Auditing Cloud Computing: A Security and Privacy Guide


Gain assurance with your hosted services with Auditing Cloud Computing

Cloud Computing has taken the IT world by storm. Often viewed as the utopia of utility computing, Cloud Computing offers flexibility and financial benefits second to none. But in today's high-stakes corporate world, one devastating breach could quickly break a company. Learn how to harness and secure the computing power of the Cloud while helping your bottom line with Auditing Cloud Computing.

Edited by Ben Halpert, a well-respected authority in IT security, Auditing Cloud Computing presents a rich compilation of ideas and strategies from thought leaders who show you how to develop better ways of evaluating the security and privacy practices of Cloud services.

This comprehensive collection of papers is arranged to allow for a logical flow of information—beginning with a thorough introduction to the field, followed by in-depth coverage of governance, audit, legal, service delivery, and other perspectives—to provide you with a 360 perspective of the Cloud Computing space.

Designed to help you audit the security and privacy of your hosted services, Auditing Cloud Computing answers your Cloud-related questions, including:

  • Is the Cloud secure enough to house my data?
  • What kind of data shouldn't be stored in the Cloud?
  • What are the key regulatory issues?
  • Why do I need to establish a governance model before using the Cloud?
  •   What steps do I need to take to remain in compliance?
  • What are the causes and effects of regulation?
  • What are the real and perceived risks and benefits?
  • How do I balance business risk and business opportunity with the appropriate internal audit?
  • What are the traditional lifecycle management techniques?
  • What are the Cloud's benefits over traditional IT outsourcing?
  •   How do I manage my company's service agreements?
  • What is the future of regulation?
  • What's holding Cloud Computing back?

Timely and practical, Auditing Cloud Computing lays out the groundwork to help you and your organization build a proper audit that ensures operational integrity and customer data protection for Cloud-based resources.  

BEN HALPERT, CISSP, is an information security researcher and practitioner. He has keynoted and presented sessions at numerous conferences and was a contributing author to Readings and Cases in the Management of Information Security and the Encyclopedia of Information Ethics and Security. Halpert writes a monthly security column for Mobile Enterprise magazine as well as an IT blog ( He is also an adjunct instructor and on the advisory board of numerous colleges and universities.
Preface xiii

Chapter 1: Introduction to Cloud Computing 1

History 1

Defining Cloud Computing 2

Elasticity 2

Multitenancy 3

Economics 3

Abstraction 3

Cloud Computing Services Layers 4

Infrastructure as a Service 5

Platform as a Service 5

Software as a Service 6

Roles in Cloud Computing 6

Consumer 6

Provider 6

Integrator 7

Cloud Computing Deployment Models 8

Private 8

Community 8

Public 9

Hybrid 9

Challenges 9

Availability 10

Data Residency 10

Multitenancy 11

Performance 11

Data Evacuation 12

Supervisory Access 12

In Summary 13

Chapter 2: Cloud-Based IT Audit Process 15

The Audit Process 16

Control Frameworks for the Cloud 18

ENISA Cloud Risk Assessment 20

FedRAMP 20

Entities Using COBIT 21

CSA Guidance 21

CloudAudit/A6—The Automated Audit, Assertion, Assessment, and Assurance API 22

Recommended Controls 22

Risk Management and Risk Assessment 26

Risk Management 27

Risk Assessment 27

Legal 28

In Summary 29

Chapter 3: Cloud-Based IT Governance 33

Governance in the Cloud 36

Understanding the Cloud 36

Security Issues in the Cloud 37

Abuse and Nefarious Use of Cloud Computing 38

Insecure Application Programming Interfaces 39

Malicious Insiders 39

Shared Technology Vulnerabilities 39

Data Loss/Leakage 40

Account, Service, and Traffic Hijacking 40

Unknown Risk Profile 40

Other Security Issues in the Cloud 41

Governance 41

IT Governance in the Cloud 44

Managing Service Agreements 44

Implementing and Maintaining Governance for Cloud Computing 46

Implementing Governance as a New Concept 46

Preliminary Tasks 46

Adopt a Governance Implementation Methodology 48

Extending IT Governance to the Cloud 49

In Summary 52

Chapter 4: System and Infrastructure Lifecycle Management for the Cloud 57

Every Decision Involves Making a Tradeoff 57

Example: Business Continuity/Disaster Recovery 59

What about Policy and Process Collisions? 60

The System and Management Lifecycle Onion 61

Mapping Control Methodologies onto the Cloud 62

Information Technology Infrastructure Library 63

Control Objectives for Information and Related Technology 64

National Institute of Standards and Technology 65

Cloud Security Alliance 66

Verifying Your Lifecycle Management 67

Always Start with Compliance Governance 67

Verification Method 68

Illustrative Example 70

Risk Tolerance 72

Special Considerations for Cross-Cloud Deployments 73

The Cloud Provider’s Perspective 74

Questions That Matter 75

In Summary 76

Chapter 5: Cloud-Based IT Service Delivery and Support 79

Beyond Mere Migration 80

Architected to Share, Securely 80

Single-Tenant Offsite Operations

(Managed Service Providers) 81

Isolated-Tenant Application Services

(Application Service Providers) 81

Multitenant (Cloud) Applications and Platforms 82

Granular Privilege Assignment 82

Inherent Transaction Visibility 84

Centralized Community Creation 86

Coherent Customization 88

The Question of Location 90

Designed and Delivered for Trust 91

Fewer Points of Failure 91

Visibility and Transparency 93

In Summary 93

Chapter 6: Protection and Privacy of Information Assets in the Cloud 97

The Three Usage Scenarios 99

What Is a Cloud? Establishing the Context—Defining Cloud

Solutions and their Characteristics 100

What Makes a Cloud Solution? 101

Understanding the Characteristics 104

Service Based 104

On-Demand Self-Service 104

Broad Network Access 104

Scalable and Elastic 105

Unpredictable Demand 105

Demand Servicing 105

Resource Pooling 105

Managed Shared Service 105

Auditability 105

Service Termination and Rollback 106

Charge by Quality of Service and Use 106

Capability to Monitor and Quantify Use 106

Monitor and Enforce Service Policies 107

Compensation for Location Independence 107

Multitenancy 107

Authentication and Authorization 108

Confidentiality 108

Integrity 108

Authenticity 108

Availability 108

Accounting and Control 109

Collaboration Oriented Architecture 109

Federated Access and ID Management 109

The Cloud Security Continuum and a Cloud Security Reference Model 110

Cloud Characteristics, Data Classification, and Information

Lifecycle Management 113

Cloud Characteristics and Privacy and the Protection

of Information Assets 113

Information Asset Lifecycle and Cloud Models 114

Data Privacy in the Cloud 118

Data Classification in the Context of the Cloud 119

Regulatory and Compliance Implications 119

A Cloud Information Asset Protection and Privacy Playbook 121

In Summary 124

Chapter 7: Business Continuity and Disaster Recovery 129

Business Continuity Planning and Disaster Recovery

Planning Overview 129

Problem Statement 130

The Planning Process 131

The Auditor’s Role 133

Augmenting Traditional Disaster Recovery with Cloud Services 135

Cloud Computing and Disaster Recovery: New Issues to Consider 136

Cloud Computing Continuity 136

Audit Points to Emphasize 138

In Summary 139

Chapter 8: Global Regulation and Cloud Computing 143

What is Regulation? 144

Federal Information Security Management Act 146

Sarbanes-Oxley Law 146

Health Information Privacy Accountability Act 146

Graham/Leach/Bliley Act 147

Privacy Laws 147

Why Do Regulations Occur? 148

Some Key Takeaways 149

The Real World—A Mixing Bowl 149

Some Key Takeaways 151

The Regulation Story 151

Privacy 153

International Export Law and Interoperable Compliance 154

Effective Audit 155

Identifying Risk 156

In Summary 156

Chapter 9: Cloud Morphing: Shaping the Future of Cloud Computing Security and Audit 161

Where Is the Data? 162

A Shift in Thinking 164

Cloud Security Alliance 165

CloudAudit 1.0 166

Cloud Morphing Strategies 166

Virtual Security 167

Data in the Cloud 168

Cloud Storage 169

Database Classes in the Cloud 171

Perimeter Security 171

Cryptographic Protection of the Data 172

In Summary 173

Appendix: Cloud Computing Audit Checklist 175

About the Editor 181

About the Contributors 183

Index 191