CLOUD COMPUTING AUDIT

Transcription

1 U.P.B. Sc. Bull., Seres C, Vol. 77, Iss. 3, 2015 ISSN CLOUD COMPUTING AUDIT Georgana MATEESCU 1, Valentn SGÂRCIU 2 Ths paper presents a personal approach of conductng the audt process n cloud archtecture. Startng from the cloud computng benefts, we presented n Introducton secton the man characterstcs that a cloud provder should offer to hs consumer n exchange for credblty and trust. In order to prove all these capabltes, a proper audt process must be mplemented. Secton 2 descrbes our orgnal methodology of evaluatng the safety level of a cloud servce and the complance level aganst the standards used as reference. Our personal contrbutons consstng n quantfyng the safety level based on assumed rsk level were valdated by the mplementaton depcted n secton three. Ths paper concludes wth the benefts of our methodology. Keywords: cloud computng governance, cloud audt, cloud strategy, cloud evaluaton 1. Introducton Cloud Computng s a very fashonable concept and n the same tme, a controversal one. Whle a lot of people refer t as a dsruptve technology that has the potental to enhance collaboraton, aglty, scalng, and avalablty, and provdes the opportuntes for cost reducton through optmzed and effcent computng [1], there are a lot of opnons that thnk cloud computng s a trap for users to become cloud provder dependent [2]. The man attrbutes of cloud computng phenomenon are [3]: Shared resources cloud computng s an archtecture that allows multple users to utlze the same resources from network level, host level to applcaton level. Massve scalablty cloud computng has the ablty to scale to thousands of systems. Elastcty n cloud computng framework t s very easy to adapt the resources hardware and software to the user s necessty. Pay as you go users pay only the resources they use for only the tme they actually requre them. 1 PhD Student, Faculty of Automatc Control and Computers, Unversty POLITEHNICA of Bucharest, Romana, e-mal: [email protected] 2 Professor, Faculty of Automatc Control and Computers, Unversty POLITEHNICA of Bucharest, Romana

2 32 Georgana Mateescu, Valentn Sgârcu Self provsonng of resources addtonal systems (processng capablty, software, storage) and network resources are added f needed. Cloud Computng represents a new archtectural model that lead to new governance and management strateges based on the trust between consumers and provders. The trust t s defned by the level of securty confdence a provder can offer to hs clents, confdence that must ensure the followng key factors [4]: Transparency n provng a hgh level of securty measures mplementaton that assures the proper use of confdental data durng ther entre lfecycle: create, share, use, archve, destroy stages. Prvacy the cloud servces must prevent, detect and react to securty breaches and malcous attacks n a tmely and effectve manner. Complance the cloud provder must prove complance wth the securty standards and regulatons. One of the most mportant aspects regardng ths topc s to ensure that the cloud consumer s able to retreve hs data from the cloud whenever s requred. Localzaton of data the physcal locaton of the data storage can be the subject of partcular regulaton s some geographc area, therefore the consumer must ensure proper cloud provder selecton f hs actvty s n scope for such standards. In order to prove that the cloud servce s complant wth technology and securty requrements, a proper audt process must be conduct. In ths paper, we present our personal approach n defnng an effectve audt methodology, able to quantfy the cloud servce safety and complance based on the key drvers from the man areas concernng the IT nfrastructure: governance, management, operatons. Startng from the COBIT [5] framework we have created an orgnal approach to evaluate the safety of a cloud servce n order to emphasze the man areas where enhancements are requred. The next secton descrbes the cloud audt methodology together wth the evaluaton algorthm. The thrd secton presents the practcal mplementaton for methodology valdaton. Ths paper concludes wth the man advantages and benefts of the presented approach. 2. Cloud Audt Process The Cloud Audt s a relatvely young doman that s beng enhanced by the cloud practces and standardzaton communtes n order to address all partcular ssues of the knd of archtectural model. The current practce, started from the IT tradtonal securty and control measures are based on these, the audt process s beng contnuously customzed on the cloud specfc partculartes. In order to create ths approach, we started from the exstng prncples, best practces and recommendatons regardng audt process, we mapped the tradtonal archtectures wth the cloud models n order to defne the man

3 Cloud computng audt 33 vertcals for the cloud audt specfc characters and for all these vertcals we classfed them nto domans. The categorzaton was performed accordng to the securty reference model defned n [7]. For all the vertcals we defned controls able to measure them. After defnng the audt context and aspects to evaluate, we bult our evaluaton methodology based on COBIT [5] model that offers a framework used to assess the governance and the management of IT. The framework was ntally desgned on tradtonal archtecture, but t can be adapted to cloud archtectures also. The capablty model leveraged by our methodology s depcted n the pcture below: Fg 1: COBIT capablty model [5] In order to conduct the audt process, we structured the exstng IT key prncples [6], practces, mechansms, procedures and controls n 14 domans, accordng to [7]. The audt process addresses one cloud applcaton that s evaluated from one or multple securty domans perspectve [8] [9], by analyzng the mplementaton level of each control defned n the audt questonnare for that doman. The audt report conssts n two man drvers: The safety level ths represents the level of securty controls mplementatons as compared to the assumed rsk defned for the applcaton that s been evaluated. The complance level ths represents the percentage of the securty coverage n the analyzed domans as they are defned by CSA n [7].

4 34 Georgana Mateescu, Valentn Sgârcu In order to compute the Safety Level, the approach defnes the applcaton rsk as the uncertanty rate reported to the cloud vulnerabltes from the analyzed securty doman, materalzed n the mplementaton level of each control: AR n = cnsa + k =1 Where: AR s the applcaton rsk for the evaluated doman ( 5 s ) c (1) c NSA s the correcton rsk constant computed based on the exstng cloud communty experence. Its value s 0.01 and t s ntroduces for practcal reasons because there s no doman wth zero rsk. s k s the score of the mplementaton level for control k from the doman c A s the correcton constant appled to the rsk defned for the control. Ths constant depends on the ndustry the target belongs to, and on the senstvty level of the cloud servce. n s the number controls beng evaluated n the audt process For each cloud applcaton, there s an assumed level of rsk ranked from 1 to 3, defned by the IT strategy and management responsble team. Based on the assumed level of rsk, the assumed rsk s computed usng the followng expresson: ' AR = RL n c A (2) Where: AR ' s the assumed rsk for the evaluated doman RL s the rsk level defned by the management responsble team c A s the correcton constant appled to the rsk defned for the control. Ths constant depends on the ndustry the target belongs to, and on the senstvty level of the cloud servce. n s the number controls beng evaluated n the audt process Based on these two measures, the safety level s computed as: AR 5 n(1 c ) A ' = AR SL 100 5n (3) Where: SL s the safety level for the evaluated doman c A s the correcton constant appled to the rsk defned for the control. Ths constant depends on the ndustry the target belongs to, and on the senstvty level of the cloud servce. AR ' s the assumed rsk for the evaluated doman AR s the applcaton rsk for the evaluated doman k A

5 Cloud computng audt 35 n s the number controls beng evaluated n the audt process If the audt process s conducted for multple domans, the safety level s the arthmetc mean of the safety levels of the ndvdual domans: n SL SL = = 1 (4) n Where: SL s the safety level of the audt process SL s the safety level for the evaluated doman n s the number of domans n scope for the audt process. Based on the safety level and on the assumed rsk level, the Complance Level s computed usng the followng expresson: c 1+ ( 1) SL SLmn CL = ( SLmn + ) (5) 2 SLmn Where: CL s the complance level for the evaluated doman SL s the safety level for the evaluated doman n s the number of domans n scope for the audt process c s the complance factor that ensure that the complance level s zero f the mnmum safety level s not reached. Ths factor s computed usng the followng expresson: 1, SL < SLmn c = (5) 2, SL > SLmn SL mn s the mnmum safety level that must be obtaned by a doman n order to be complant and t s computed based on the assumed level of rsk: SL = 1 RL Where: SL mn s the mnmum safety level mn c c (6) RL s the assumed rsk level for the applcaton c c s the complance constant and ts value s 0.25 The complance level s the measure of the mplemented level of securty and governance measures, as compared to the best practces recommended by the standards used as references when we defned the audt framework. Therefore the two levels computed by our approach offer a realstc vew of the contracted cloud servce by analyzng the entre ntegraton context. Our approach analyzes both cloud provder and consumer controls n order to evaluate the level of performance, governance, rsk, management and operaton of the IT doman.

6 36 Georgana Mateescu, Valentn Sgârcu 3. Implementaton the audt process In order to valdate the proposed methodology we used the followng archtecture: Fg 2: Implementaton Archtecture The IT envronment components are: The Identty Management System n charge wth the management of the enterprse users and accounts n target systems. Ths system retreves denttes attrbutes from Drectory Server system and, based on defned busness rules, provsons the cloud servce through APIs calls. The communcaton between Identty Management and salesforce.com s authentcated and the nformaton flow s encrypted by the Securty Gateway. Identty Management s the system that manages the users and the roles wthn salesforce.com.. The Drectory Server system s the authortatve source of denttes attrbutes n the company and provdes all employees detals to Identty Management system. Identty Federaton and Sngle Sgn On system s the system n charge wth the authentcaton process wthn the company. The repostory for the dentty federaton s Drectory Server Securty Gateway s the system n charge wth the encrypton of data n moton nvolved n the ntegraton wth salesforce. Salesforce.com s the cloud servce that s been audt and has the followng characterstcs depcted by the Table 1 below.

7 Cloud computng audt 37 The audted applcaton characterstcs No Characterstc Value 1 Applcaton Name Salesforce.com 2 Senstve Applcaton No 3 Nvel de Rsc Asumat 2 4 Implementaton Program Salesforce 5 Cloud Servce Type SaaS 6 Cloud Model Cloud Publc Table 1 Durng the audt process we addressed 11 domans out of 14 because these were the most relevant ones: Governance and Enterprse Rsk Management [14] Tradtonal Securty, Busness Contnuty and Dsaster Recovery [13] Complance and Audt [18] Portablty and Interoperablty [17] Incdent Response, Notfcaton and Remedaton [13] Applcaton Securty [11] Encrypton and Key Management [18] Identty and Access Management[15] Vrtualzaton [16] Data Center Operatons [19] Informaton Management and Data Securty [12] Doman The table below depcts the audt results: Audt Results No of App Controls Rsk Assumed Rsk Safety Level Governance and Enterprse Rsk Management Tradtonal Securty, Busness Contnuty and Dsaster Recovery Complance and Audt Portablty and Interoperablty Incdent Response, Notfcaton and Remedaton Table 2

8 38 Georgana Mateescu, Valentn Sgârcu Doman No of Controls App Rsk Assumed Rsk Safety Level Applcaton Securty Encrypton and Key Management Identty and Access Management Vrtualzaton Data Center Operatons Informaton Management and Data Securty Total Number of Controls 262 Safety Level The followng pcture depcts the rato between the Applcaton Rsk computed durng the audt process and the Assumed rsk for the analyzed domans: Fg 3 Raton between Applcaton Rsk and Assumed Rsk The pcture shows that the domans where the audted applcaton rsk exceeded than the assumed rsk are: Incdent Response, Notfcaton and Remedaton Applcaton Securty Encrypton and Key Management

9 Cloud computng audt 39 For these domans, the company wll have to enhace the exstng controls n order to ensure that the rsk s addressed properly and the busness requrements regadng avalablty and audtablty are met. The pcture below depcts the comparson between the safety level computed durng the audt process for all n scope domans: Fg 4: Safety Levels The level of safety of the audted applcaton s SL = 97%. Consderng that the assumed level of rsk s RL = 2 and that the applcaton s not consdered senstve, the mnmum safety level that must be met n order for one doman to be complant s: SL 1 RL c 95% (7) mn = c = Based on the mnmum safety level, the conformty level s computed for each n scope doman and the results are presented n the pcture below: Fg 5: Conformty Levels for the analyzed domans We can conclude that 10 out of 11 analyzed domans are complant wth the best practces recommended by the standards used as references n the audt

10 40 Georgana Mateescu, Valentn Sgârcu approach. The only doman that was not complant s Portablty and Interoperablty whch safety level s 94.62%. Ths means that the efforts for performng the enhancement requred for complance are not sgnfcant as the dfference untl the mnmum safety level n very small. The mean complance level for the 10 complant domans s: 10 CL = 1 CL = 100 = 97.7% (8) 10 We can conclude that the audted servce cloud s a safe servce, wth the safety level of 97% that proves the hgh performance securty and control mechansms n place n order to ensure transparency, prvacy, avalablty and requred performance. In the archtecture we audt, the salesforce.com was complant n 10 domans out of 11, fact that leads to a 90.9% percentage of complance. As already mentoned, the dfference between the safety level on the non-complant doman and the mnmum safety level requred for complance s small, therefore the overall evaluaton of salesforce.com s classfyng ths servce as a safe, controllable and hgh performance cloud servce. By mplementng ths use case we proved the practcal applcablty of our approach n evaluatng the cloud servce form the followng perspectves: Securty controls n place n the archtecture on both costumer and provder sde Governance and rsk management measures Operablty processes and procedures 6. Conclusons Nowadays the nformaton securty and proftablty are maybe the most mportant two aspects wthn an organzaton. They are nterconnected and have a drect mpact one on each other and because of that the man challenge today s to fnd the best balance between the cost spent on the securty aspects and ther proftablty. In order to ensure the maxmzed busness value added by mplementng IT programs, the companes must buld a strong audt process able to quantfy the safety of the IT soluton mplemented, the proftablty rate and the IT strategy maturty. By combnng techncal aspects [10] dved nto man securty drvers wth governance and operatons related factors, we managed to offer a full evaluaton analyss of cloud system that quantfes the overall safety of the cloud safety from both technologcal and operatonal perspectve. In ths way, the audt process can be a key decson support for the IT strategy roadmap.

11 Cloud computng audt 41 Our approach offers the followng benefts and nnovatons: Quantfes the safety score based on securty measures and controls usng an orgnal methodology based on mature and relable framework. Quantfes the level of complance wth the standards used as reference n defnng the audt framework. The approach reles of the safety score and t s bult by adaptng the tradtonal methodology to cloud archtectures. Offers an effcent methodology for complex analyss that shows strengths and weaknesses of the company Offers decson support for future cloud adopton by evaluatng the rate of company maturty and adaptablty to change by assessng the entre stack of mechansms, controls, process and procedures defned wthn the company n order to obtan an effcent governance and management process. By usng as a reference model an nternatonal standard, we ensure that the prncpals, best practces and mature recommendatons are part of the audt process. Also, by leveragng an exstng framework for ntal assessment of the mplementaton level, we obtan all the benefts of a framework that proved ts value durng the experence. We can conclude that our approach helps the company gan vsblty on ther own IT envronment by evaluatng the governance, management and operatons maturty levels usng a holstc approach. R E F E R E N C E S [1] Cloud Securty Allance, Securty Gudance for Crtcal Areas of Focus n Cloud Computng v [2] Mchael Armbrust, Armando Fox, Rean Grffth, Anthony D. Joseph, Randy Katz, Andy Konwnsk, Gunho Lee, Davd Patterson, Arel Rabkn, Ion Stoca, and Mate Zahara, Above the Clouds: A Berkeley Vew of Cloud Computng Electrcal Engneerng and Computer Scences Unversty of Calforna at Berkeley Techncal Report February 10, 2009 [3] Tm Mather, Subra Kumaraswany, Shahed Latf, Cloud Securty and Prvacy. An Enterprse Perspectve on Rsk and Complance, O Relly Unted States of Amerca, frst verson 2009 [4] Robert R. Moeller, Executve's Gude to IT Governance: Improvng Systems Processes wth Servce Management, COBIT, and ITIL, 2013 John Wnley & Sons ISBN: [5] ISACA, COBIT 5: A Busness Framework for the Governance and Management of Enterprse IT, 2012, ISACA ISBN: [6] ISACA, IT Control Objectves for Cloud Computng: Controls and Assurance n the Cloud, 2011, ISACA ISBN: [7] Cloud Securty Allance, Securty Gudance for crtcal areas of focus n cloud computng v3.0, [8] Robert R. Moeller, Executve's Gude to IT Governance: Improvng Systems Processes wth Servce Management, COBIT, and ITIL, 2013 John Wnley & Sons ISBN:

12 42 Georgana Mateescu, Valentn Sgârcu [9] Jared Carstensen, Bernard Golden, JP Morgenthal, Cloud Computng: Assessng the Rsks, 2012, IT Governance ISBN: [10] Chrs Davs, Mke Schller, Kevn Wheeler, IT Audtng: Usng Controls to Protect Informaton Assets, Second Edton, 2011 McGraw-Hll/Osborne ISBN: [11] Lee Newcombe, Securng Cloud Servces: A Pragmatc Approach to Securty Archtecture n the Cloud, 2012, IT Governance ISBN: [12] Jennfer L. Bayuk,Cyber Securty Polcy Gudebook, 2012, John Wley & Sons ISBN: [13] Kurt J. Engemann and Douglas M. Henderson, Busness Contnuty and Rsk Management: Essentals of Organzatonal Reslence, 2012, Rothsten Assocates ISBN: [14] Robert R. Moeller, COSO Enterprse Rsk Management: Establshng Effectve Governance, Rsk, and Complance, Second Edton, 2011, John Wley & Sons ISBN: [15] Matthew Metheny, Federal Cloud Computng: The Defntve Gude for Cloud Servce Provders, 2013, Syngress Publshng ISBN: [16] Dane Barrett and Greg Kpper, Vrtualzaton and Forenscs: A Dgtal Forensc Investgator's Gude to Vrtual Envronments, 2010 Syngress Publshng ISBN: [17] Nck Antonopoulos, Lee Gllam, Cloud Computng: Prncples, Systems and Applcatons, 2010, Sprnger ISBN: [18] Ben Halpert, Audtng Cloud Computng: A Securty and Prvacy Gude, 2011, John Wley & Sons ISBN: [19] Bran J.S. Chee, Curts Frankln, Cloud Computng: Technologes and Strateges of the Ubqutous Data Center, 2010, Auerbach Publcatons ISBN: