The auditor's guide to ensuring correct security and privacy practices in a cloud computing environment
Many organizations are reporting or projecting significant cost savings through the use of cloud computing—utilizing shared computing resources to provide ubiquitous access for organizations and end users. Just as many organizations, however, are expressing concern with security and privacy issues for their organization's data in the "cloud." Auditing Cloud Computing provides the necessary guidance to build a proper audit to ensure that operational integrity and customer data protection, among other aspects, are addressed for cloud-based resources.
Timely and practical, Auditing Cloud Computing expertly provides information to assist in preparing for an audit addressing cloud computing security and privacy for both businesses and cloud-based service providers.
Page count: 295
Year of publication: 2011
Contents
Cover
Title Page
Copyright
Dedication
Preface
Chapter 1: Introduction to Cloud Computing
History
Defining Cloud Computing
Cloud Computing Services Layers
Roles in Cloud Computing
Cloud Computing Deployment Models
Challenges
In Summary
Chapter 2: Cloud-Based IT Audit Process
The Audit Process
Control Frameworks for the Cloud
Recommended Controls
Risk Management and Risk Assessment
In Summary
Chapter 3: Cloud-Based IT Governance
Governance in the Cloud
Governance
Implementing and Maintaining Governance for Cloud Computing
In Summary
Chapter 4: System and Infrastructure Lifecycle Management for the Cloud
Every Decision Involves Making a Tradeoff
What about Policy and Process Collisions?
The System and Management Lifecycle Onion
Mapping Control Methodologies onto the Cloud
Verifying Your Lifecycle Management
Risk Tolerance
Special Considerations for Cross-Cloud Deployments
The Cloud Provider's Perspective
In Summary
Chapter 5: Cloud-Based IT Service Delivery and Support
Beyond Mere Migration
Architected to Share, Securely
The Question of Location
Designed and Delivered for Trust
In Summary
Chapter 6: Protection and Privacy of Information Assets in the Cloud
The Three Usage Scenarios
What Is a Cloud? Establishing the Context—Defining Cloud Solutions and their Characteristics
The Cloud Security Continuum and a Cloud Security Reference Model
Cloud Characteristics, Data Classification, and Information Lifecycle Management
Regulatory and Compliance Implications
A Cloud Information Asset Protection and Privacy Playbook
In Summary
Chapter 7: Business Continuity and Disaster Recovery
Business Continuity Planning and Disaster Recovery Planning Overview
Augmenting Traditional Disaster Recovery with Cloud Services
Cloud Computing and Disaster Recovery: New Issues to Consider
In Summary
Chapter 8: Global Regulation and Cloud Computing
What is Regulation?
Why Do Regulations Occur?
The Real World—A Mixing Bowl
The Regulation Story
Effective Audit
Identifying Risk
In Summary
Chapter 9: Cloud Morphing: Shaping the Future of Cloud Computing Security and Audit
Where is the Data?
A Shift in Thinking
Cloud Morphing Strategies
Data in the Cloud
Cloud Storage
Cryptographic Protection of the Data
In Summary
Appendix: Cloud Computing Audit Checklist
About the Editor
About the Contributors
Index
Copyright © 2011 by Ben Halpert. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. For more information about Wiley products, visit our web site at www.wiley.com.
Library of Congress Cataloging-in-Publication Data
Auditing cloud computing: a security and privacy guide/[edited by] Ben Halpert.
p. cm.—(Wiley corporate F & A; 21)
ISBN 978-0-470-87474-5 (pbk); 978-1-118-11602-9 (ebk);
978-1-118-11603-6 (ebk); 978-1-118-11604-3 (ebk)
1. Business enterprises–Computer networks–Security measures. 2. Cloud computing–Security measures. 3. Information technology–Security measures. 4. Data protection. I. Halpert, Ben, 1986-
HF5548.37.A93 2011
005.8—dc22
Dedication
To my wife, for her love, patience, and unwavering support of all my endeavors.
Preface
As a keynote and session speaker at over 30 conferences to date, I am often asked for references regarding the topics I present. Experience has taught me that it is always best to have the references ready when asked. In 2009, I presented a session on cloud computing at the MIS Training Institute's 29th Annual IT Audit & Controls conference. The room included an audience of very attentive and eager attendees. During my presentation, I discussed the history of cloud computing, the different types of clouds, the rationale as to why organizations are so eager to move to the cloud, challenges of cloud computing, and considerations for leveraging cloud services. When addressing the section on the challenges of cloud computing, I reviewed properties of the cloud along with risks, security, and interoperability aspects. While discussing these topics, I talked about aspects that IT auditors need to consider when conducting an audit of cloud providers.
Throughout the session, there was great interaction among the attendees. During the question and answer segment, at the end, one attendee asked if I could recommend a book or other reference that IT auditors could leverage to increase their knowledge base related to cloud computing topics. At the time there were no such resources, so I responded that I was unaware of such materials targeted specifically at the IT audit community: hence, the origin of the idea for this book.
What you will find in the forthcoming chapters of this text is a collection of white papers written by thought leaders in the space of auditing cloud computing. Auditing Cloud Computing: A Security and Privacy Guide can be used in various ways, by a variety of audiences.
First, the chapters are arranged in an order that allows for a logical flow of information providing a comprehensive background in the subject matter. From an introduction to cloud computing, through governance, audit, legal, service delivery, and other perspectives, a holistic view of the cloud computing space is delineated. Second, this text can be used as a reference for specific aspects of cloud computing and questions that may arise during preparation of an audit program or throughout the course of an audit or assessment. Third, the material can support those individuals who want to learn more about the impact of cloud computing on the field of IT audit in support of industry certifications, such as the Certified Information Systems Auditor (CISA) credential, among others. Additionally, this compilation also addresses auditing the cloud from more than simply an auditor's perspective; it provides perspectives from both the cloud provider and the cloud service customer.
What you will not find in this book are specific technical controls or audit programs for various point technology solutions that enable the existence of cloud services. Developers of such solutions provide (or should provide!) configuration and hardening guides that can be referenced depending on the environment under consideration. Such specific configuration aspects will change with each code release or product update.
Content Delineation
The individual contributors to this text have labored to provide insight, based on their real-world experience, into many aspects that organizations will encounter during their foray into the cloud. The forthcoming chapters exemplify their vast knowledge of the subject matter. You will notice that in many of the chapters certain topics are revisited from the specific author's perspective (introductory material and organizations working the cloud space, as examples). This is not an error or oversight in the content of this text. Rather, it is meant to show the variation in the industry on perception and reality you may and will encounter.
In the first chapter, Omkhar Arasaratnam provides an introduction to the concepts involved in cloud computing. The chapter starts with a brief history of the origins of cloud computing and then introduces relevant definitions. Next, the different types of cloud categories are discussed, followed by a review of roles and deployment models in the cloud space. You will notice that care is taken to address aspects not only of cloud consumers, but of providers and integrators as well. This is a theme that continues throughout the chapters (although the specific terminology may deviate slightly based on an individual subject matter expert's experience in the industry). The chapter concludes with a discussion of cloud challenges that are then expounded upon in later chapters.
Chapter 2, Cloud-Based IT Audit Process, authored by Jeremy Rissi and Sean Sherman, serves as a gateway to the other chapters by providing an overview of what organizations can expect when creating audit programs for cloud environments. An overview of industry efforts, such as those of CSA, NIST, ISACA, and ENISA, is provided in relation to security and compliance programs. Recommended controls and then a discussion of risk management follow the overview.
As explained by the authors, before an organization should even consider utilizing cloud services, a governance model must be established. In Chapter 3, Mike Whitman and Herb Mattord provide an introduction to governance in the cloud. They then provide guidance on implementing, extending, and maintaining a governance program for cloud activities.
In Chapter 4, System and Infrastructure Lifecycle Management for the Cloud, Steve Riley explores traditional lifecycle management techniques as applied to cloud deployments. Lifecycle management has to be adapted for the cloud due to the fact that processes that were once handled by a single organization will now be shared or handed over completely, depending on the environment. Steve illustrates how existing lifecycle controls can be leveraged. A discussion on cross-cloud deployments follows and the chapter concludes with a cloud service provider's perspective along with a look into what control questions really count.
Peter Coffee then takes us through Cloud-Based IT Delivery and Support in Chapter 5. The concepts of "radical simplification" and "securely shared" are introduced. These concepts apply to all cloud deployment models, even private clouds. Architecture considerations for cloud service delivery and support are discussed in connection with the aforementioned tenets.
In Chapter 6, Protection and Privacy of Information Assets in the Cloud, Nikhil Kumar and Leon DuPree introduce us to the Cloud Security Continuum. The authors then map cloud characteristics against protection and privacy of information assets. A brief discussion of various aspects of regulation and compliance is then considered (more on regulatory and compliance matters in Chapter 8). The concept of the playbook is then introduced and expounded upon.
In Chapter 7, Business Continuity and Disaster Recovery, Jeff Fenton discusses Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) in general terms and then focuses on how cloud services can augment traditional BCP and DRP. Jeff concludes the chapter with specific aspects to consider when utilizing cloud services.
Global Regulation and Cloud Computing, Chapter 8, is authored by Jeremy Rissi and Sean Sherman. The authors provide background into regulations with which organizations must comply, along with cloud-specific considerations. We are presented with the realities of leveraging the cloud, given the global context of an evolving regulatory environment along with aspects for auditors to consider.
Liam Lynch and Tammi Hayes present the final chapter of the book, Cloud Morphing: Shaping the Future of Cloud Computing Security and Audit. As you will notice when reading the chapter, Liam is an active and founding member of the Cloud Security Alliance and the leader of the Trusted Cloud Initiative. The basic premise of the chapter is that change is a constant in the IT industry, and organizations and cloud service providers have to morph in order to provide specified levels of assurance for specific data. This industry evolution will allow for effective audit and compliance for business processes in the cloud.
I would like to express my gratitude to all the contributors who believed in the vision for this book and the need to support the IT audit community. Thank you to Brian Curtis for his guidance throughout the process and to Ronny Nussbaum for his critical eye. A special thank-you to Sheck Cho of John Wiley & Sons, Inc., for reaching out to get this project launched. Additionally, the professionalism displayed by Stacey Rivera, Jennifer MacDonald, Natasha Andrews-Noel, Helen Cho and the rest of the John Wiley & Sons, Inc. team made for a pleasurable journey.
Ben Halpert
Atlanta, GA
June 2011
Chapter 1
Introduction to Cloud Computing
Omkhar Arasaratnam
Cloud computing has taken the IT world by storm. Often viewed as the utopia of utility computing, cloud computing offers flexibility and financial benefits second to none. It also lowers the entry point to high performance computing, allowing organizations to leverage computing power that they have neither the capital budget nor operational expertise to acquire. This chapter provides background as to where cloud computing came from, what cloud computing is, and discusses some of the advantages and challenges with cloud computing.
History
Computing has evolved significantly over the last 60 years. In the early days, a large central computer would be used by an entire company. This gradually evolved to departmental computers in the 1970s and later personal computers in the 1980s and 1990s. Although cloud computing is a new term, as a concept it was predicted by computer scientist John McCarthy in the 1960s. McCarthy asserted: “Computation may someday be organized as a public utility.”
McCarthy had the foresight to predict what we today refer to as cloud computing. In the mid-1960s, Intel co-founder Gordon E. Moore famously predicted that the number of transistors (or computing power) that could be inexpensively placed on an integrated circuit would double every two years. This is commonly known as Moore's law. By the late 1990s, Moore's law had guided computing to heights beyond many organizations' predictions. Much of this demand was fueled by the now popular World Wide Web (WWW), which brought an age of networking and collaboration that had not been seen before.
Continue reading in the full edition!
