Information Auditing and Governance of Cloud Computing IT Capstone Spring 2013 Sona Aryal Laura Webb Cameron University.

Transcription

1 Information Auditing and Governance of Cloud Computing IT Capstone Spring 2013 Sona Aryal Laura Webb Cameron University P a g e 1

2 P a g e 2 Table of Contents Abstract... 3 Introduction... 3 Previous Work... 3 Definition... 4 Cloud Computing... 4 Private clouds... 4 Public cloud... 4 Community cloud... 4 Hybrid cloud... 5 IT Auditing... 5 Technological Innovation Process Audit... 5 Innovative Comparison Audit... 5 Technological Position Audit... 6 Cloud Based IT Audit Process... 6 Traditional Auditing vs. Cloud Auditing... 6 Risk Management and Risk Assessment... 7 Cloud-Based IT Standards and Governance... 7 Current and Future Guidance... 7 Cloud Security Alliance (CSA )... 8 Information Systems Audit and Control Association (ISACA)... 8 Implementing and Maintaining Governance Methodology... 9 Conclusion & Future Work... 9 Works Cited... 10

3 P a g e 3 Information Auditing and Governance of Cloud Computing Sona Aryal and Laura Webb Abstract - Cloud computing is the most recent attempt in delivering computing resources as a service instead of it being just a product to purchase. There is no escaping from the constant discussion on the future of cloud computing and how it is going to impact businesses finances and resources. In this paper, we will discuss the importance of performing standard audit of cloud computing. This paper will include an in-depth analysis of what cloud computing and IT auditing is and the issues surrounding the auditing technology. We will explore various types, steps and standards involved in information auditing in the cloud. Introduction Cloud computing is receiving a great deal of attention, not only in publications and among experts in the field but also with the users - from individuals at home to the U.S. government [1]. Most among us have either communicated, collaborated or used a service (i.e., tax preparation, online gaming, video sharing, or ) in the cloud or at least have some familiarity on what it is and how it works. Technology evolves at an ever changing pace, and cloud computing has come a long way since it was first introduced in the early 1990 s. A substantial number of businesses have transformed their organizations and adopted the cloud s technology. With this new business model are also skepticism regarding the security, privacy, performance, availability, and liability [2]. Introducing the cloud in today s businesses opens up a door to a whole new level of technological developments benefiting both businesses and its consumers. With the growing number of mobile and remote workers, instant access almost anywhere is necessary. This realization has led the businesses to slowly treat the cloud like any other traditional technological assets of the organization. This is where information technology auditing in cloud plays a vital role. Unlike other information resources used in any organization, cloud computing can be complicated to understand. This unfamiliarity with new, yet powerful technological assets can make the process of auditing chaotic. Therefore, focusing on how businesses perform IT auditing while in the cloud and what governmental standards are utilized becomes crucial. Being able to compare traditional IT auditing with cloud auditing and understanding the similarities and differences each withhold not only help businesses maintain a standard audit trail but also makes their business secured. There has been various guidelines and standards introduced to address the security issues arising from the cloud. Experts in the field have researched on what effective strategies should be implemented to create and propose proper standards and laws. Previous Work There has been a number of work and research done regarding topics closely related to cloud, its security and future of the cloud. All of these findings have been extremely helpful in gaining a broader understanding of this new topic.

4 P a g e 4 We examined many articles of those who have researched various mechanisms in cloud audit. Most have developed specific types of protocols that focus on different areas of the cloud (i.e., cloud server, user, provider, etc). Chen and Yoon proposed an auditing methodology by implementing checklists based on the deployment and service models [3]. In their studies, they suggest that by using this process, precautions and measures would be put into effect therefore minimizing compliance concerns. However, they only designed checklists for IaaS and Saas and not PaaS. Wang and Sherman proposed a privacy preserving auditing protocol by using a random masked technique [4]. This allowed numerous auditing tasks to be performed by a third party auditor without compromising the data content. However, this applies only to the auditor and the data, not authentication between the cloud server, cloud service provider, and the user with the auditor. Haeberlen proposed a tamper evident logging technique which required the use of virtual machines to record all the events that take place [5]. This allows for the cloud to be accountable to the user and provider, but does not define how the data is stored securely. While these are only a few proposals made by others researching this field, the overall consensus are that a set of detailed protocols must be established to protect the cloud from beginning user to end user prior to cloud deployment of any model. Definition The definition of cloud computing as stated by the National Institute of Standards and Technology (NIST) is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction [6]. Cloud Computing There are four types of deployment models represented in cloud computing. These are Private, Public, Community, and Hybrid. Selection of which one to be deployed depends upon the needs of an organization. Each model has own benefits and disadvantages that need to be considered. Private clouds are designed for businesses which require the highest level of security for their sensitive data (i.e., banking institutions, law firms, healthcare facilities, etc). The data center is typically on location where all processes and operations are managed internally. However, third parties can provide the same services off-site. Private clouds are used entirely by the organization and have more control over policy implementation [13]. Public cloud is more suited for the smaller businesses and those just starting up with little physical infrastructure. It is available to the general public for a small fee and serves a more common purpose such as and storage services. These are mainly controlled by major corporations like Amazon, Microsoft or Google [11]. Community cloud is often called the vertical cloud and has likeness with that of the private cloud. It is often associated with agencies within the government. It serves multiple organizations who share a similar purpose [12].

5 P a g e 5 Hybrid cloud consists of an integration of the other clouds that remain exclusive but are linked by technology that facilitates data and application portability [6]. Figure 1 shows the four cloud computing deployment models and illustrates the differences in their design. Figure 1. (Source: Cloud Computing Deployment Models illustrating the differences in their properties. IT Auditing An information technology audit is a method of analyzing an organization s technological capacity, its needs and management process. The major aim of an IT audit is to evaluate the capacity of an organization s technological assets, its reliability, efficiency, and level of compliance. It is not necessarily a solution for any problems within the organization but is the first step in recognizing the problem. Furthermore, successful completion of an auditing process leads the auditing team to create a report with a defined action plan. This report is then presented to management making it easy to analyze the technological needs and improvement of an organization. According to Goodman & Lawless there are three main analytic frameworks characterizing the basic approach of carrying out the IT audit [9]. Technological Innovation Process Audit: This auditing technique analyzes the level of risk involved in ongoing projects and future projects of an organization. It studies the ratio of a company s success and risk involved. It provides an internal look at the company s experience in choosing the technology required for projects/product of the organization. Innovative Comparison Audit: This audit creates a comparison between an organization and its competitor or an established benchmark. It analyzes the organization s technological asset/technique with that of its competitors. The comparison involves examining the company s facilities, its policies and its success rate.

6 P a g e 6 Technological Position Audit: This audit reviews the technologies that the organization currently uses and any future plan of purchases. IT analyzes the needs of current and future technology required by the organization in order to function in the most effective yet economic way. Here, an auditor creates a report stating the urgency/ importance of the technology used within the organization. Cloud Based IT Audit Process With more businesses and customers deploying in the cloud, uncertainty of the standards to follow are blurred. Therefore, the process of IT auditing has become a significant issue. At the 8th Annual KPMG conference in 2012, IT Risk and Emerging Technologies was ranked as the 2nd highest concern [9]. Traditional Auditing vs. Cloud Auditing There are many differences in how auditing is conducted traditionally versus auditing in a web based atmosphere. In a traditional setting, an auditor would make detailed examinations of the internal business processes, generate reports, assess the company s current and future risks and develop a plan for improvement. For the cloud, the audit procedure is more in depth as compliance must exist with both the service provider and the organization. The reason is that the cloud service providers have control over the organization s data so the integrity of the data must remain intact and confidential [2]. Cloud auditing includes identifying the risks and new requirements for securing data in the cloud, aligning the system with the company s policies, determining the weaknesses and vulnerabilities, evaluating the controls and implementing a risk assessment plan [13]. Figure 2 illustrates the complex cloud IT auditing process cycle. Figure 2. (Source An illustration of the complex IT Auditing Process in the cloud.

7 P a g e 7 Risk Management and Risk Assessment With the dawn of computerization, the threat of data loss/compromise has always been the most alarming problem. The technological innovation has both helped solve this issue and create a different one every day. However, cloud computing is no exception to this condition. With the uncertainty of where exactly our data is stored and utilized, the risk involved is multiplied. It becomes very important to have a clear understanding of division of liabilities and responsibilities between vendor (provider like amazon, dropbox, and all other cloud based store) and client (home user to high profile companies).study of contract between these two parties should be carefully read and understood.. The process of IT auditing not only helps identify this risk but also guides the authority involved in acknowledging it. Having this understanding helps companies draw proper data recovery process in case of disaster/disruption of data in cloud. Cloud-Based IT Standards and Governance Due to the overwhelming presence the cloud has created, there are three groups who have been working together to build standards and allow interoperability. These are The Cloud Computing Interoperability Forum, The Open Cloud Consortium, and the DMTF Open Clouds Standards Incubator. For the cloud to be open universal protocols must be set in place and utilized by all [12]. Companies are required to follow guidelines ensuring information security. The Sarbanes Oxley Act of 2002 was signed into law to protect investors from inaccurate reporting of financial records of companies they have a venture in [14]. SOX pushed organizations to design business policies to manage risk. The European Network and Information Security Agency (ENISA) is an organization who determines the cost and benefits of cloud computing while analyzing the risks. They also monitor and provide recommendations to other European businesses that are willing to migrate to the cloud [7]. The National Institute of Standards and Technology (NIST) is part of the U.S. Department of Commerce who develops standards and guidelines for Federal agencies; and are responsible for providing adequate information security to those agencies [6]. They works with the private sector, other government agencies, and universities to develop and apply the technology, measurements and standards needed for new and improved products and services [18].The Health Insurance Portability and Accountability Act of 1996 (HIPAA) established federal rules to protect patients by providing rights and disclosure to personal health information [16]. There are many organizations who work together collaborating on current cloud standards and exchange use cases to develop the new standards. NIST publishes this information amongst all the groups and allows for outside organizations to contribute. These standards pertain to different aspects of the cloud such as security, user access, data import and export, network management and registry. Current and Future Guidance By having standard guidelines in place, businesses will gain more confidence in the cloud and develop a greater trust. In order to advance cloud computing, measures to establish greater security will need to be met [17]. The cloud s future will need to expand on its interoperability and ways to handle vendor lock-in.

8 P a g e 8 Cloud Security Alliance (CSA) Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing [8]. The alliance s working group Security as a Service (SecaaS) has published implementation guidance documents which expands on ten different categories of services: 1. Identity and Access Management Implementation Guidance 2. Data Loss Prevention Implementation Guidance 3. Web Security Implementation Guidance 4. Security Implementation Guidance 5. Security Assessments Implementation Guidance 6. Intrusion Management Implementation Guidance 7. Security Information and Event Management Implementation Guidance 8. Encryption Implementation Guidance 9. Business Continuity / Disaster Recovery Implementation Guidance 10. Network Security Implementation Guidance Information Systems Audit and Control Association (ISACA) ISACA is an international professional association focused on IT Governance. The association is responsible in creation of Control Objectives for Information and Related Technology (COBIT) which is one of the most widely used frameworks for information technology management and governance. COBIT addresses 34 IT processes, ranging from strategic planning to implementation, production, support, and monitoring. The processes are grouped into four domains each of which has detailed guidelines as illustrated in Figure 3[10]. COBIT Figure 3 illustrates the four areas of COBIT (designed by Sona Aryal, 2013)

9 P a g e 9 The organization also partners an institute (IT governance institute) which focuses on conducting research/publication on IT governance related subjects. This association s contribution towards the field of IT audit, security, governance and risk management has been given high credibility for the certifications (CISA, CISM, and RISC) they endorse. Implementing and Maintaining Governance Methodology To secure the cloud, organizations should use encryption technology. The servers should have its own encryption as well as the backup system. This ensures that the data is securely stored and protected. Use of proper access control methods ensures standard identification, authentication and authorization. Cloud automation reduces the risk of user error and malicious actions. To ensure the organization is compliant logging, monitoring and alerting will minimize discrepancies. [15]. Conclusion & Future Work The future of auditing in the cloud is accelerating at a rapid pace. There are many organizations that have developed standards and guidelines; however, the risk of data being compromised will still exist. To regulate these standards on a global scale will take a number of years to implement and enforce. Challenges such as new laws and new requirements that vary by geographic area or jurisdiction, compliance of audit logs across multiple domains, and the increased complexity to comply with new standards remain. Organizations and consumers must continue to work together to build a more effective solution to IT auditing in the cloud. Organizations like NIST, CSA, and ISACA are continuously working with IT professional and experts to research this fairly new subject and it has a long way to grow. Future research on this topic can open up doors to new and improved guidelines and standards that can be adapted by various organizations.this particular paper can be used as a reference to elaborate on all the governance proposed/listed the in paper and compare with any new reforms performed by any other guidelines.

10 P a g e 10 Works Cited 1. Huth, A. & Cebula, J. (2011). The Basics of Cloud Computing. Carnegie Mellon University. 2. Gul, I., & Islam, M. H. (2011, June). Cloud Computing Security Auditing. In Next Generation Information Technology (ICNIT), 2011 The 2nd International Conference on (pp ). IEEE. 3. Chen, Z., & Yoon, J. (2010, July). IT Auditing to Assure a Secure Cloud Computing. In 6th World Congress on Services (pp ). 4. Wang, C., Sherman, C., Wang, Q., Ren, K., & Lou, W. (March 2010). Privacy Preserving Public Auditing for Secure Cloud Storage. INFOCOM Proceedings IEEE, Haeberlen, A. (2010). A Case for the Accountable Cloud. ACM SIGOPS Operating Systems Review, 44(2), Mell, P. & Grance, T. (Sept 2011). The NIST Definition of Cloud Computing. NIST Special Publication Hogben, G. ENISA-Cloud Computing and Security Strategy. Retrieved from 8. Cloud Security Alliance. (2011). Security Guidance for Critical Areas of Focus in Cloud Computing V Goodman, R. A., & Lawless, M. W. (1994). Technology and Strategy: Conceptual Models and Diagnostics. New York: Oxford University Press. 10. Information Systems Audit and Control Association (ISACA), Control Objectives for Information and Related Technology (COBIT). Retrieved from Rhoton, John. (2011). Cloud Computing Explained. Recursive Press. 12. Sriram, I. & Khajen-Hosseini, A. Research in Cloud Technologies. Retrieved from (Sept 2011) New Requirements for Security and Compliance Auditing in the Cloud. Qualys Stults, G. (May 9, 2004). An Overview of Sarbanes-Oxley for the Information Security Professional. SANS Institute. Version 1.4b. Option (2013) Understanding Enterprise Cloud Governance. Enstratius Inc. 16. Health Insurance Portability and Accountability Act of Web Badger, L., et al. (Nov 2011) US Government Cloud Computing Technology Roadmap. Volume 1. Release 1.0 (Draft). National Institute of Standards and Technology. Special Publication Office of the Director Homepage. (n.d.). National Institute of Standards and Technology. Retrieved April 16, 2013, from