing with the data, so the risk of human error increases with cloud computing.

Business Continuity

Business continuity and disaster recovery plans become even more important in a cloud computing environment. The disaster recovery plan is a required implementation specification defined within the HIPAA Contingency Plan standard in the Administrative Safeguards section of the HIPAA Security Rule, (a)(7)(ii)(B) [58].
The service provider must have redundancies in place not only for data backups but for the everyday use of the services. If the cloud goes down, then organizations will have unacceptable downtime that their IT departments cannot control, causing a stop to the critical services that the organization uses to conduct its daily operations.

3.2. HIPAA AND NETWORK SECURITY

Years ago it was not really a big deal if an employee looked at patient data even if they had nothing to do with that patient, but now with HIPAA employees cannot do that anymore. It has become more of a CIA (Confidentiality, Integrity, and Availability) model. Not everyone is authorized to see patient data, and network security plays a big role. Network security consists of keeping the data secure on the network, protecting the network from malicious attacks, and tracking and reviewing reports of the network to see its behaviour and to determine if someone who should not have access is trying to gain access. Access should be based on an employee's role, and security must be implemented accordingly. Updates must also be applied. If there is an intrusion on the network then civil and criminal charges could result, and remember that a company can be investigated at any time to see if it meets the required regulations. Documentation must be kept, otherwise fines could occur, and reports and event logs can help keep track of what is going on with the network [59].

The HIPAA Security Rule

Risk management needs to be done on a regular basis. This can help reduce the organization's risks, and audit controls put in place help to see if there is anything going on in the computer system that should not be. Are users accessing information that they should not? Are there vulnerabilities on the system? Organizations must evaluate their security and document any changes. This can be done internally, through an external company, or both. As shown in the table below, there need to be administrative and technical safeguards. Risk management, evaluation, and audit controls are all required under HIPAA for compliance. Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level [60]. Some questions to ask may be: What are the chances of a vulnerability? How would this affect the company?
As far as audit controls go, there should be something in place to track what is happening on the system. Be able to track both devices and users, and make sure to keep logs for a certain period of time so that if there is a legal issue you can present them as evidence if needed. Make sure to document and re-evaluate, especially when changes in the company have been made.
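The audit-control duties described above (track users and devices, detect access that a role or treatment relationship does not justify, and retain logs that will hold up as evidence) can be exercised on a small scale with the following added example. It is illustration code written for this section, not part of the thesis or of any product it cites; the JSON log format, the role policy, the patient assignments and the log lines themselves are all constructed for the example.

```python
"""Audit-control review of constructed ePHI access events (added example).

Two HIPAA audit-control concerns are exercised on sample data:
  1. tamper evidence: each retained event is hash-chained to the previous
     one, so an edited or deleted entry is detectable at review time;
  2. behaviour review: each event is checked against a role-based policy
     and a treatment/billing relationship, and suspicious after-hours
     mobile access is flagged.
"""
import hashlib
import json
from datetime import datetime

# Constructed audit events (hypothetical format, one JSON object per line).
SAMPLE_LOG = """\
{"ts": "2013-06-01T08:02:11", "user": "dr.rao", "role": "physician", "action": "read", "patient": "P-1001", "device": "ws-icu-03"}
{"ts": "2013-06-01T08:05:40", "user": "nurse.k", "role": "nurse", "action": "modify", "patient": "P-1001", "device": "ws-icu-03"}
{"ts": "2013-06-01T08:09:02", "user": "bill.s", "role": "billing", "action": "read", "patient": "P-1001", "device": "ws-fin-01"}
{"ts": "2013-06-01T08:11:30", "user": "bill.s", "role": "billing", "action": "delete", "patient": "P-1002", "device": "ws-fin-01"}
{"ts": "2013-06-01T23:48:15", "user": "nurse.k", "role": "nurse", "action": "read", "patient": "P-2007", "device": "mobile-17"}
"""

# Hypothetical role-based policy: which PHI actions each role may perform.
POLICY = {
    "physician": {"create", "read", "modify"},
    "nurse": {"read", "modify"},
    "billing": {"read"},  # billing staff may view, never delete
    "admin": {"create", "read", "modify", "delete"},
}

# Hypothetical treatment/billing relationships: patients each user is assigned to.
ASSIGNMENTS = {
    "dr.rao": {"P-1001"},
    "nurse.k": {"P-1001", "P-1002"},
    "bill.s": {"P-1001", "P-1002"},
}

GENESIS = "0" * 64  # chain anchor for the first retained entry


def parse_log(text):
    """Parse the line-delimited JSON audit log into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def chain_entries(events):
    """Link each event to its predecessor with SHA-256.  The last digest is
    what the organization would keep out of band (e.g., on WORM storage)."""
    prev, chained = GENESIS, []
    for ev in events:
        digest = hashlib.sha256((prev + json.dumps(ev, sort_keys=True)).encode()).hexdigest()
        chained.append({"event": ev, "prev": prev, "hash": digest})
        prev = digest
    return chained


def verify_chain(chained):
    """Return the index of the first entry whose link is broken, or -1 if intact."""
    prev = GENESIS
    for i, entry in enumerate(chained):
        expected = hashlib.sha256((prev + json.dumps(entry["event"], sort_keys=True)).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return i
        prev = expected
    return -1


def detect_tampering(events, index, field, value):
    """Chain the events, alter one retained entry after the fact, and report
    where verification fails (-1 would mean the alteration went unnoticed)."""
    altered = json.loads(json.dumps(chain_entries(events)))  # deep copy
    altered[index]["event"][field] = value
    return verify_chain(altered)


def review_access(events):
    """Return (user, patient, reason) findings a HIPAA reviewer would question."""
    findings = []
    for ev in events:
        if ev["action"] not in POLICY.get(ev["role"], set()):
            findings.append((ev["user"], ev["patient"], "action not permitted for role"))
        if ev["patient"] not in ASSIGNMENTS.get(ev["user"], set()):
            findings.append((ev["user"], ev["patient"], "no treatment/billing relationship"))
        hour = datetime.fromisoformat(ev["ts"]).hour
        if ev["device"].startswith("mobile") and (hour >= 22 or hour < 6):
            findings.append((ev["user"], ev["patient"], "after-hours mobile access"))
    return findings


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("chain intact:", verify_chain(chain_entries(events)) == -1)
    print("tampered entry detected at index:", detect_tampering(events, 2, "action", "delete"))
    for finding in review_access(events):
        print("FINDING:", *finding)
```

On the sample data the chain verifies, an edit to the third retained entry is reported at index 2, and the review flags the billing user's delete of P-1002 plus the nurse's after-hours mobile read of an unassigned patient.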

The Security Rule applies to protected patient health information in electronic formats. This is protected patient information either transmitted by electronic media or maintained on electronic media. Covered entities that maintain or transmit protected health information are required by the Security Rule (see 45 C.F.R. ) to:

Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
Ensure compliance with this subpart by its workforce.
Protect against any reasonably anticipated uses or disclosures of such information that are not permitted.
Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

According to the HIPAA regulations, Covered Entities are allowed to use a flexible approach when implementing the above requirements. Specifically, Covered Entities may use any security measures that allow the Covered Entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart. In deciding which security measures to use, a covered entity must take into account the following factors:

The probability and criticality of potential risks to electronic protected health information.
The size, complexity, and capabilities of the covered entity.
The costs of security measures.
The covered entity's technical infrastructure, hardware, and software security capabilities.

With this information in mind, organizations must adhere to the Security Rule's standards and specifications for backing up and safekeeping electronic data. Covered Entities also need to institute a contingency plan to be prepared for an emergency, such as a natural disaster or computer virus attack, that results in a major data loss.
The contingency plan must "establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information" (Administrative Safeguards, (a)(7)(i)). Covered Entities must also have certain physical safeguards, such as facility access controls. They must "implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed" (Physical Safeguards, (a)(1)). The contingency operations should establish and implement procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency ( (a)(2)(i)). In addition, Covered Entities must implement specific technical safeguards ( ) to, among other things:

Encrypt and decrypt electronic protected health information.
Put into place audit controls that record and examine activity in information systems that contain or use electronic protected health information.
Limit access to electronic protected health information.
Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

These regulations are in place to ensure that healthcare organizations properly secure their electronic protected health information. Based on these directives, an organization should evaluate its systems and then implement a secure backup, archiving and recovery solution to comply with HIPAA standards.

Fig 3.3 Objective of HIPAA Audit and Evaluation for Compliance [61]

The HIPAA audit programme started in November 2011. Companies really need to make sure they are HIPAA compliant, as a large number of breaches have been reported. Mobile devices must be protected as well: a Ponemon Institute study found that 81% of healthcare organizations use mobile devices that hold patient data, and that 49% of those organizations have no security in place for them [62]. A Jackson & Coker report, included below, shows the top three groups of mobile device users in healthcare. Companies should put a policy in place requiring a password on mobile devices so that nobody else can access the information on a device that is lost [62]; a password alone does not protect the stored data from someone who removes the storage, so device encryption and remote wipe belong in the same policy.

Health Care Providers
Every health care provider, regardless of size, that electronically transmits health information in connection with certain transactions is a covered entity. These transactions include claims, benefit eligibility inquiries, referral authorization requests, and other transactions for which HHS has established standards under the HIPAA Transactions Rule. Using electronic technology by itself does not make a health care provider a covered entity; the transmission must be in connection with a standard transaction. The Privacy Rule covers a health care provider whether it transmits these transactions electronically itself or uses a billing service or other third party to do so on its behalf. Health care providers include all providers of services (e.g., institutional providers such as hospitals) and providers of medical or health services (e.g., non-institutional providers such as physicians, dentists and other practitioners) as defined by Medicare, and any other person or organization that furnishes, bills, or is paid for health care.

HIPAA Compliance
Some companies provide HIPAA compliant messaging. According to a Business Wire article of May 29, 2012, TigerText is the leading HIPAA compliant messaging product [63]. It allows PHI to be exchanged quickly and securely, can be used on any mobile device an employee may own, and is easy to implement [63]. Some companies use a Business Associate Agreement (BAA) to help them stay in compliance: a contract signed with an outside vendor that states each party's responsibilities for protecting the company's data. According to the data below, not all companies sign this agreement, although under the HIPAA rules a covered entity must have a BAA in place before a vendor creates, receives, maintains or transmits PHI on its behalf, and since the HITECH Act business associates are themselves directly liable for Security Rule compliance. Companies need to do their research when choosing an outside party to host their data, because this is where many of the breaches occur. Although many breaches happen at the outside vendor, they also happen internally, and employee training is very important according to a PricewaterhouseCoopers survey [62]. A company that handles patient data and must be compliant, or that is choosing a hosting company, should make sure the hosting company is HIPAA compliant as well.
Redundancy should be included so that data is accessible at all times, and disaster recovery should also be provided. Ask the hosting company questions such as: Have they been audited, and are they HIPAA compliant? What policies and procedures are in place in case of a breach? Are the HIPAA standards for protecting sensitive health information met, such as the use of specified encryption standards? How are HIPAA requirements and firewalls handled? What servers are used for production? Have all employees been trained in HIPAA compliance? Make sure to have a Business Associate Agreement with them. How do physical and network security play a role in HIPAA? There must be safeguards in place to meet HIPAA compliance, such as physical access controls to workstations and networks, hardware and software installation and removal procedures, protection of data, system backups, and intrusion detection. Workstations should also log off automatically [64].

HIPAA Audits
Audit, through its role as an assurance function, is well positioned to help management and the board identify and consider the key risks of adopting cloud computing technology. Audit can also help the business determine whether those risks are being appropriately mitigated. Internal audit's role and level of effort in supporting and/or assessing cloud computing processes will likely depend on the organization's maturity and experience in this area; every organization is unique, and internal audit departments must adapt accordingly [34].

Auditing is the process of tracing and logging significant events that take place while a system is running. It can be used for analysis, verification and validation of security measures to achieve the overall security objectives of a system. Although the advantages of cloud computing are obvious, the security risks associated with each cloud service model hinder its widespread adoption. In a 2009 survey, cloud security was identified as the top challenge of cloud computing, ahead of availability of services, performance, lack of interoperability standards and others [32].

Fig 3.6 Cloud Audit Architecture

Role of audit
An information system audit should help in planning and organizing; acquisition and implementation; delivery and support; monitoring and evaluation of technology selection; regulatory compliance; selection and performance of third party service providers and suppliers; and contract compliance. Information system audit checks should be used to test confidentiality, data integrity, availability, security, authentication, reliability, and so on. Audit should take on increasing responsibility and add value in key strategic domains such as brand protection, mergers and acquisitions, customer relations, cost reduction and revenue maximization, fraud detection, control and prevention, and data governance and quality, keeping pace with the rapidly changing business environment and the way business is carried out in a cloud service environment. Audit should focus on adding value by supporting strategic initiatives and providing high quality business insights as an integral part of the process, and should also be actively involved in continuous monitoring, evaluation and improvement of the control environment and regulatory compliance.

Fig Audit information is accessible from several different sources

CHAPTER 4 Design and Implementation

4.1. Proposed Work
Cloud providers are not the real owners of the data and are not authorized to delete, view, or edit it. Many systems have been introduced to prove ownership of the data, or to verify that the data has not been tampered with or deleted by proving its integrity. However, those systems rely on third party auditors to store the test data and keys and to do the verification. Using third party auditors may force users to reveal some private data to the auditors so that they can do their job, which violates the privacy and confidentiality requirements of the system. Other systems were designed to preserve data privacy by letting the third party auditor do its job without access to any confidential data. Even then, the system's dependence on a third party auditor, which is assumed to be trusted to store the auditing data and keys and to perform audits as required, is a weakness.

In the corporate world a large number of clients access and modify their data. To manage this data a third party auditor (TPA) is used to check the reliability of the data, but this increases the integrity risk for the data owner, because the TPA can not only read the data but also modify it. A new approach is therefore needed. In this thesis we first examine the problem and then present a new security scheme to solve it. Our algorithm encrypts the content of each file at the user level, so that neither the TPA nor the cloud provider sees the plaintext, and integrity is checked on the encrypted form; the data owner and client can thus assure themselves that their data is intact without exposing it.

Eucalyptus Setup
Eucalyptus is open source software for building and managing private or publicly accessible clouds [13]. It has become very popular and is seen as one of the key open source cloud platforms. Its architecture is simple and flexible. Eucalyptus has five main components:

Cloud Controller (CLC): the front end of the architecture. It interacts with the user, provides virtual machine control, and is the most visible element of the Eucalyptus architecture.

Walrus Storage Controller (WSC): a storage service used to store and access virtual machine images and user data, either from running instances or from anywhere on the web.

Cluster Controller (CC): manages one or more node controllers and deploys instances on them. It also manages the networking for the instances running on the nodes. It operates between the cloud controller and the node controllers: it receives requests to allocate machine images from the cloud controller and decides which node controller will run the instance, based on the status reports it receives from each node controller.

Node Controller (NC): the back end of the infrastructure, which starts and terminates virtual machine instances on the host. The NC interacts with the operating system and the hypervisor running on the node, as instructed by the cluster controller.

Storage Controller (SC): the fifth component, which provides persistent block storage volumes to instances; its logs are listed together with those of the CLC and Walrus in Section 4.3.

Fig 4.1 Eucalyptus Architecture

Accessing the Eucalyptus Admin Account
The Eucalyptus Administrator Console is a web-based interface that allows you to manage your system, identities, and resources. To sign in to the Eucalyptus Administrator Console:
1. Open a browser window and go to the console URL. Your browser displays a warning.
2. Accept the self-signed SSL certificate and continue. Before accepting, compare the certificate fingerprint the browser shows with the one on the cloud controller itself; accepting an unverified certificate lets anyone on the network path impersonate the console and capture the administrator password. The Eucalyptus sign-in page displays.
3. Enter your account name in the Account field. For the system administrator the account name is eucalyptus.
4. Enter your user name in the User field.
5. Enter your password in the Password field.
6. Click the Sign in button. The Eucalyptus Administrator Console Start Guide page displays.
You can now use the Eucalyptus Administrator Console to manage your system, identities, and resources.

Fig Confirm security exception

Fig Sign in eucalyptus cloud
Fig First time login

Fig Admin Console
Fig Confirmation

Eucalyptus User Console
The Eucalyptus User Console is a web-based interface that allows users to manage their own identities and resources. To sign in to the Eucalyptus User Console:
1. Open a browser window and go to the user console URL.

Fig User Console

4.3. Log Forensics
Usually, when an issue arises in Eucalyptus, information pointing to the nature of the problem can be found either in the Eucalyptus log files or in the system log files. By default, the Eucalyptus log files are stored in /var/log/eucalyptus/ on each machine that hosts a Eucalyptus component. If Eucalyptus is installed somewhere other than the file system root (/), the log files are stored in $EUCALYPTUS/var/log/eucalyptus/. The relevant logs for each component are:

A. Cloud controller (CLC), Walrus, Storage controller (SC): cloud-output.log, euca_imager.log. These components also write specialized developer log files, which are not relevant to troubleshooting a production system and are not affected by any log level settings: cloud-debug.log, cloud-error.log, cloud-exhaust.log, cloud-extreme.log.

B. Cluster controller (CC): cc.log, axis2c.log, httpd-cc_error_log.

C. Node controller (NC): nc.log, axis2c.log, httpd-nc_error_log, euca_test_nc.log.

D. System logs: helpful information about the nature of an issue may also be found in the system logs, in particular /var/log/messages, /var/log/libvirt/ and /var/log/xen/.

All of these are ordinary files on the host they describe, so anyone who compromises that host (or its root account) can edit or truncate them. For HIPAA audit controls they should also be forwarded to a separate collector that the component hosts cannot write back to, and reviewed there.

Fault Logs
Eucalyptus includes fault logs for easy identification of conditions outside Eucalyptus's control that may cause it to fail. These messages are logged per component, and each fault is logged only once per component, in /var/log/eucalyptus/[component]-fault.log. The messages include a suggested resolution and can be customized. Where translations exist, Eucalyptus uses the system-configured LOCALE variable to serve the appropriate messages. Fault messages are based on XML-formatted templates, stored in a per-locale directory structure, with one file per fault message and one file storing common strings. Default templates are shipped with Eucalyptus and stored in /usr/share/eucalyptus/faults/ as follows:
/usr/share/eucalyptus/faults/en_us/0001.xml
/usr/share/eucalyptus/faults/en_us/1234.xml
/usr/share/eucalyptus/faults/en_us/common.xml

Log Format
Eucalyptus logs have a standard format, which varies slightly per log level.
For log levels FATAL, ERROR, WARN and INFO:
YYYY-MM-DD HH:MM:SS LEVEL message
For log levels DEBUG and TRACE:
YYYY-MM-DD HH:MM:SS LEVEL PROCESS:THREAD loggingmethodorclass message
For log levels EXTREME and ALL:
YYYY-MM-DD HH:MM:SS LEVEL PROCESS:THREAD loggingmethodorclass FILENAME:LineNumber message

A test fault is logged in the fault log of the component that raised it (for example, /var/log/eucalyptus/broker-fault.log). Eucalyptus uses customized messages where they are available, preferring a non-localized custom message over a localized default message. Localized messages should be placed in a per-locale directory under /etc/eucalyptus/faults/, with a directory name that matches the system LOCALE. If no LOCALE is set, Eucalyptus defaults to en_US.

Eucalyptus configuration and log files
/etc/eucalyptus/eucalyptus.conf - main Eucalyptus config file
/etc/eucalyptus/cloud.d/*
/etc/eucalyptus/eucalyptus-version - records which version of Eucalyptus is installed
/etc/eucalyptus/httpd.conf - Axis2c httpd config
/var/log/eucalyptus/cloud-output.log - cloud output information
/var/log/eucalyptus/cloud-debug.log - verbose version of cloud-output.log
/var/log/eucalyptus/cloud-error.log - error information from cloud-output.log
/var/log/eucalyptus/nc.log - NC specific log
/var/log/eucalyptus/cc.log - CC specific log
/var/log/eucalyptus/* - all logs

Fig Eucalyptus Boot Log
Fig CC Logs
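As an added example, not code from the thesis or from the Eucalyptus project, the following Go program parses lines in the three formats documented above and triages them the way a log review for HIPAA audit controls would: it keeps entries at or above a chosen level and separately reports lines that do not fit the documented format, since a truncated or hand-edited log is itself a finding. It assumes that the fields after the level are whitespace separated with the free-text message last; the sample lines are constructed for the example, not taken from a real installation.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// LogEntry is one Eucalyptus log line split into the fields the documented
// format provides for its log level.
type LogEntry struct {
	Timestamp string // YYYY-MM-DD HH:MM:SS
	Level     string
	Process   string // PROCESS:THREAD, DEBUG and more verbose levels only
	Source    string // logging method or class, DEBUG and more verbose only
	Location  string // FILENAME:LineNumber, EXTREME and ALL only
	Message   string
}

// severity orders levels from most verbose (ALL) to most severe (FATAL).
var severity = map[string]int{
	"ALL": 0, "EXTREME": 1, "TRACE": 2, "DEBUG": 3,
	"INFO": 4, "WARN": 5, "ERROR": 6, "FATAL": 7,
}

// headRe matches the common prefix (timestamp and level) and captures the
// level-specific remainder.
var headRe = regexp.MustCompile(
	`^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(FATAL|ERROR|WARN|INFO|DEBUG|TRACE|EXTREME|ALL)\s+(.*)$`)

// Remainders for the verbose levels. The example assumes the fields are
// whitespace separated, with the free-text message last.
var (
	debugRe   = regexp.MustCompile(`^(\S+)\s+(\S+)\s+(.*)$`)
	extremeRe = regexp.MustCompile(`^(\S+)\s+(\S+)\s+(\S+)\s+(.*)$`)
)

// ParseLine parses one line. ok is false for lines that do not follow the
// documented format: stack-trace continuations, truncated writes, or edits.
func ParseLine(line string) (e LogEntry, ok bool) {
	m := headRe.FindStringSubmatch(strings.TrimRight(line, "\r\n"))
	if m == nil {
		return LogEntry{}, false
	}
	e = LogEntry{Timestamp: m[1], Level: m[2]}
	rest := m[3]
	switch e.Level {
	case "FATAL", "ERROR", "WARN", "INFO":
		e.Message = rest
	case "DEBUG", "TRACE":
		f := debugRe.FindStringSubmatch(rest)
		if f == nil {
			return LogEntry{}, false
		}
		e.Process, e.Source, e.Message = f[1], f[2], f[3]
	default: // EXTREME, ALL
		f := extremeRe.FindStringSubmatch(rest)
		if f == nil {
			return LogEntry{}, false
		}
		e.Process, e.Source, e.Location, e.Message = f[1], f[2], f[3], f[4]
	}
	return e, true
}

// Triage returns the entries at or above minLevel and, separately, every line
// that could not be parsed; a reviewer wants to see both.
func Triage(lines []string, minLevel string) (hits []LogEntry, unparsed []string) {
	threshold := severity[minLevel]
	for _, l := range lines {
		e, ok := ParseLine(l)
		switch {
		case !ok:
			unparsed = append(unparsed, l)
		case severity[e.Level] >= threshold:
			hits = append(hits, e)
		}
	}
	return hits, unparsed
}

// SampleLines are constructed for this example in the documented formats; they
// are not taken from a real Eucalyptus installation.
var SampleLines = []string{
	"2013-06-20 10:15:02 INFO Eucalyptus cloud controller started",
	"2013-06-20 10:15:05 DEBUG eucalyptus-cloud:main com.eucalyptus.bootstrap.Bootstrap loading stage",
	"2013-06-20 10:16:41 ERROR failed to authenticate user admin from 10.0.0.7",
	"2013-06-20 10:17:00 EXTREME eucalyptus-cc:worker-3 cc.handleRequest cc.c:412 request payload dumped",
	"        at com.eucalyptus.bootstrap.Bootstrap.run(Bootstrap.java:118)",
}

func main() {
	hits, unparsed := Triage(SampleLines, "WARN")
	for _, e := range hits {
		fmt.Printf("%s %-5s %s\n", e.Timestamp, e.Level, e.Message)
	}
	fmt.Printf("%d line(s) did not match the documented format\n", len(unparsed))
}
```

To run it over a real file, read /var/log/eucalyptus/cloud-output.log (or cc.log, nc.log) line by line into the slice passed to Triage. Lines that fail to parse are reported rather than dropped on purpose: a Java stack trace continuation is harmless, but a run of unparsable lines in the middle of a file is what a truncated or edited log looks like.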

Fig Audit Logs

4.5. Third party auditor model for HIPAA data security
The figure below presents a model with three parties: the client (data owner), the third party auditor (TPA) and the cloud service provider (CSP). The client asks the CSP for service; the CSP authenticates the client and provides it with a virtual machine as infrastructure as a service (IaaS). In this model the client uses the RSA algorithm inside the virtual machine to encrypt and decrypt its files. After performing its file operations, the client sends the encrypted files to the TPA and the CSP. The TPA and the CSP keep the data safe and provide full integrity, but this does not mean the TPA can be trusted unconditionally: it could pass the data owner's files to an unauthorized user. Removing the TPA would not solve the problem, because the CSP could likewise pass the data to an unauthorized party. Cryptography is therefore required at the user level, and the TPA keeps only the encrypted data, as tamper-evident proof. Hence, to fully ensure data security, we propose publicly auditable cloud storage, where data owners can resort to an external third party auditor (TPA) to verify the outsourced data when needed. Third party auditing provides a transparent method for establishing trust between the cloud server and
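As an added example, and not the thesis's own implementation, the Go program below realises the model just described with standard-library cryptography: the owner (client) encrypts each file block with RSA-OAEP on its own side, signs the ciphertext block with a second RSA key, and stores only ciphertext and signatures at the CSP; the TPA holds only the signing public key, so it can challenge blocks and verify integrity without ever seeing plaintext, and it cannot forge a tag for a block it has altered. The block size, the two-key split, the SHA-256 tag over (position, ciphertext) and the sample record are assumptions of the example that the thesis does not fix; a production system would encrypt the file with a symmetric cipher and wrap that key with RSA rather than RSA-encrypt every block.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// blockSize is the number of plaintext bytes per audited block; RSA-OAEP with
// a 2048-bit key and SHA-256 carries at most 190 bytes, so 32 is safe.
const blockSize = 32

// StoredBlock is all the CSP and the TPA ever see: one block's ciphertext and
// the owner's signature over (block position, ciphertext).
type StoredBlock struct {
	Cipher []byte
	Sig    []byte
}

// Owner is the data owner: one RSA key to decrypt files, a separate one to sign tags.
type Owner struct {
	encKey  *rsa.PrivateKey
	signKey *rsa.PrivateKey
}

func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func NewOwner() *Owner { return &Owner{encKey: mustKey(), signKey: mustKey()} }

// AuditKey is the only key material the owner hands to the TPA.
func (o *Owner) AuditKey() *rsa.PublicKey { return &o.signKey.PublicKey }

// tagDigest binds the block position into the signed digest, so the CSP cannot
// answer a challenge for block i with some other block that is still intact.
func tagDigest(index uint32, ct []byte) []byte {
	var idx [4]byte
	binary.BigEndian.PutUint32(idx[:], index)
	h := sha256.New()
	h.Write(idx[:])
	h.Write(ct)
	return h.Sum(nil)
}

// Outsource encrypts the file block by block on the client and signs each
// ciphertext block. Plaintext never reaches the CSP or the TPA.
func (o *Owner) Outsource(plaintext []byte) ([]StoredBlock, error) {
	var out []StoredBlock
	for i := 0; i*blockSize < len(plaintext); i++ {
		end := (i + 1) * blockSize
		if end > len(plaintext) {
			end = len(plaintext)
		}
		ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &o.encKey.PublicKey, plaintext[i*blockSize:end], nil)
		if err != nil {
			return nil, err
		}
		sig, err := rsa.SignPSS(rand.Reader, o.signKey, crypto.SHA256, tagDigest(uint32(i), ct), nil)
		if err != nil {
			return nil, err
		}
		out = append(out, StoredBlock{Cipher: ct, Sig: sig})
	}
	return out, nil
}

// Audit is the TPA's job: with only the audit public key it challenges the CSP
// for block positions and verifies each returned ciphertext block; it cannot forge tags.
func Audit(pub *rsa.PublicKey, csp []StoredBlock, challenge []uint32) error {
	for _, i := range challenge {
		if int(i) >= len(csp) {
			return fmt.Errorf("block %d: missing", i)
		}
		if err := rsa.VerifyPSS(pub, crypto.SHA256, tagDigest(i, csp[i].Cipher), csp[i].Sig, nil); err != nil {
			return fmt.Errorf("block %d: integrity proof failed", i)
		}
	}
	return nil
}

func main() {
	owner := NewOwner()
	// Constructed sample record for this example; not real patient data.
	record := []byte("MRN 000123; DOB 1970-01-01; Dx: hypertension; Rx: lisinopril 10mg")
	stored, err := owner.Outsource(record)
	if err != nil {
		panic(err)
	}
	fmt.Println("honest CSP:  ", Audit(owner.AuditKey(), stored, []uint32{0, 1, 2}))
	stored[1].Cipher[0] ^= 0x01 // the CSP (or the TPA) alters one ciphertext byte
	fmt.Println("tampered CSP:", Audit(owner.AuditKey(), stored, []uint32{0, 1, 2}))
}
```

Run it with go run: the honest audit reports no error and the tampered one names the failed block. Because the position is bound into the tag, the CSP cannot satisfy a challenge for a lost block by returning another block it still holds, and because the TPA never receives the signing private key, a TPA that modifies a block cannot re-sign it either; this is what lets the owner outsource verification without extending trust to the auditor.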


More information

Remote Access to a Healthcare Facility and the IT professional s obligations under HIPAA and the HITECH Act

Remote Access to a Healthcare Facility and the IT professional s obligations under HIPAA and the HITECH Act Remote Access to a Healthcare Facility and the IT professional s obligations under HIPAA and the HITECH Act Are your authentication, access, and audit paradigms up to date? Table of Contents Synopsis...1

More information

SOLUTION BRIEF SEPTEMBER 2014. Healthcare Security Solutions: Protecting your Organization, Patients, and Information

SOLUTION BRIEF SEPTEMBER 2014. Healthcare Security Solutions: Protecting your Organization, Patients, and Information SOLUTION BRIEF SEPTEMBER 2014 Healthcare Security Solutions: Protecting your Organization, Patients, and Information SOLUTION BRIEF CA DATABASE MANAGEMENT FOR DB2 FOR z/os DRAFT 94% of healthcare organizations

More information

Compliance, Incentives and Penalties: Hot Topics in US Health IT

Compliance, Incentives and Penalties: Hot Topics in US Health IT Compliance, Incentives and Penalties: Hot Topics in US Health IT Table of Contents Introduction... 1 The Requirements... 1 PCI HIPAA ARRA Carrot and Stick How does third party assurance fit into the overall

More information

The Role of Password Management in Achieving Compliance

The Role of Password Management in Achieving Compliance White Paper The Role of Password Management in Achieving Compliance PortalGuard PO Box 1226 Amherst, NH 03031 USA Phone: 603.547.1200 Fax: 617.674.2727 E-mail: sales@portalguard.com Website: www.portalguard.com

More information

Whitepaper: 7 Steps to Developing a Cloud Security Plan

Whitepaper: 7 Steps to Developing a Cloud Security Plan Whitepaper: 7 Steps to Developing a Cloud Security Plan Executive Summary: 7 Steps to Developing a Cloud Security Plan Designing and implementing an enterprise security plan can be a daunting task for

More information

Cyber Security Symposium 2015 September 29,2015

Cyber Security Symposium 2015 September 29,2015 Cyber Security Symposium 2015 September 29,2015 Introducing David Langston Branch Manager Security Management Department of Technology 2 About CalCloud Mission Offer cost-effective cloud solutions that

More information

An Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

An Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance An Oracle White Paper December 2010 Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance Executive Overview... 1 Health Information Portability and Accountability Act Security

More information

The HIPAA Audit Program

The HIPAA Audit Program The HIPAA Audit Program Anna C. Watterson Davis Wright Tremaine LLP The U.S. Department of Health and Human Services (HHS) was given authority, and a mandate, to conduct periodic audits of HIPAA 1 compliance

More information

Five Ways to Improve Electronic Patient Record Handling for HIPAA/HITECH with Managed File Transfer

Five Ways to Improve Electronic Patient Record Handling for HIPAA/HITECH with Managed File Transfer Five Ways to Improve Electronic Patient Record Handling for HIPAA/HITECH with Managed File Transfer 1 A White Paper by Linoma Software INTRODUCTION The healthcare industry is under increasing pressure

More information

HIPAA COMPLIANCE AND

HIPAA COMPLIANCE AND INTRONIS CLOUD BACKUP & RECOVERY HIPAA COMPLIANCE AND DATA PROTECTION CONTENTS Introduction 3 The HIPAA Security Rule 4 The HIPAA Omnibus Rule 6 HIPAA Compliance and Intronis Cloud Backup and Recovery

More information

Healthcare Insurance Portability & Accountability Act (HIPAA)

Healthcare Insurance Portability & Accountability Act (HIPAA) O C T O B E R 2 0 1 3 Healthcare Insurance Portability & Accountability Act (HIPAA) Secure Messaging White Paper This white paper briefly details how HIPAA affects email security for healthcare organizations,

More information

Endpoint Virtualization for Healthcare Providers

Endpoint Virtualization for Healthcare Providers WHITE PAPER: xxxxxx BEST PRACTICES [00-Cover_Bar] FOR HEALTHCARE Endpoint Virtualization for Healthcare Providers Confidence in a connected world. White Paper: Best Practices for Healthcare Endpoint Virtualization

More information

Managing Privileged Identities in the Cloud. How Privileged Identity Management Evolved to a Service Platform

Managing Privileged Identities in the Cloud. How Privileged Identity Management Evolved to a Service Platform Managing Privileged Identities in the Cloud How Privileged Identity Management Evolved to a Service Platform Managing Privileged Identities in the Cloud Contents Overview...3 Management Issues...3 Real-World

More information

Privacy for Healthcare Data in the Cloud - Challenges and Best Practices

Privacy for Healthcare Data in the Cloud - Challenges and Best Practices Privacy for Healthcare Data in the Cloud - Challenges and Best Practices Dr. Sarbari Gupta sarbari@electrosoft-inc.com 703-437-9451 ext 12 Cloud Standards Customer Council (CSCC) Cloud Privacy Summit Electrosoft

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) between Inphonite, LLC ( Business Associate and you, as our Customer ( Covered Entity ) (each individually, a Party, and collectively,

More information

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work Security concerns and dangers come both from internal means as well as external. In order to enhance your security posture

More information

Bridging the HIPAA/HITECH Compliance Gap

Bridging the HIPAA/HITECH Compliance Gap CyberSheath Healthcare Compliance Paper www.cybersheath.com -65 Bridging the HIPAA/HITECH Compliance Gap Security insights that help covered entities and business associates achieve compliance According

More information

Cloud Computing: Contracting and Compliance Issues for In-House Counsel

Cloud Computing: Contracting and Compliance Issues for In-House Counsel International In-house Counsel Journal Vol. 6, No. 23, Spring 2013, 1 Cloud Computing: Contracting and Compliance Issues for In-House Counsel SHAHAB AHMED Director Legal and Corporate Affairs, Microsoft,

More information

Using Data Encryption to Achieve HIPAA Safe Harbor in the Cloud

Using Data Encryption to Achieve HIPAA Safe Harbor in the Cloud Using Data Encryption to Achieve HIPAA Safe Harbor in the Cloud 1 Contents The Obligation to Protect Patient Data in the Cloud................................................... Complying with the HIPAA

More information

The cloud - ULTIMATE GAME CHANGER ===========================================

The cloud - ULTIMATE GAME CHANGER =========================================== The cloud - ULTIMATE GAME CHANGER =========================================== When it comes to emerging technologies, there is one word that has drawn more controversy than others: The Cloud. With cloud

More information

Compliance and Industry Regulations

Compliance and Industry Regulations Compliance and Industry Regulations Table of Contents Introduction...1 Executive Summary...1 General Federal Regulations and Oversight Agencies...1 Agency or Industry Specific Regulations...2 Hierarchy

More information

Sarbanes-Oxley Act. Solution Brief. Sarbanes-Oxley Act. Publication Date: March 17, 2015. EventTracker 8815 Centre Park Drive, Columbia MD 21045

Sarbanes-Oxley Act. Solution Brief. Sarbanes-Oxley Act. Publication Date: March 17, 2015. EventTracker 8815 Centre Park Drive, Columbia MD 21045 Publication Date: March 17, 2015 Solution Brief EventTracker 8815 Centre Park Drive, Columbia MD 21045 About EventTracker EventTracker delivers business critical software and services that transform high-volume

More information

Security Information Lifecycle

Security Information Lifecycle Security Information Lifecycle By Eric Ogren Security Analyst, April 2006 Copyright 2006. The, Inc. All Rights Reserved. Table of Contents Executive Summary...2 Figure 1... 2 The Compliance Climate...4

More information

Security Considerations for Public Mobile Cloud Computing

Security Considerations for Public Mobile Cloud Computing Security Considerations for Public Mobile Cloud Computing Ronnie D. Caytiles 1 and Sunguk Lee 2* 1 Society of Science and Engineering Research Support, Korea rdcaytiles@gmail.com 2 Research Institute of

More information

Protecting Patient Data in the Cloud With DLP An Executive Whitepaper

Protecting Patient Data in the Cloud With DLP An Executive Whitepaper Protecting Patient Data in the Cloud With DLP An Executive Whitepaper. Overview Healthcare and associated medical record handling organizations have, for many years, been utilizing DLP, Data Loss Prevention

More information

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics HIPAA SERIES Topics 1. 101 for Covered Entities 2. Standards - Administrative Safeguards 3. Standards - Physical Safeguards 4. Standards - Technical Safeguards 5. Standards - Organizational, Policies &

More information

IBM Internet Security Systems. The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview

IBM Internet Security Systems. The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview IBM Internet Security Systems The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview Health Insurance Portability and Accountability Act

More information

HIPAA and HITRUST - FAQ

HIPAA and HITRUST - FAQ A COALFIRE WHITE PAPER HIPAA and HITRUST - FAQ by Andrew Hicks, MBA, CISA, CCM, CRISC, HITRUST CSF Practitioner Director, Healthcare Practice Lead Coalfire February 2013 Introduction Organizations are

More information

DATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH

DATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH DATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH Andy Watson Grant Thornton LLP. All rights reserved. CYBERSECURITY 2 SURVEY OF CHIEF AUDIT EXECUTIVES (CAEs) GRANT THORNTON'S 2014 CAE SURVEY Data privacy and

More information

Ensuring HIPAA Compliance with eztechdirect Online Backup and Archiving Services

Ensuring HIPAA Compliance with eztechdirect Online Backup and Archiving Services Ensuring HIPAA Compliance with eztechdirect Online Backup and Archiving Services Introduction Patient privacy continues to be a chief topic of concern as technology continues to evolve. Now that the majority

More information

A Secure Strategy using Weighted Active Monitoring Load Balancing Algorithm for Maintaining Privacy in Multi-Cloud Environments

A Secure Strategy using Weighted Active Monitoring Load Balancing Algorithm for Maintaining Privacy in Multi-Cloud Environments IJSTE - International Journal of Science Technology & Engineering Volume 1 Issue 10 April 2015 ISSN (online): 2349-784X A Secure Strategy using Weighted Active Monitoring Load Balancing Algorithm for Maintaining

More information

FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES

FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES The implications for privacy and security in the emergence of HIEs The emergence of health information exchanges (HIE) is widely

More information

Design of Database Security Policy In Enterprise Systems

Design of Database Security Policy In Enterprise Systems Design of Database Security Policy In Enterprise Systems by Krishna R Singitam Database Architect Page 1 of 10 Table of Contents 1. Abstract... 3 2. Introduction... 3 2.1. Understanding the Necessity of

More information

2/9/2012. 2012 HIPAA Privacy and Security Audit Readiness. Table of contents

2/9/2012. 2012 HIPAA Privacy and Security Audit Readiness. Table of contents 2012 HIPAA Privacy and Security Audit Readiness Mark M. Johnson National HIPAA Services Director Table of contents Page Background 2 Regulatory Background and HITECH Impacts 3 Office of Civil Rights (OCR)

More information

HIPAA compliance audit: Lessons learned apply to dental practices

HIPAA compliance audit: Lessons learned apply to dental practices HIPAA compliance audit: Lessons learned apply to dental practices Executive summary In 2013, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 Omnibus Rule put healthcare providers

More information

COMPLIANCE ALERT 10-12

COMPLIANCE ALERT 10-12 HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment

More information

ARKANSAS OFFICE OF HEALTH INFORMATION TECHNOLOGY (OHIT) PRIVACY POLICIES

ARKANSAS OFFICE OF HEALTH INFORMATION TECHNOLOGY (OHIT) PRIVACY POLICIES ARKANSAS OFFICE OF HEALTH INFORMATION TECHNOLOGY (OHIT) PRIVACY POLICIES OHIT wishes to express its gratitude to Connecting for Health and the Markel Foundation for their work in developing the Common

More information

SECURITY RISK ASSESSMENT SUMMARY

SECURITY RISK ASSESSMENT SUMMARY Providers Business Name: Providers Business Address: City, State, Zip Acronyms NIST FIPS PHI EPHI BA CE EHR HHS IS National Institute of Standards and Technology Federal Information Process Standards Protected

More information

HIPAA Privacy & Security White Paper

HIPAA Privacy & Security White Paper HIPAA Privacy & Security White Paper Sabrina Patel, JD +1.718.683.6577 sabrina@captureproof.com Compliance TABLE OF CONTENTS Overview 2 Security Frameworks & Standards 3 Key Security & Privacy Elements

More information

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry Information Protection Framework: Data Security Compliance and Today s Healthcare Industry Executive Summary Today s Healthcare industry is facing complex privacy and data security requirements. The movement

More information

IT Cloud / Data Security Vendor Risk Management Associated with Data Security. September 9, 2014

IT Cloud / Data Security Vendor Risk Management Associated with Data Security. September 9, 2014 IT Cloud / Data Security Vendor Risk Management Associated with Data Security September 9, 2014 Speakers Brian Thomas, CISA, CISSP In charge of Weaver s IT Advisory Services, broad focus on IT risk, security

More information

Nine Network Considerations in the New HIPAA Landscape

Nine Network Considerations in the New HIPAA Landscape Guide Nine Network Considerations in the New HIPAA Landscape The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Omnibus Final Rule, released January 2013, introduced some significant

More information

HIPAA Security COMPLIANCE Checklist For Employers

HIPAA Security COMPLIANCE Checklist For Employers Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major

More information

HOW TO REALLY IMPLEMENT HIPAA. Presented by: Melissa Skaggs Provider Resources Group

HOW TO REALLY IMPLEMENT HIPAA. Presented by: Melissa Skaggs Provider Resources Group HOW TO REALLY IMPLEMENT HIPAA Presented by: Melissa Skaggs Provider Resources Group WHAT IS HIPAA The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub.L. 104 191, 110 Stat. 1936,

More information