Cloud Audit and Compliance


There is an increasing trend witnessed in the cloud computing technology which has led to a lot of risks in preserving the Confidentiality, Integrity and Availability of data. The Cloud is now facing a lot of compliance requirements due to the sensitivity of the data that is being stored. View this presentation to understand the Cloud Compliance Requirements, Risks, Audit Processes and Methodologies involved in providing assurance.

This presentation was given by CA Anand Prakash Jangid at the Conference on Cloud Computing conducted by the Committee on Information Technology of the Institute of Chartered Accountants of India on 11th January 2014.

Published in: Business, Technology
  • NIST SP 500-292. This body of work brought together the various stakeholders to develop a taxonomy for communicating the components and offerings of cloud computing in a vendor-neutral way. It does not seek to stifle innovation by prescribing a technical solution. It is an actor/role-based model, together with the architectural components needed to manage and provide cloud services: service deployment, service orchestration, cloud service management, security and privacy. A Cloud Consumer is an individual or organization that acquires and uses cloud products and services. The purveyor of those products and services is the Cloud Provider. The Cloud Broker acts as the intermediary between consumer and provider, helps consumers through the complexity of cloud service offerings, and may also create value-added cloud services. The Cloud Auditor provides a valuable inherent function for the government by conducting independent performance and security monitoring of cloud services. The Cloud Carrier is the organization that has the responsibility of transferring the data, akin to the power distributor for the electric grid.
  • Cloud Audit and Compliance

    2. • Cloud Computing & Risk
       • Auditing the cloud
       • Audit considerations in a cloud environment
       • Questions
       • Cloud & compliance
    3. The future is not what it used to be.
    4. • "I think there is a world market for maybe five computers."
         o Thomas Watson, Chairman of IBM, 1943
       • "There is no reason why anyone would want a computer in the home."
         o Ken Olson, President, Chairman and founder of Digital Equipment Corporation, 1977
       • "640K should be enough for anybody."
         o Bill Gates, 1981
       • "So far, Java seems like a stinker to me... I have a hunch that it won't be a very successful language."
         o Paul Graham, Author
    5. • GE: Global procurement hosting 500k suppliers and 100k users in six languages on a SaaS platform to manage $55B/yr in spend
       • Eli Lilly: Using Amazon Web Services, can deploy a new server in 3 min vs 50 days and a 64-node Linux cluster in 5 min vs 100 days
       • Nasdaq: Using Amazon storage to store 30-80 TB/day of trading data
    6. • The cloud acts as a big black box: nothing inside the cloud is visible to the clients
       • Clients have no idea of, or control over, what happens inside a cloud
       • Even if the cloud provider is honest, it can have malicious system admins who can tamper with the VMs and violate confidentiality and integrity
       • Clouds are still subject to traditional data confidentiality, integrity, availability and privacy issues, plus some additional attacks
    7. • Also a massive concentration of risk
         o expected loss from a single breach can be significantly larger
         o concentration of "users" represents a concentration of threats
       • "Ultimately, you can outsource responsibility but you can't outsource accountability."
    8. Why should we worry about the cloud?
    9. • SA 300 - Planning an Audit of Financial Statements
       • SA 315 - Identifying and Assessing the Risk of Material Misstatement through Understanding the Entity and Its Environment
       • SA 402 - Audit Considerations Relating to an Entity Using a Service Organization
    10. • "... effect of information technology on the audit procedures, including the availability of data and the expected use of computer assisted audit techniques."
        • "... management's commitment to the design, implementation and maintenance of sound internal control, including evidence of appropriate documentation of such internal control."
    11. Controls in IT systems consist of a combination of automated controls (for example, controls embedded in computer programs) and manual controls. Further, manual controls may be independent of IT, may use information produced by IT, or may be limited to monitoring the effective functioning of IT and of automated controls, and to handling exceptions. When IT is used to initiate, record, process or report transactions, or other financial data for inclusion in financial statements, the systems and programs may include controls related to the corresponding assertions for material accounts, or may be critical to the effective functioning of manual controls that depend on IT.
    12. Information Technology also poses specific risks to an entity's internal control, including, for example:
        • Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both.
        • Unauthorised access to data that may result in destruction of data or improper changes to data, including the recording of unauthorised or nonexistent transactions, or inaccurate recording of transactions. Particular risks may arise where multiple users access a common database.
        • The possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties, thereby breaking down segregation of duties.
        • Unauthorised changes to data in master files.
        • Unauthorised changes to systems or programs.
        • Failure to make necessary changes to systems or programs.
        • Inappropriate manual intervention.
        • Potential loss of data or inability to access data as required.
    13. • Para 3: "Services provided by a service organization are relevant to the audit of a user entity's financial statements when those services, and the controls over them, are part of the user entity's information system, including related business processes, relevant to financial reporting"
        • Para 5: Information available on general controls and computer systems controls relevant to the client's applications
    14. Para 34 of SA 400
    15. • Confidentiality
          o Fear of loss of control over data
            • Will the sensitive data stored on a cloud remain confidential?
            • Will cloud compromises leak confidential client data?
          o Will the cloud provider itself be honest and not peek into the data?
        • Integrity
          o How do I know that the cloud provider is doing the computations correctly?
          o How do I ensure that the cloud provider really stored my data without tampering with it?
    16. • Availability
          o Will critical systems go down at the client if the provider is hit by a Denial of Service attack?
          o What happens if the cloud provider goes out of business?
          o Would the cloud scale well enough?
          o An often-voiced concern
            • Although cloud providers argue that their downtime compares well with cloud users' own data centers
    17. • Privacy issues raised via massive data mining
          o The cloud now stores data from a lot of clients, and can run data mining algorithms to get large amounts of information on clients
        • Increased attack surface
          o An entity outside the organization now stores and computes data, and so:
          o Attackers can now target the communication link between cloud provider and client
          o Cloud provider employees can be phished
    18. • Auditability and forensics (loss of control of data)
          o Difficult to audit data held outside the organization in a cloud
          o Forensics also made difficult, since clients no longer maintain data locally
        • Legal quagmire and transitive trust issues
          o Who is responsible for complying with regulations?
            • e.g., IT Act, Companies Act, SOX, HIPAA, GLBA, ?
          o If the cloud provider subcontracts to third-party clouds, will the data still be secure?
    19. "Cloud Computing is a security nightmare and it can't be handled in traditional ways." John Chambers, CISCO CEO
        • Security is one of the most difficult tasks to implement in cloud computing.
          o Different forms of attacks on the application side and in the hardware components
        • An attack with catastrophic effects needs only one security flaw
    20. • Contractual discrepancies and gaps between business expectations and service provider capabilities
        • Control gaps between processes performed by the service provider and the organization
        • Compromised system security and confidentiality
        • Invalid transactions or transactions processed incorrectly
        • Costly compensating controls
        • Reduced system availability and questionable integrity of information
        • Poor software quality, inadequate testing and a high number of failures
        • Failure to respond to relationship issues with optimal and approved decisions
        • Insufficient allocation of resources
        • Unclear responsibilities and accountabilities
        • Litigation, mediation or termination of the agreement, resulting in added costs and/or business disruption and/or total loss of the organization
        • Inability to satisfy the audit/assurance charter and the requirements of regulators or external auditors
        • Reputation
        • Fraud
    22. [Diagram: NIST Cloud Computing Reference Architecture (SP 500-292)]
        • Actors: Cloud Consumer; Cloud Auditor (Security Audit, Privacy Impact Audit, Performance Audit); Cloud Provider; Cloud Broker (Service Intermediation, Service Aggregation, Service Arbitrage); Cloud Carrier
        • Cloud Provider, Service Orchestration: Service Layer (SaaS, PaaS, IaaS); Resource Abstraction and Control Layer; Physical Resource Layer (Hardware, Facility)
        • Cloud Provider, Cloud Service Management: Business Support; Provisioning/Configuration; Portability/Interoperability
        • Cross-cutting concerns: Security, Privacy, etc.
    23. • Data Breaches
        • Data Loss
        • Account or Service Traffic Hijacking
        • Insecure Interfaces and APIs
        • Denial of Service
        • Malicious Insiders
        • Abuse of Cloud Services
        • Insufficient Due Diligence
        • Shared Technology Vulnerabilities
    24. • Application and Interface Security
        • Data Security and Information Lifecycle Management
        • Audit Assurance and Compliance
        • Business Continuity Management
        • Change Control and Configuration Management
        • Datacenter Security
        • Encryption and Key Management
        • Governance and Risk Management
        • Human Resources
        • Identity and Access Management
    25. Risk-Based Audit Approach
        • Identify the risks that are present in the cloud environment
          o Inherent risks - risks that arise naturally
          o Controllable risks - risks arising from insufficient internal controls
        • Identify the controls that are in place to treat the identified risks
        • Examine the policy and procedure documents that are maintained for the cloud environment
        • Perform sampling on the controls to determine design and operating effectiveness and gather audit evidence (SA 500 - Audit Evidence, SA 530 - Audit Sampling)
        • Prepare a report and present it to the entity
    26. Identify the controls that are in place to treat the identified risks
        • RCM approach - Risk Control Matrix
          o A Risk Control Matrix is a matrix of the controls in place for each identified risk
        • CCM v3 - Cloud Controls Matrix, Version 3
          o A matrix published by the Cloud Security Alliance listing the controls that should be in place for a well-controlled cloud environment
          o It also maps each control to the statutes, standards and frameworks it helps satisfy, so the matrix doubles as a compliance mapping
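The two slides above describe the mechanics of a risk-based audit without showing what a Risk Control Matrix looks like once it is written down. The following is an added worked example, not part of the presentation: a small RCM in Python that maps risks to controls, controls to the CCM domains and statutes, and then runs the three checks an auditor actually wants from the matrix (risks with no treating control, controls with no statutory mapping, and a reproducible sample of control instances for operating-effectiveness testing). Risk names come from the deck's threat list (slide 23) and domain names from its CCM domain list (slide 24); the control identifiers, the framework mappings, the inherent/controllable classification and the population sizes are constructed sample data, not taken from CCM v3.

```python
"""Risk Control Matrix (RCM) checks for a risk-based cloud audit.

Added illustration, not code from the presentation. Control IDs, framework
mappings, risk classifications and populations are constructed sample data.
"""
import random
from dataclasses import dataclass


@dataclass
class Control:
    control_id: str   # constructed identifier, not a real CCM control ID
    domain: str       # CCM domain the control belongs to (slide 24)
    treats: set       # risks (slide 23) this control is designed to treat
    mapped_to: set    # statutes/standards the control is mapped to (slide 27)
    population: int   # operating instances of the control in the audit period


# Risks in scope, classified as the deck describes (constructed classification).
RISKS = {
    "Data Breaches": "inherent",
    "Denial of Service": "inherent",
    "Malicious Insiders": "controllable",
    "Insecure Interfaces and APIs": "controllable",
    "Account or Service Traffic Hijacking": "controllable",
    "Insufficient Due Diligence": "controllable",
}

# Constructed RCM: one row per control in place at the cloud provider.
RCM = [
    Control("EKM-01", "Encryption and Key Management",
            {"Data Breaches"}, {"ISO 27001", "PCI DSS", "HIPAA"}, 12),
    Control("IAM-02", "Identity and Access Management",
            {"Malicious Insiders", "Account or Service Traffic Hijacking"},
            {"ISO 27001", "SSAE 16"}, 240),
    Control("AIS-01", "Application and Interface Security",
            {"Insecure Interfaces and APIs"}, set(), 30),
    Control("BCR-03", "Business Continuity Management",
            {"Denial of Service"}, {"ISO 27001"}, 4),
]


def uncovered_risks(risks, rcm):
    """Risks in scope that no control in the matrix claims to treat (a control gap)."""
    treated = set().union(*(c.treats for c in rcm))
    return sorted(r for r in risks if r not in treated)


def unmapped_controls(rcm):
    """Controls with no mapping to any statute, standard or framework."""
    return sorted(c.control_id for c in rcm if not c.mapped_to)


def framework_coverage(rcm, framework):
    """Control IDs whose evidence can be reused to demonstrate the given framework."""
    return sorted(c.control_id for c in rcm if framework in c.mapped_to)


def select_sample(control, sample_size, seed):
    """Instances of a control to test for operating effectiveness (SA 530).

    The generator is seeded so the selection can be reproduced from the
    workpapers; small populations are tested in full rather than sampled.
    """
    rng = random.Random(seed)
    n = min(sample_size, control.population)
    return sorted(rng.sample(range(1, control.population + 1), n))


if __name__ == "__main__":
    print("Risks without a treating control:", uncovered_risks(RISKS, RCM))
    print("Controls with no statutory mapping:", unmapped_controls(RCM))
    print("Controls supporting ISO 27001:", framework_coverage(RCM, "ISO 27001"))
    for ctrl in RCM:
        print(ctrl.control_id, "sample:", select_sample(ctrl, 25, seed=2014))
```

Two of the checks correspond to findings the auditor would report: a risk with no treating control is a design-effectiveness gap, and a control with an empty mapping cannot be used as evidence for any of the statutes on slide 27 until it is tied to one. The seeded sample is the point of the SA 530 step; an unreproducible selection is hard to defend to a reviewer.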
    27. • ISO 27001
        • SSAE 16
        • PCI DSS
        • Indian IT Act
        • HIPAA
    28. When are these opportunities?
        "Half our life is spent trying to find something to do with the time we have rushed through life trying to save." Will Rogers
    29. Questions?
    30. ANAND PRAKASH JANGID | +919620233516