The auditor's guide to ensuring correct security and privacy practices in a cloud computing environment

Many organizations are reporting or projecting a significant cost savings through the use of cloud computing—utilizing shared computing resources to provide ubiquitous access for organizations and end users. Just as many organizations, however, are expressing concern with security and privacy issues for their organization's data in the "cloud." Auditing Cloud Computing provides necessary guidance to build a proper audit to ensure operational integrity and customer data protection, among other aspects, are addressed for cloud based resources.

• Provides necessary guidance to ensure auditors address security and privacy aspects that through a proper audit can provide a specified level of assurance for an organization's resources
• Reveals effective methods for evaluating the security and privacy practices of cloud services
• A cloud computing reference for auditors and IT security professionals, as well as those preparing for certification credentials, such as Certified Information Systems Auditor (CISA)

Timely and practical, Auditing Cloud Computing expertly provides information to assist in preparing for an audit addressing cloud computing security and privacy for both businesses and cloud based service providers.

Chapter 1: Introduction to Cloud Computing 1

History 1

Defining Cloud Computing 2

Elasticity 2

Multitenancy 3

Economics 3

Abstraction 3

Cloud Computing Services Layers 4

Infrastructure as a Service 5

Platform as a Service 5

Software as a Service 6

Roles in Cloud Computing 6

Consumer 6

Provider 6

Integrator 7

Cloud Computing Deployment Models 8

Private 8

Community 8

Public 9

Hybrid 9

Challenges 9

Availability 10

Data Residency 10

Multitenancy 11

Performance 11

Data Evacuation 12

Supervisory Access 12

In Summary 13

Chapter 2: Cloud-Based IT Audit Process 15

The Audit Process 16

Control Frameworks for the Cloud 18

ENISA Cloud Risk Assessment 20

FedRAMP 20

Entities Using COBIT 21

CSA Guidance 21

CloudAudit/A6—The Automated Audit, Assertion, Assessment, and Assurance API 22

Recommended Controls 22

Risk Management and Risk Assessment 26

Risk Management 27

Risk Assessment 27

Legal 28

In Summary 29

Chapter 3: Cloud-Based IT Governance 33

Governance in the Cloud 36

Understanding the Cloud 36

Security Issues in the Cloud 37

Abuse and Nefarious Use of Cloud Computing 38

Insecure Application Programming Interfaces 39

Malicious Insiders 39

Shared Technology Vulnerabilities 39

Data Loss/Leakage 40

Account, Service, and Traffic Hijacking 40

Unknown Risk Profile 40

Other Security Issues in the Cloud 41

Governance 41

IT Governance in the Cloud 44

Managing Service Agreements 44

Implementing and Maintaining Governance for Cloud Computing 46

Implementing Governance as a New Concept 46

Preliminary Tasks 46

Adopt a Governance Implementation Methodology 48

Extending IT Governance to the Cloud 49

In Summary 52

Chapter 4: System and Infrastructure Lifecycle Management for the Cloud 57

Every Decision Involves Making a Tradeoff 57

Example: Business Continuity/Disaster Recovery 59

What about Policy and Process Collisions? 60

The System and Management Lifecycle Onion 61

Mapping Control Methodologies onto the Cloud 62

Information Technology Infrastructure Library 63

Control Objectives for Information and Related Technology 64

National Institute of Standards and Technology 65

Cloud Security Alliance 66

Verifying Your Lifecycle Management 67

Always Start with Compliance Governance 67

Verification Method 68

Illustrative Example 70

Risk Tolerance 72

Special Considerations for Cross-Cloud Deployments 73

The Cloud Provider’s Perspective 74

Questions That Matter 75

In Summary 76

Chapter 5: Cloud-Based IT Service Delivery and Support 79

Beyond Mere Migration 80

Architected to Share, Securely 80

Single-Tenant Offsite Operations (Managed Service Providers) 81

Isolated-Tenant Application Services (Application Service Providers) 81

Multitenant (Cloud) Applications and Platforms 82

Granular Privilege Assignment 82

Inherent Transaction Visibility 84

Centralized Community Creation 86

Coherent Customization 88

The Question of Location 90

Designed and Delivered for Trust 91

Fewer Points of Failure 91

Visibility and Transparency 93

In Summary 93

Chapter 6: Protection and Privacy of Information Assets in the Cloud 97

The Three Usage Scenarios 99

What Is a Cloud? Establishing the Context—Defining Cloud Solutions and their Characteristics 100

What Makes a Cloud Solution? 101

Understanding the Characteristics 104

Service Based 104

On-Demand Self-Service 104

Broad Network Access 104

Scalable and Elastic 105

Unpredictable Demand 105

Demand Servicing 105

Resource Pooling 105

Managed Shared Service 105

Auditability 105

Service Termination and Rollback 106

Charge by Quality of Service and Use 106

Capability to Monitor and Quantify Use 106

Monitor and Enforce Service Policies 107

Compensation for Location Independence 107

Multitenancy 107

Authentication and Authorization 108

Confidentiality 108

Integrity 108

Authenticity 108

Availability 108

Accounting and Control 109

Collaboration Oriented Architecture 109

Federated Access and ID Management 109

The Cloud Security Continuum and a Cloud Security Reference Model 110

Cloud Characteristics, Data Classification, and Information Lifecycle Management 113

Cloud Characteristics and Privacy and the Protection of Information Assets 113

Information Asset Lifecycle and Cloud Models 114

Data Privacy in the Cloud 118

Data Classification in the Context of the Cloud 119

Regulatory and Compliance Implications 119

A Cloud Information Asset Protection and Privacy Playbook 121

In Summary 124

Chapter 7: Business Continuity and Disaster Recovery 129

Business Continuity Planning and Disaster Recovery Planning Overview 129

Problem Statement 130

The Planning Process 131

The Auditor’s Role 133

Augmenting Traditional Disaster Recovery with Cloud Services 135

Cloud Computing and Disaster Recovery: New Issues to Consider 136

Cloud Computing Continuity 136

Audit Points to Emphasize 138

In Summary 139

Chapter 8: Global Regulation and Cloud Computing 143

What is Regulation? 144

Federal Information Security Management Act 146

Sarbanes-Oxley Law 146

Health Information Privacy Accountability Act 146

Graham/Leach/Bliley Act 147

Privacy Laws 147

Why Do Regulations Occur? 148

Some Key Takeaways 149

The Real World—A Mixing Bowl 149

Some Key Takeaways 151

The Regulation Story 151

Privacy 153

International Export Law and Interoperable Compliance 154

Effective Audit 155

Identifying Risk 156

In Summary 156

Chapter 9: Cloud Morphing: Shaping the Future of Cloud Computing Security and Audit 161

Where Is the Data? 162

A Shift in Thinking 164

Cloud Security Alliance 165

CloudAudit 1.0 166

Cloud Morphing Strategies 166

Virtual Security 167

Data in the Cloud 168

Cloud Storage 169

Database Classes in the Cloud 171

Perimeter Security 171

Cryptographic Protection of the Data 172

In Summary 173

Appendix: Cloud Computing Audit Checklist 175

About the Editor 181

About the Contributors 183

Index 191