Secure Cloud Computing through IT Auditing




Navita Agarwal
Department of CSIT, Moradabad Institute of Technology, Moradabad, U.P., INDIA
Email: nvgrwl06@gmail.com

ABSTRACT

In this paper we discuss the origin of cloud computing and a framework for providing secure cloud computing through IT auditing. The framework consists of checklists based on the cloud deployment models and cloud service models. The paper emphasizes the implications of cloud computing and defines secure cloud computing via IT auditing rather than proposing a new technology to secure cloud computing.

Keywords: Cloud, Cloud Service, Cloud Computing.

1. INTRODUCTION

Cloud computing is an advanced technology that provides resources over the Internet; these resources act as highly informative services to those who use them. With the cloud, subscribers can access relevant business applications using a web browser, while their data and the related software are stored on an off-site server. This brings economic benefits by providing computing resources and applications to all customers. The services may include software, storage, development and deployment platforms, infrastructure, desktop services and so on. Cloud computing represents a different way of maintaining data and applications, using the Internet and central remote servers. Consumers and businesses can use applications without installing them and can access their personal files from any computer with Internet access. This technology centralizes storage, memory, processing and bandwidth. In cloud computing, a thin client interacts with a remote cloud operating system to obtain a virtual desktop with a chosen virtual local operating system, from which it accesses virtual data storage and runs applications from anywhere, at any time.

In the current scenario, IT has reached a critical point. Information is driving 54% growth in storage, and large scientific calculations such as weather forecasting, new medicines and healthcare informatics demand faster processing capabilities. Yet in real terms around 85% of computing capacity is idle, and on average close to 70% of the IT budget is spent on managing IT infrastructure rather than on adding new capabilities to existing technology. At the same time, connectivity costs keep falling. An off-site cloud computing infrastructure provided by a third party therefore requires fewer technical skills from the user than an in-house implementation. Although storage is centralized, the possible security risks, along with the loss of access and control, must be considered. Users of cloud computing easily achieve location and device independence: they can use a web browser to access systems from any site and from a variety of devices, and customers manage and interact with the cloud services through APIs. Service providers must ensure that security is integrated into their service models, and users must be aware of the security risks in the use, implementation, management and monitoring of those services. The risks include limited monitoring capabilities, inflexible access controls, reusable passwords, clear-text authentication and improper authorizations.

Figure 1

Businesses are running all kinds of applications in the cloud, such as Human Resources (HR), Customer Relationship Management (CRM), accounting and many others. Leading IT companies moved their applications to the cloud after thoroughly testing the security and reliability of the infrastructure. In this paper we focus on the security issues of information assurance: that is, securing cloud computing by means of an IT auditing policy. IT auditing under cloud computing, in addition to the traditional auditing role, has the benefit of helping to build the enterprise's strategic plan. For this purpose we construct a master checklist framework that can be specified per cloud deployment model.

2. ORIGIN OF CLOUD COMPUTING

In 1960, John McCarthy stated of cloud computing that "computation may someday be organized as a public utility" [1]. Other scholars have shown that the roots of cloud computing go all the way back to the 1950s, when the scientist Herb Grosch claimed that the entire world would operate on dumb terminals powered by about 15 large data centers. The term "cloud" comes from telephony: telecommunications companies offered Virtual Private Network (VPN) services to customers with comparable quality of service (QoS) but at considerably lower cost. The cloud symbol was used to mark the boundary between the responsibility of the service provider and the responsibility of the end user. Cloud computing covers both the servers and the network infrastructure. Amazon also played a key role in the development of cloud computing. Having equipped its data centers like other computer networks, it found that they used only 10% of their capacity at any one time, and that the new cloud architecture brought significant improvements whereby small teams could add new features faster and more easily. Amazon therefore started a new product development effort to provide cloud computing to external customers, and launched the utility-computing based Amazon Web Services (AWS) in 2006.

3. WHY BUSINESSES NEED CLOUD COMPUTING

Supercomputers can perform complex tasks such as analyzing climate change, ensuring national security and solving medical problems, and are preferred by universities, government agencies, the military and research laboratories. Compared with the 3 billion computations per second processed by a powerful desktop PC, cloud computing performs trillions of calculations per second and can provide similar power. Users can analyze sales data over the Internet, estimate the risk of business ventures, store patients' medical information and perform other essential tasks for their organizations. 2010 was a milestone year for the implementation of cloud computing services. Companies are increasingly finding that SaaS (Software-as-a-Service) is a safe and secure service for maintaining flexibility. SaaS works extremely well and simplifies IT planning: thousands of users can be assigned resources instantly, on the fly, either at the click of a button or even automatically. This eliminates unnecessary maintenance costs and hardware upgrades. Companies like the idea of SaaS because it allows them to access company systems from any location; employees can work from the head office, a remote sales office, their home, or even from a laptop while on the road.

4. GLIMPSE OF CLOUD COMPUTING

NIST has defined cloud computing as "a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction" [2][3]. The cloud computing model has five essential characteristics: broad network access, resource pooling, on-demand self-service, measured service and rapid elasticity. It includes three service models: SaaS (Software-as-a-Service), PaaS (Platform-as-a-Service) and IaaS (Infrastructure-as-a-Service). These services offer different benefits according to the requirements of customers.

Figure 2: Types of Cloud Services

The cloud computing model also includes four deployment models: Public Cloud, Private Cloud, Community Cloud and Hybrid Cloud. The influence of cloud computing on security, privacy and compliance is a work in progress. The major issues include trust, multi-tenancy, encryption and compliance with FISMA, GLBA, HIPAA, SOX, PCI and SAS 70 audits.

Figure 3: Cloud computing types

At the end of 2008 the Cloud Security Alliance released the second version of its Security Guidance for Critical Areas of Focus in Cloud Computing, and in 2009 five governance domains and seven operational domains were established. In the IT audit domain, the guidance raises the cloud computing issues of regulatory applicability and of the division of compliance responsibilities between providers and users. It also made 13 recommendations: audit rights, legal and contract team involvement, compliance scope, contractual understanding, impact of regulations on data security, review of relevant partners and service providers, review of provider infrastructure configuration, analysis of policies and procedures, the cloud provider's SAS 70 Type II status, ISO/IEC 27001/27002 roadmap and scoping, evidence preparation, and auditor qualification and selection. The biggest challenge for cloud computing is that there is no standard or single architectural method; it is therefore more appropriate to view cloud architectures as a set of approaches, each with its own examples and capabilities. The Open Security Architecture group offers various cloud computing patterns and specific controls. In this paper we focus on IT audit to assure secure cloud computing. The main aim is to design a well-equipped framework with a master checklist, so that both internal and external auditors have a reference when they have to audit this new and dynamic cloud computing territory.

5. CLOUD DATA LIFE CYCLE

Cloud computing flattens the world: public cloud providers can use their computing resources both locally and globally, and cloud users do not need information about the location of computing resources because they are all virtualized. In general, the data life cycle includes collection, storage, transferring and destruction [4]. Data collection covers both raw data and derived data; derived data, also called information, is produced from raw data to deliver intelligence. Data storage covers active storage and inactive storage. For example, data about former employees can be considered inactive, and its storage procedure may differ from that for active employee data. Data processing and data storage need not reside in the same location in the cloud environment, so data transfer is a common activity. Destruction of data means destroying it permanently: no backup should be left anywhere, on either the user side or the provider side.

The cloud data life cycle has many distinct features. Data can cross different security domains and regulations, and it moves constantly because storage is provided by a third party. Information assurance is the area that provides a new dimension here, via contracts between cloud users and cloud providers: they need to establish a formal agreement. The Service Level Agreement (SLA) can be borrowed for this, since we now need to add implementable cross-domain compliance clauses.

6. CHECKLIST FOR PUBLIC CLOUD

Public cloud computing provides scalable and easy access to computing resources and IT services. It is implemented where several organizations have similar requirements and share infrastructure in order to realize the benefits of cloud computing. It offers a higher level of privacy, security and/or policy compliance, and it can be economically attractive because the storage and workstations utilized and shared in the community are already in use. Cloud computing is cheaper, which benefits many users. The public cloud is based on the standard cloud computing model, in which applications and storage are made available to the general public over the Internet. These services may be free or offered on a pay-per-use basis. The base of the public cloud lies with Google, Amazon, Microsoft and others. Enterprises basically use the public cloud so that they can concentrate on their core business and cut costs. The cloud concept can integrate computing resources from different departments and agencies into a manageable format, making a connected government a reality. IT auditing in the public cloud can have a different focus depending on the service model: Infrastructure as a Service (IaaS) or Software as a Service (SaaS).

6.1 IaaS

Infrastructure as a Service (IaaS) is a popular service model that provides computing resources to cloud users so that they can run operating systems and their own applications on top of it. It can also be used as an archive or as a storage medium. In IT auditing, location, geopolitics, data ownership and regulatory issues are not virtualized. The checklist for the public cloud emphasizes the following issues.

Cloud IT Technique
Rationale: IT auditing techniques need to be refined to reflect the change. IT auditing of the public cloud is challenging because the IT infrastructure offered by the third party may not give the auditors direct access to the systems covered by the agreement.
What: The techniques should cover wired and wireless connections, databases, the data center, the cloud operating system (such as VMware) and hardware dependencies.
How: IT auditors must verify the agreement with the help of the third-party cloud provider. They should know how far they can go in testing and what kind of tools they can use.

Data Ownership Aware
Rationale: Data ownership in the public cloud is always an issue between providers and users. Cloud users may assume that they are the owners of their data; this assumption should be set down in the agreement. When it comes to moving data out of the cloud, cloud users should know whether the data are destroyed completely and how. No backup should remain when data is supposed to be destroyed.
What: The agreement clearly states data ownership across the data life cycle. It also includes the data destruction and verification process.
How: Discuss data ownership and data life cycle management with the cloud coordinators.

Data Protection Plan and Best Practice
Rationale: A clearly defined data protection plan, as part of the data life cycle, is an important part of the agreement among all parties: users, providers and those affected. In addition to the written agreement, actual practice is also important for data protection.
What: The data protection plan should include clear procedures and practices for each phase of the data life cycle: collection, storage, transferring and destruction.
How: Auditors must be able to differentiate between essential and non-essential data, and must advise on controls for every phase of the data life cycle.

Data Processing Isolation
Rationale: Data can also leak during processing in a shared cloud environment. To isolate data processing we have to check that no other application can access the data while it is being processed.
What: A clear procedure should be applied to make sure that data processing does not leak data.
How: IT auditors must not only read the written documents but also follow certain procedures.

Cloud Disaster Recovery Plan
Rationale: The cloud disaster recovery plan plays an important role in recovering the business from any disaster.
What: The cloud disaster recovery plan must describe how to get crucial data back, so it must incorporate the disaster recovery plans of the cloud providers.
How: IT administrators must keep proper documentation and check that the plan is being properly tested and updated.

Cloud Business Continuity
Rationale: Business continuity manages damage minimization. The organization's own business continuity plan should incorporate the business continuity plans of the cloud providers.
What: Cloud business continuity should include all the documentation from inside and outside the organization.
How: IT administrators should provide proper documentation and should test the business continuity plan.

Overall IT Project Cost
Rationale: The actual cost structure of using the public cloud should be known, along with how much it saves compared with the traditional IT model [5].

6.2 SaaS

SaaS is a popular cloud service model in which many checklist items are similar to those for IaaS.

Data Activity Surrender
Rationale: SaaS providers should keep data within national boundaries so that government agencies can access it when needed. The provider must keep all customer data that can be accessed under a court order, so SaaS users must be aware whether there is a possibility of avoiding intrusion cases.
How: IT auditors should understand the local laws and regulations on data service providers, such as those for phone records, utility bills and the like. They should ask what kind of information the cloud providers keep, and the documented policy should be properly reviewed on site.

Data Format
Rationale: If freely available readers such as Adobe Reader, Word, OpenOffice and Notepad can read the data, SaaS users avoid paying for extra software.
What: Check the data formats available from the software service.
How: Auditors should check whether these formats can be opened by general reader applications, and should talk to users to find out why a specific format is or is not used.

Disaster Recovery and Continuity Plan
Rationale: The disaster recovery plan must follow the same procedure as for the public cloud. The IT team and management should work together to adapt the existing disaster plan to the cloud scenario.
What: The plan should include backups of data at different locations, and should also describe how crucial data can be recovered and how quickly.
How: IT administrators should properly check the documentation.

7. CONCLUDING REMARKS: SHAPING OPPORTUNITY

In this paper we have defined a framework of IT auditing checklists for cloud computing that assures secure cloud computing. It focuses on the cloud rather than on the complete list of IT auditing for secure cloud computing; IT auditors, whether internal or external, should still satisfy the basic requirements of IT auditing. The IT auditing checklist also serves as a reference for those who want to step into the cloud computing wave, and as a questionnaire for answering whether cloud computing is good for the current business applications in the long run. The PaaS service model is an important aspect for future work, as the feasibility of the PaaS business model is still being studied.

The future of cloud computing is expected to bring many technological advances that will change the world. It will use applications that extract the entire potential of the cloud, which can be realized only with Internet access at higher bandwidths and faster speeds; many public places, such as educational institutions, now have wireless Internet hotspots. In future, the extra overhead on the client's computer to maintain software will be negligible, because there is no need to install the software application on the computer, so the end user will not have to deal with any kind of maintenance issue. The cloud, its different services and the various service-oriented architectures are technologies that twenty-first-century corporations will need in order to navigate the changes they now face. The use of cloud hosting services will begin either as an alternative to self-hosting or as an alternative to other current third-party hosting arrangements. Companies that require the implementation and management of a service-oriented architecture will have to re-architect their current platforms to leverage cloud computing, and may need to formalize the policies used to manage IT platforms within and across service grid boundaries. The future of cloud computing promises that, with reduced use of hardware, the probability of viruses entering the system will be very low, since everything will be operated over the network using a web browser. Cloud computing shows promise in many fields that require high-bandwidth Internet and larger storage space, such as medicine, education and space research, which might be difficult without cloud computing. Cloud computing cuts down the cost and risk of maintaining storage, and data can be stored with backups that do not have to be made manually.

REFERENCES

[1] NIST Definition of Cloud Computing v15, accessed on 4/15/2010, http://csrc.nist.gov/groups/sns/cloudcomputing/cloud-def-v15.doc
[2] Will Forrest, Clearing the Air on Cloud Computing, Discussion Document from McKinsey and Company, March 2009.
[3] Luis M. Vaquero, et al., A Break in the Clouds: Towards a Cloud Definition, ACM SIGCOMM Computer Communication Review, Vol. 39, No. 1, January 2009, pp. 50-55.
[4] FISMA: http://csrc.nist.gov/drivers/documents/fismafinal.pdf
[5] Gramm-Leach-Bliley Act (GLBA, the Financial Management.
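The checklist items of Section 6 and the data life cycle of Section 5 describe audit conditions in prose. The following Python program is an added example, not part of the paper, that encodes a subset of those items as mechanical checks over evidence an auditor has already collected: the ownership and destruction-verification clauses, protection-plan coverage of each life cycle phase, processing isolation, disaster recovery testing, residual copies (backups included, on either side) after a destruction request, copies held outside the agreed security domains, and the SaaS-only retention-policy and data-format items. The evidence fields, the one-year window for disaster recovery tests, the list of freely readable formats and the sample evidence are all constructed assumptions of this example, not anything the paper specifies.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

PHASES = ("collection", "storage", "transferring", "destruction")  # Section 5 life cycle
OPEN_FORMATS = {"pdf", "txt", "csv", "odt", "docx"}  # readable by free readers (constructed)
DR_TEST_MAX_AGE = timedelta(days=365)  # age at which a DR test is flagged (assumption)
AS_OF = date(2010, 4, 15)  # reference date for the sample run (constructed)


@dataclass
class DataCopy:
    holder: str      # "user" or "provider"
    domain: str      # security / regulatory domain, e.g. "IN"
    is_backup: bool
    deleted: bool


@dataclass
class Evidence:
    """What the auditor collected for one cloud service under review."""
    service_model: str                  # "IaaS" or "SaaS"
    agreement_clauses: set[str]
    allowed_domains: set[str]
    protection_plan_phases: set[str]
    isolation_procedure: bool
    provider_dr_plan_included: bool
    dr_plan_last_tested: date | None
    destruction_requested: bool
    copies: list[DataCopy] = field(default_factory=list)
    retention_policy_reviewed: bool = False              # SaaS only
    data_formats: set[str] = field(default_factory=set)  # SaaS only


@dataclass(frozen=True)
class Finding:
    item: str        # checklist item name from Section 6
    severity: str    # "high" or "medium"
    detail: str


def check_public_cloud(ev: Evidence, as_of: date) -> list[Finding]:
    """Section 6.1 items, which apply to both IaaS and SaaS."""
    out: list[Finding] = []
    for clause in ("data_ownership", "destruction_verification"):
        if clause not in ev.agreement_clauses:
            out.append(Finding("Data Ownership Aware", "high", f"agreement lacks a '{clause}' clause"))
    missing = [p for p in PHASES if p not in ev.protection_plan_phases]
    if missing:
        out.append(Finding("Data Protection Plan", "medium", "no controls for phases: " + ", ".join(missing)))
    if not ev.isolation_procedure:
        out.append(Finding("Data Processing Isolation", "high",
                           "no written procedure keeping other applications away from data in processing"))
    if not ev.provider_dr_plan_included:
        out.append(Finding("Cloud Disaster Recovery Plan", "high", "provider's recovery plan not incorporated"))
    if ev.dr_plan_last_tested is None or as_of - ev.dr_plan_last_tested > DR_TEST_MAX_AGE:
        out.append(Finding("Cloud Disaster Recovery Plan", "medium", "recovery plan not tested within the last year"))
    # Life cycle: data must not have crossed into domains the agreement excludes.
    outside = sorted({c.domain for c in ev.copies if c.domain not in ev.allowed_domains})
    if outside:
        out.append(Finding("Data Protection Plan", "high", "copies held outside agreed domains: " + ", ".join(outside)))
    # Life cycle: destruction must leave no copy, backups included, on either side.
    if ev.destruction_requested:
        for c in ev.copies:
            if not c.deleted:
                kind = "backup" if c.is_backup else "primary copy"
                out.append(Finding("Data Ownership Aware", "high", f"{kind} still present on {c.holder} side in {c.domain}"))
    return out


def check_saas(ev: Evidence) -> list[Finding]:
    """Section 6.2 items that apply only to SaaS."""
    out: list[Finding] = []
    if not ev.retention_policy_reviewed:
        out.append(Finding("Data Activity Surrender", "medium", "provider's record-retention policy not reviewed on site"))
    closed = sorted(f for f in ev.data_formats if f not in OPEN_FORMATS)
    if closed:
        out.append(Finding("Data Format", "medium", "formats needing paid software: " + ", ".join(closed)))
    return out


def audit(ev: Evidence, as_of: date) -> list[Finding]:
    """Run the checklist appropriate to the service model and return all findings."""
    findings = check_public_cloud(ev, as_of)
    if ev.service_model == "SaaS":
        findings += check_saas(ev)
    return findings


def summary(findings: list[Finding]) -> dict[str, int]:
    return {sev: sum(f.severity == sev for f in findings) for sev in ("high", "medium")}


# Constructed sample evidence: a SaaS engagement with several gaps an auditor should catch.
SAMPLE = Evidence(
    service_model="SaaS",
    agreement_clauses={"data_ownership"},              # no destruction verification clause
    allowed_domains={"IN"},
    protection_plan_phases={"collection", "storage", "transferring"},  # destruction not covered
    isolation_procedure=True, provider_dr_plan_included=True,
    dr_plan_last_tested=date(2008, 3, 1),              # stale test
    destruction_requested=True,
    copies=[DataCopy("user", "IN", False, True), DataCopy("provider", "IN", False, True),
            DataCopy("provider", "US", True, False)],  # provider backup left behind, outside IN
    retention_policy_reviewed=False,
    data_formats={"pdf", "proprietary-bin"},
)

if __name__ == "__main__":
    for f in audit(SAMPLE, AS_OF):
        print(f"[{f.severity:6}] {f.item}: {f.detail}")
    print(summary(audit(SAMPLE, AS_OF)))
```

Each finding names the checklist item it belongs to, so the report can be read back against Section 6 directly; the two life cycle checks deliberately fold into the Data Ownership Aware and Data Protection Plan items, because the paper places destruction verification and cross-domain movement under those headings. Severity levels are this example's own convention.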