Cloud Auditing

Cloud computing is a paradigm evolution that benefits from virtualisation technologies and introduces “everything-as-a-service” as a technical and business concept supported by pay-per-use pricing models. Whilst the on-demand characteristics of this novel paradigm provide revolutionary advances in technical ability, incorporating it into an IT infrastructure raises many complex problems and risks with regard to auditing. Auditing is the process of tracing and logging significant events that take place during system run-time for later analysis, and can be seen as a vital tool in validating and securing systems.


  1. Auditing in Cloud Computing. Systematic thought leadership for innovative business. Jonathan Sinclair, SAP Research, CEC Belfast, SAP (UK) Ltd. 25th March 2010
  2. Agenda
     1. Background
        1.1 Cloud Computing
        1.2 IT Auditing
     2. Why do businesses care?
     3. Traditional view
     4. Services: The New Delivery Model
     5. Current Auditing Areas & Problems
     6. Challenges for Auditing in Cloud
     © SAP 2010 / Page 2
  3. Cloud Computing: a definition framework (Compliance, Governance, Regulation, Security, Risk). Reference: “Rational Survivability Blog”, Chris Hoff.
  4. IT Auditing: setting the scene
     Definition of IT Auditing: the process of collecting and evaluating evidence to determine whether a computer system (information system) safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources efficiently. (Definition: Information Systems Control and Audit, Ron Weber)
     Regulatory drivers, grouped on the slide by sector (Financial and Commerce, Social and Labour, Public Safety):
     • PCI DSS
     • Gramm-Leach-Bliley Act (US)
     • Sarbanes–Oxley (SOX)
     • SAS70
     • HIPAA
     • EU Directive on Data Security
     • Data Protection Act (UK)
     • Federal Information Security Act (US)
     • ISO 27k (International Standards Security Organisation)
  5. Why do businesses care? Auditing for Compliance
     Regulation: a principle, rule, or law designed to control or govern conduct.
     Forms of regulation shown on the slide: Legal, Co-operative, Social, Self, Market.
  6. Why do businesses care? Auditing for Governance and Risk
     IT Governance is concerned with how the performance and risk of an IT landscape are administered.
     Elements of governance shown on the slide: Processes, Institutions, Customs, Laws, Policies.
  7. Why do businesses care? Auditing for Security
     IT Security in Cloud is mainly concerned with data access and user privileges, in both the physical and virtual layers.
     Dimensions of security shown on the slide: Technical, Admin, Physical, Virtual.
  8. Past: deep dive
     • User: Access Rights; Policies; Reporting, Logging
     • Network: VPN, Firewall, Intrusion Detection; Event Logging
     • Application: User Privileges; Logging (Access, Transactions, Change Management)
     • DB: User Privileges; Security Policies (Password Encryption, Data Encryption); Logging (Access, Record Management); Data Replication
  9. Auditing was hard, but now:
     • 1:1 mapping doesn’t exist anymore. Ex: VMs, Virtual Landscapes, etc.
     • What typically used to be static is not anymore. Ex: dynamic change of IP, domain, datacenter, server, etc.
     • Audit Analysis – Data Storm problem: how to retrieve, correlate and extract meaningful data from an ever-increasing number of data sources. Tracking change becomes a priority.
     • Auditing is becoming a service: consumers may need to track business processes across multiple providers, so an audit trail may span multiple domains.
  10. Services: The New Delivery Model
     • Past – Software as Product: license model; customization required; managed by customer: customer buys application.
     • Present – Software as Service: pay per use / subscription model; remote delivery; managed by service provider: customer buys access to application.
     • Future – Business Services: composite services; business-process-focused; services provisioned by service provider: customer buys a service with no awareness of application.
  11. Present: deep dive (taken from 2006 JavaOne Conference, Session TS-1591)
     • Business Continuity
     • Contract of BC Procedures
     • Disaster Recovery Procedures
     • Permissions of External Services
     • Logging (Access, Data Management)
  12. Future? Outlook. Adapted from Chris Hoff – Draft v4.0.
  13. Data Confidentiality, Privacy, Integrity
     Problems:
     • Data stored, transmitted and processed outside of the organisation
     • Shared computing environments
     • No physical control of data
     • Physical and logical access managed by the provider
     • No controls to prevent data modification
     • No logging of events on data (access, modification, transmission)
     Implementation Challenges:
     • Data logging and monitoring
     • Separation of user directories and access control
     • Data security (encryption, key management, digital signatures)
     • Access control & reviews (firewalls, VPN)
     • Data Isolation
     • Define standards (information classification, encryption)
     • Procedural reviews (redundancy, error recovery)
  14. Service Availability
     Problems:
     • Network connectivity
     • Bottlenecking
     • Multi-tenancy
     • Availability
     • Limited ability for change control
     • Provider viability
     • Reliance on provider’s disaster recovery procedures
     Implementation Challenges:
     • Caching to address potential network issues
     • SLAs
     • ISP Network Availability
     • Change Control Process
     • Multiple Providers
     • Data Retrieval Process
  15. Regulations and Compliance
     Problems:
     • Data subject to new laws
     • Exposure to foreign governments and subpoenas
     • Retention requirements vary among jurisdictions
     • Audit of provider’s environment
     • Increased complexity to comply with standards
     Implementation Challenges:
     • Storage and transmission policies for jurisdictions
     • Agreement for privacy laws
     • Provider security certifications
     • External Audit review
     • Limit types of data transmission
  16. Problems arising from Cloud for Auditing
     IT Auditing: Compliance, Governance, Regulation, Security & Risk. Areas affected (shown as a word cloud on the slide): Application Controls, Change Management, Patch Management, Licensing, SLAs, Networking, Fraud Prevention, Privacy, Identity Management, Access, Outsourcing, Compensation, Assurance, Business Continuity, Improve Performance, Assess Deficiency, Responsibility, Risk, Regulation.
  17. Challenges for Auditing in Cloud
     • Federation of audit logs from distributed sources across multiple domains
     • Architecture and protocols for storage and retrieval of secure distributed audit logs
     • Compliance analysis of federated audit logs for SLAs and Regulation
     • Audit-based access of physical / network-based resources
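Slides 9 and 17 point at the same practical problem: audit events arrive keyed by identifiers (an IP, a server) that no longer map 1:1 to a workload, and records from several sources have to be federated before they mean anything. The following is an added example, not part of the deck or of SAP's work: it correlates constructed firewall events (keyed only by source IP) against a constructed hypervisor lease log so that each event is attributed to the VM that held the address at that moment, and flags events that no lease accounts for, which is exactly where a static IP-to-server assumption would misattribute activity.

```python
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not from the slides). The hypervisor lease log records
# which VM held which IP from a given time; None marks the address being released.
# Note that 10.0.0.5 is reused by a second VM later in the day.
LEASES = [
    ("2010-03-25T08:00:00", "10.0.0.5", "vm-erp-01"),
    ("2010-03-25T09:30:00", "10.0.0.5", None),
    ("2010-03-25T09:45:00", "10.0.0.5", "vm-test-07"),
    ("2010-03-25T08:00:00", "10.0.0.9", "vm-db-02"),
]

# Constructed firewall events, keyed only by source IP as a firewall would log them.
FW_EVENTS = [
    ("2010-03-25T08:15:00", "10.0.0.5", "ALLOW tcp/1433 -> 10.0.0.9"),
    ("2010-03-25T09:40:00", "10.0.0.5", "ALLOW tcp/22 -> 10.0.0.9"),
    ("2010-03-25T10:00:00", "10.0.0.5", "DENY tcp/1433 -> 10.0.0.9"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def build_lease_index(leases):
    """Per IP, a time-sorted list of (start, vm) transitions (vm=None: unassigned)."""
    index = defaultdict(list)
    for ts, ip, vm in leases:
        index[ip].append((parse(ts), vm))
    for transitions in index.values():
        transitions.sort(key=lambda t: t[0])
    return index

def owner_at(index, ip, when):
    """Return the VM that held `ip` at `when`, or None if no lease covers it."""
    transitions = index.get(ip, [])
    times = [t for t, _ in transitions]
    pos = bisect_right(times, when)  # number of transitions at or before `when`
    return transitions[pos - 1][1] if pos else None

def correlate(leases, fw_events):
    """Attach a VM identity to each IP-keyed event; events with no lease are flagged."""
    index = build_lease_index(leases)
    trail = []
    for ts, ip, msg in fw_events:
        vm = owner_at(index, ip, parse(ts))
        trail.append({"time": ts, "ip": ip, "vm": vm or "UNACCOUNTED", "event": msg})
    return trail
```

In the sample, the 09:40 event falls in the gap between one VM releasing 10.0.0.5 and the next acquiring it, so it is flagged rather than silently blamed on either workload.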
  18. Thank you! Jonathan Sinclair, Research Associate, SAP Research CEC Belfast, SAP [UK] Ltd, The Concourse, Queen‘s Road, Queen‘s Island, Titanic Quarter, Belfast BT3 9DT. T +44 (0)28 9078 5749, F +44 (0)28 9078 5777, E