Cloud Compliance Auditing
Jonathan Sinclair, SAP Research Belfast, May 7th, 2011

Agenda
  • Fundamentals of Cloud, Compliance and Auditing
  • Use Case: Customer Relationship Management
  • Cloud Compliance Challenges
  • Compliance Auditing
  • Conclusions

Fundamentals: Cloud, Compliance and Auditing
“An undefined problem has an infinite number of solutions” (Robert A. Humphrey)

Fundamentals: Definitions
  • Compliance: being in accordance with relevant governmental or industrial laws, regulations and standards through governance processes.
  • Cloud Computing: clouds are a large pool of easily usable and accessible virtualized resources that can be dynamically reconfigured to adjust to a variable load.
  • Business Web: a business model and technical framework that represents a marketplace allowing providers and consumers to negotiate the usage of products.
  • Auditing: the process of collecting and evaluating evidence to determine whether a computer system (information system) safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources efficiently.

Fundamentals: Auditing, Legislation and Regulation
[Diagram] Government creates Legislation and the Regulator creates Regulation. Businesses have to comply with both, through Governance and Compliance. Businesses store and are responsible for Customer Data, and their IT Department uses IT to improve operations. The Auditor carries out a Compliance Check and produces a Compliance Report.

Fundamentals: Service Level Agreements and Event Processing
Service Level Agreements: SLAs are important in facilitating the definition of compliance requirements:
  • Legal Responsibilities
  • Quality of Service
  • Remedial Actions / Penalties
Event Processing: SLAs are no support to the consumer without enforcement or traceability:
  • Logs (Physical, Virtual, Logical)
  • Event Transport and Storage for services
  • Event Processing Rules derived from SLAs

Use Case: Customer Relationship Management
“Most human beings have an almost infinite capacity for taking things for granted” (Aldous Huxley)

Use Case: Customer Relationship Management (CRM): Problem Identification
  • Traditional Approach: due to increasing enforcement and financial penalties, legislative requirements are seen as equally important as functional requirements.
  • Application Heterogeneity: various applications perform differing tasks and integrate with CRM systems.
  • Storage Redundancy: data redundancy occurs when customer data is collected, stored and processed by different systems within the same organisation.
  • Resource Utilization: periodic processing causes elastic utilization.
  • Power Consumption: the cost of power and consumption varies with hardware and location.

Cloud Compliance Challenges
“The greatest challenge to any thinker is stating the problem in a way that will allow a solution.” (Bertrand Russell)

Cloud Compliance Challenges: Geo-Locality
The locality of data is of key importance to adhere to legislation, but what are the implications?
  • Cross-jurisdictional conflicts: difficulty in simultaneously complying with multiple laws.
  • Performance and Availability: geographic placement may hinder performance.
  • Disaster Recovery and Backup: legal restrictions may reduce the possibilities of providing an adequate disaster recovery solution.

Cloud Compliance Challenges: Data Accessibility
  • Company Multi-tenancy: different companies virtually co-located on the same physical infrastructure.
  • Systems Multi-tenancy: the same company co-locates different virtualized systems on the same physical infrastructure.
Who can access data? What data can be accessed? How should data be accessed?

Cloud Compliance Challenges: Data Retention
Retaining data in the Cloud:
  • How long can data be stored?
  • How should data be archived?
  • How much is budgeted to retain data?
Retaining data from the Cloud:
  • How can data be retrieved?
  • Is data integrity maintained?
  • Is data removed from the cloud?

Compliance Auditing
“A complex system that works is invariably found to have evolved from a simple system that works” (John Gaule)

Cloud Compliance Auditing - Closer 2011


Editor's Notes

  • #4 With the advancement of web-based infrastructures it is perceived that computing resources will become the 5th utility after water, electricity, gas and telephony.
  • #5 The foundational infrastructure upon which I am investigating my research will focus on cloud computing, which is currently the hype in distributed architectures. There is no single universal definition of an Information Systems audit, though in this context I define it as: However, companies willing to leverage this new business model have to abide by the current state of legislation, which hampers its adoption even though cloud offers benefits such as elasticity and rapid deployment, improving companies’ efficiencies in times of economic hardship. The risk and financial penalty associated with non-compliance is too great for businesses to ignore.
  • #7 So what fundamental technologies exist that could help tackle this problem…..
  • #8 Let's look at a typical government CRM setup to illustrate auditing issues for data governance when transitioning to a cloud-based environment.
  • #9 Traditionally CRM systems are deployed on premise within the government’s control and jurisdiction. The government, like enterprises, is under increasing pressure to improve return on investment (ROI) whilst maintaining both legal and regulatory compliance. It is common for organisations to have several local sites across a country and, consequently, multiple servers; the IT infrastructure at each location is independently managed. With systems such as CRM, integration has the following problems:
  • #11 The customer consumes services over the internet, therefore locality is not necessarily important. Infrastructure providers may choose the geographic placement of data centers based on environmental, economic or political factors such as energy. However, the physical location of data being accessed, stored, processed or transferred is of critical importance to the application of data protection legislation such as the EU Directive. Geographic locality challenges audit and compliance in the following forms:
  • #12 Data access is another point of contention with respect to compliance. Consumers must consider the compliance requirements when deploying services in terms of: Who can access data? What data can be accessed? How should data be accessed?
  • #16 The data and logs returned from various logical, physical or virtual components in the system. The source may be a sensor, application, messaging framework, business process, data store or client application. Each source is authenticated, uses secure means of communication and is verified using a system similar to trusted platform computing (TPC). An ESB controls how data is routed to the event processing engine, in a standardized format. Anomalous Filtering: removes data that is not relevant to the compliance process. Temporal Filtering: synchronizes time and event type inconsistencies and correlates events, aggregating data. Compliance Filtering: event streams are compared and evaluated against business rules that have been derived from the legislation. This enables us to process historic queries and results from event correlation, which will enable us in future work to provide predictive analysis. Queries can be defined by the user and can be evaluated at run-time or on historic data.
  • #17 Service Provider – Entities who create software components / elements of code; they may compose multiple service offerings to provide a new offering. Cloud Provider – A unique type of service provider that provides utility compute / storage resources. Service Consumer – The end user or company that procures the service, be it Software, Platform or Infrastructure as a Service. Service Aggregator – A specialised consumer who procures generic services and aggregates them with their own or others' services to form a composite service. Service Broker – A service broker acts as an intermediary / marketplace to expose services from service / cloud providers; in essence it acts as an advertising, directory and delivery resource for services. The service delivery is managed by the broker when services are procured at run-time. Service Hoster – The deployment-enabling intermediary between the service broker and infrastructure providers. The hoster allows various platform and infrastructure technologies to be exposed comparatively and matched with the technical need requested by the broker. The hoster enables services to be discovered and accessed for different purposes. Service Auditor – This is the main implementation of the proof of concept; the SA is a third party that integrates with the current service deployment and runtime process in order to enforce compliance.
  • #19 Legal and regulatory compliance issues are seen as important by businesses. Despite heavy financial and incarceration penalties, processes for auditing compliance currently focus on periodic reporting. By addressing the cloud auditing constraints, businesses can:
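The event-processing pipeline described in note #16, together with the "Event Processing Rules derived from SLAs" point on the Fundamentals slides, as an added example that is not part of the original deck: constructed events from an application, a data store and a sensor pass through anomalous, temporal and compliance filtering, where the two business rules (EU-only data locality and tenant isolation) are assumed to have been derived from an SLA. Field names, tenants, regions and record ids are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timezone
# Constructed sample events from heterogeneous sources (application, data store,
# sensor); field names, tenants and regions are assumptions made for this example.
EVENTS = [
    {"ts": "2011-05-07T09:00:00Z", "src": "app", "type": "data.store",
     "tenant": "govA", "region": "EU", "record": "cust-1"},
    {"ts": "1304758920", "src": "store", "type": "data.replicate",  # epoch seconds
     "tenant": "govA", "region": "US", "record": "cust-1"},
    {"ts": "2011-05-07T09:05:00Z", "src": "sensor", "type": "temp.reading", "value": 21.5},
    {"ts": "2011-05-07T09:06:00Z", "src": "app", "type": "data.access",
     "tenant": "govB", "region": "EU", "record": "cust-1"},
]
RELEVANT = {"data.store", "data.replicate", "data.access", "data.delete"}

def anomalous_filter(events):
    """Anomalous filtering: drop events with no bearing on the compliance process."""
    return [e for e in events if e["type"] in RELEVANT]

def parse_ts(ts):
    """Normalise the two timestamp formats the sources emit to aware UTC datetimes."""
    if ts.isdigit():
        return datetime.fromtimestamp(int(ts), tz=timezone.utc)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def temporal_filter(events):
    """Temporal filtering: synchronise time formats, order and correlate per record."""
    ordered = sorted(({**e, "when": parse_ts(e["ts"])} for e in events),
                     key=lambda e: e["when"])
    by_record = defaultdict(list)
    for e in ordered:
        by_record[e["record"]].append(e)
    return by_record

# Rules derived from an assumed SLA: data stays in the EU; only the storing tenant may access it.
def rule_geo_locality(history):
    return [e for e in history if e["region"] != "EU"]

def rule_tenant_isolation(history):
    owner = history[0]["tenant"]
    return [e for e in history if e["type"] == "data.access" and e["tenant"] != owner]
RULES = {"geo-locality": rule_geo_locality, "tenant-isolation": rule_tenant_isolation}

def compliance_filter(by_record):
    """Compliance filtering: evaluate each correlated stream against every rule."""
    return [(rec, name, e["type"], e["when"].isoformat())
            for rec, hist in by_record.items()
            for name, rule in RULES.items() for e in rule(hist)]

def audit(events):  # full pipeline; returns the list of SLA violations found
    return compliance_filter(temporal_filter(anomalous_filter(events)))
```

Each violation carries the record, the rule name, the event type and the normalised timestamp, which is what a compliance report needs to trace back to the originating log entry.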