Cloud Compliance Auditing - Closer 2011
•
5 likes•977 views
This document discusses cloud compliance auditing. It begins with definitions of cloud computing, compliance, and auditing. It discusses how legislation and regulations create compliance requirements that businesses and auditors must adhere to. Service level agreements are important for defining compliance needs. The document then examines a customer relationship management use case and challenges of ensuring compliance for data accessibility, retention, and geo-locality in cloud environments. It presents a logical architecture for cloud compliance auditing consisting of distributed event source, processing, and storage layers to help address these challenges.
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Cloud Compliance Auditing - Closer 2011
Similar to Cloud Compliance Auditing - Closer 2011 (20)
Recently uploaded
Recently uploaded (20)
Cloud Compliance Auditing - Closer 2011
- 1. Cloud Compliance Auditing Jonathan Sinclair SAP Research BelfastMay 7th, 2011
- 2. Agenda Fundamentals of Cloud, Compliance and Auditing Use Case: Customer Relationship Management Cloud Compliance Challenges Compliance Auditing Conclusions
- 3. Fundamentals Cloud, Compliance and Auditing “An undefined problem has an infinite number of solutions” Robert A. Humphrey
- 4. FundamentalsDefinitions Compliance Compliance is defined as being in accordance with relevant governmental or industrial laws, regulations and standards through governance processes. Cloud Computing Clouds are a large pool of easily usable and accessible virtualized resources that can be dynamically reconfigured to adjust to a variable load. Business Web Auditing A business model and technical framework that represents a marketplace allowing providers and consumers to negotiate the usage of products. The process of collecting and evaluating evidence to determine whether a computer system (information system) safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources efficiently.
- 5. FundamentalsAuditing Legislation & Regulation creates creates creates creates Regulator Regulator Government Government Legislation Regulation Legislation Regulation Governance Governance Compliance Compliance have to comply with have to comply with have to comply with have to comply with Auditor Auditor store and are responsible for store and are responsible for use IT to improve operations use IT to improve operations Compliance Check Compliance Check Compliance Report Compliance Report IT Department IT Department Businesses Businesses Customer Data Customer Data
- 9. Event Transport and Storage for services
- 11. Use Case: Customer Relationship Management (CRM)Problem Identification Traditional Approach Due to increasing enforcement and financial penalties legislation requirements are seen as equally important as functional requirements. Application Heterogeneity Various applications perform differing tasks and integrate with CRM systems. Storage Redundancy Data redundancy occurs when customer data is collected, stored and processed by different systems within the same organisation Resource Utilization Periodic Processing causes elastic utilization Power Consumption Cost of power and consumption can varies with hardware and location
- 12. Cloud Compliance Challenges “The greatest challenge to any thinker is stating the problem in a way that will allow a solution.” Bertrand Russell
- 13. Cloud Compliance ChallengesGeo-Locality The locality of data is of key importance to adhere to legislation, but what are the implications: Cross-jurisdictional conflictions Difficulty in simultaneously complying with multiple laws. Performance and Availability Geographic placement may hinder performance. Disaster Recovery and Backup Legal restrictions may reduce the possibilities of providing an adequate disaster recovery solution.
- 14. Cloud Compliance ChallengesData Accessibility Company Multi-tenancy Different companies virtually co-located on same physical infrastructure Systems Multi-tenancy Same company co-locates different virtualized systems on same physical infrastructure Who can access data ? What data can be accessed ? How should data be accessed ?
- 16. How should data be archived ?
- 18. Is data integrity maintained ?
- 23. Conclusions “A conclusion is the place where you got tired of thinking” Harold Fricklestein
- 25. Maintain compliance with data security / privacy laws
- 26. Assure that service providers, integrators or composers cannot
- 27. access data within a consumer’s service
Editor's Notes
- With the advancement of web-based infrastructures it is perceived that computing resource will become the 5th utility after water, electricity, gas and telephony
- The foundational infrastructure upon which I am investigating my research will focus on cloud computing which is currently the hype in distributed architectures.There is no single universal definition of an InformationSystems audit, though in this context I define it as:However, companies willing to leverage this new business model have to abide by the current state of legislation which hampers its adoption even thoughcloud offers benefits such as elasticity and rapid deployment, improving companies’ efficiencies in times of economic hardship. The risk and financial penalty associated with non-compliance is too great for businesses to ignore.
- So what fundamental technologies exist that could help tackle this problem…..
- Lets look at a typical government CRM setup to illustrate auditing issues for data governance when transitioning to a cloud-based environment.
- Traditionally CRM systems are deployed on premise within the government’s control and jurisdiction.The government like enterprises are under increasing pressure to improve return on investment (ROI) whilst maintaining both legal and regulatory compliance.It is common for organisations may have several local sites across a country and consequently, multiple servers. IT infrastructure at locations are independently managed. With systems such as CRM, integration has the following problems:
- Customer consumes services over the internet, therefore locality is not necessarily importantInfrastructure providers may choose the geographic placement of data centers based on environmental, economical or political factors such as energy.However the physical location of data being accessed, stored, processed or transferred is of critical importance to the applications of data protection legislation such as EUDirective.Geographic locality challenges audit and compliance in the following forms:
- Data access is another point of contention with respect to compliance.Consumers must consider the compliance requirements of when deploying services in terms of:Who can access data? What data can be accessed? How should data be accessed?
- The data and logs returned from various logical, physical or virtual components in the system. The source may be a sensor, application, messaging framework, business process, data store, client applications.Each source is authenticated and uses secure means of communication and verified using a system similar to trusted platform computing (TPC).An ESB controls how data is routed to the event processing engine, in a standardized format.Anomalous Filtering: Removes data that is not relevant to the compliance process.Temporal Filtering: Synchronizes time and event type inconsistencies and correlates events, aggregating dataCompliance Filtering: Event streams are compared and evaluated against business rules that have been derived from the legalizationThis enables us to process historic queries and results from event correlation which enable us in future works to provide predictive analysisQueries can be defined by the user and can be compared in run-time or on historic data.
- Service Provider – Entities who create software components / elements of code, may compose multiple service offerings to provide a new offering.Cloud Provider – Unique type of service provider, that provides utility compute / storage resource.Service Consumer – The end user or company that procures the service, be it Software, Platform or Infrastructure as a ServiceService Aggregator – A specialised consumer who procures generic services and aggregate them with their own or others services to form a composite service.Service Broker – A service broker acts as an intermediary / marketplace to expose services from service / cloud providers, in essence it acts as an advertising, directory and delivery resource for services. The service delivery is managed by the broker when services are procured at run-time.Service Hoster – The deployment enabling intermediary between the service broker and infrastructure providers. The hoster allows various platform and infrastructure technologies to be exposed comparatively and matched with the technical need requested by the broker. The hoster enables services to be discovered and accessed for different purposes.Service Auditor – This is the main implementation of the proof of concept, the SA is a third-party that integrates with the current service deployment and runtime process, in order to enforce compliance.
- Legal and regulatory compliance issues are seen as important by businesses. Despite heavy financial and incarceration penalties, processes for auditing compliance currently focus on periodic reporting. By addressing the cloud auditing constraints, businesses can: