Audit and Assurance of Cloud Computing Part 1 - PowerPoint PPT Presentation


Transcript and Presenter's Notes

Title: Audit and Assurance of Cloud Computing Part 1

Audit and Assurance of Cloud Computing Part 1
  • C Delano Gray
  • June 23, 2012

Cloud Computing
  • TSO (IBM's Time Sharing Option) fulfills a similar
    purpose to Unix login sessions. Time-sharing means
    that many people can access the operating system
    concurrently, while unaware that others are also
    accessing the operating system. It appears to each
    TSO user that they are the only user on the system.
  • TSO is most commonly used by mainframe system
    administrators and programmers. It provides:
  • A text editor
  • Batch job support, including completion
  • Debuggers for some programming languages used on
    System/360 and later IBM mainframes
  • Support for other vendors' end-user applications,
    for example for querying DB2 databases

  • When computer usage evolved from batch mode to
    interactive mode, multiprogramming was no longer
    a suitable approach. Each user wanted to see his
    program running as if it were the only program in
    the computer. The use of time sharing made this
    possible, with the qualification that the
    computer would not seem as fast to any one user
    as it really would be if it were running only
    that user's program.

Where Do We Start
  • As CxOs search for ways to meet ever-increasing
    IT demands, many are closely examining cloud
    computing as a real option for their enterprise
    needs. The promise of cloud computing is arguably
    revolutionizing the IT services world by
    transforming computing into a ubiquitous utility,
    leveraging attributes such as increased agility,
    elasticity, storage capacity and redundancy to
    manage information assets.

Start 2
  • The continued influence and innovative use of the
    Internet has enabled cloud computing to utilize
    existing infrastructure and transform it into
    services that could provide enterprises both
    significant cost savings and increased
    efficiency. Enterprises are realizing there is a
    potential to leverage this innovation to better
    serve customers and gain business advantage.

  • By offering enterprises the opportunity to
    decouple their IT needs and their infrastructure,
    cloud computing has the likely ability to offer
    enterprises long-term IT savings, including
    reducing infrastructure costs and offering
    pay-for-service models. By moving IT services to
    the cloud, enterprises can take advantage of
    using services in an on-demand model.
  • Less up-front capital expenditure is required,
    which allows businesses increased flexibility
    with new IT services.

What Exactly is It???
  • One of the most confusing issues surrounding the
    cloud and its related services is the lack of
    agreed-upon definitions.
  • As with all emerging technologies, the lack of
    clarity and agreement often hinders the overall
    evaluation and adoption of that technology.
  • Two groups that have offered a baseline of
    definitions are the National Institute of
    Standards and Technology (NIST) and the Cloud
    Security Alliance. They both define cloud
    computing as a model for enabling convenient,
    on-demand network access to a shared pool of
    configurable computing resources (e.g., networks,
    servers, storage, applications and services) that
    can be rapidly provisioned and released with
    minimal management effort or service provider
  • Another way to describe services offered in the
    cloud is to liken them to that of a utility. Just
    as enterprises pay for the electricity, gas and
    water they use, they now have the option of
    paying for IT services on a consumption basis.

  • The two words in the phrase "cloud computing" have
    the following interpretations:
  • Cloud: As a noun, this is a metaphor for the
    Internet, and as an adjective it means pertaining
    to the Internet. This usage derives from the
    cloud symbols that represent the Internet on
  • Computing: Any IT activity carried out
  • When using a local server or a personal
    computer, which implies that the IT resources
    are under the exclusive control of the user.
  • To store, manage, and process data, which
    implies that the data is private to the user, in
    the sense that it is determined by them, even if
    it is accessible by others.

Introduction 2
  • This means that cloud computing is a type of
    Internet-based computing, and it consists of
    every situation where the use of IT resources by
    an entity, including a person or an
    organization, has all of the following
  • Access to the resources is
  • Controlled by the entity, and restricted by them
    to their authorized users.
  • Delivered via the Internet to all of these users.
  • The resources are
  • Hosted by a service provider on behalf of the
  • Dedicated to their exclusive use.
  • Data processed by the resources is
  • Private to the entity and its associates.
  • Entered or collected by them, or automatically
    produced for them.

Introduction 3
  • Depending on the context, cloud computing can
  • Access to and use of the resources.
  • The hosting and delivery service that provides
    this access.
  • A model for enabling such access and delivery.
  • The hosted resources or services themselves.
  • The computing execution carried out by the
  • Technology used for the provision of the services.

Additional Features
  • Internet versus network accessibility
  • There are several deployment models that make
    cloud computing available on the Internet in a
    variety of public or private computer systems.
  • Besides these, there are also IT systems that
    have some of the same typical characteristics and
    advantages as cloud computing, but that, for
    security reasons, are accessible only via a
    private network, rather than the Internet. These
    have been described as cloud computing-like,
    but, because of the shared features, they are
    sometimes included as part of cloud computing

  • Cloud software is also known as cloudware, and it
    includes cloud
  • Applications
  • Databases
  • Platforms
  • Data-centre operating systems.

Cloud Operations
  • Cloud operations are IT operations that provide,
    support or develop cloud systems, or that manage
    cloud data-centers.
  • Cloud operations use cloud engineering, which is
    the application of systems engineering and
    software engineering to the design of cloud
    systems, and cloud architecture, which is the
    structure of these systems, in terms of their
    components and the way they interact with each
    other and with external systems

  • Cloud computing has been described as a model
    for enabling particular types of access to and
    delivery of IT services

Service models
  • There are three main cloud-computing service
    models, and these represent the three types of
    computing generally required by consumers:
    software applications (SaaS) to process their
    data, platforms (PaaS) to develop applications,
    and infrastructure (IaaS) to run software and
    store data

Software as a Service
  • Software as a Service (SaaS) provides software
    that is specific to its consumers' end-user
    requirements, including traditional applications
    such as accounting and email. This is the
    largest group of cloud services, and it provides
    a very wide range of software.
  • The host manages the software, and the
    infrastructure that runs this software and that
    stores data. It may use its own infrastructure,
    which is then said to be in-house or on-premise,
    or it may use another cloud provider for this

Software as a Service
  • The consumers do not control the software, beyond
    the usual configuration settings, or the
    infrastructure, beyond changing the resources
    they use, such as the amount of disk space
    required for their data.
  • For the usual security reasons that apply when
    managing a data-centre, such as mitigating the
    risk of an infrastructure outage, the host will
    regularly back up all data, across all tenants.
    Consumers can also back up their own data in
    their own disk space, which they should do if the
    provider's backups do not meet their recovery
    objectives.
  • SaaS may be accessible from a variety of cloud

Desktop as a Service
  • Desktop as a Service (DaaS) is the hosting of a
    desktop PC software environment, including
    office-productivity applications, such as word
    processing, by a SaaS provider. This is done so
    that only a thin client, with perhaps just a web
    browser, need be used to access all the required
    software, and this can be financially
    advantageous for the consumer. Also, it
    simplifies deployment and administration of the
    PC environment.
  • DaaS is also known as a cloud desktop or desktop
    in the cloud.

Platform as a Service
  • Platform as a Service (PaaS) consists of
    software-development and deployment platforms,
    known as cloud platforms, located in the cloud.
  • With this type of service, the host provides a
    complete software-development and run-time
    environment, including programming languages and
    related infrastructure, so that the consumers can
    either create their own software on this
    platform, or deploy software that was developed
    elsewhere, but that needs this same environment
    to run.
  • The infrastructure can include a database and
    identity-management, or access-control, software

Infrastructure as a Service
  • Infrastructure as a Service (IaaS) consists of
    hardware infrastructure that is located in the
    cloud. It includes cloud storage, cloud servers
    and cloud networks, and is also known as Hardware
    as a Service (HaaS). The infrastructure can be
    used to run software or simply to store data.
  • The consumers can be end-users, developers or
    other cloud providers. For example, SaaS
    providers can use IaaS providers to run their
    applications or to store their consumers' data.

What It Is Not
  • Cloud computing isn't just the same as Internet
    computing, and the Intercloud doesn't include all
    the websites on the Internet.
  • For example, the following are excluded from
    cloud computing:
  • Publicly accessible websites that process the
    same data for every visitor, such as web search
    engines. There is no private-data aspect for
    these sites.
  • All web pages that provide a calculation feature,
    but without managing private data, such as a
    financial institution's loan-repayment
  • All sites that only provide information, rather
    than a computation facility.

Cloud Is More Than A Buzz
  • It is now an integral part of our lives
  • Has changed how businesses can process
  • Business Leaders are increasingly familiar with
    it and recognize its potential

US National Institute of Standards and Technology
Cloud Computing Essential Characteristics
  • On-demand self-service
  • A consumer can unilaterally provision computing
    capabilities, such as server time and network
    storage, as needed and automatically, without
    requiring human interaction with each service
    provider.
  • Broad network access
  • According to NIST, capabilities are available
    over the network and accessed through standard
    mechanisms from almost any client device (e.g.,
    smart phone, laptop, mobile devices, PDA)

Cloud Computing Essential Characteristics 2
  • Resource pooling
  • The provider's computing resources are pooled to
    serve multiple customers using a multitenant
    model, with different physical and virtual
    resources dynamically assigned and reassigned
    according to demand. There is a sense of location
    independence. The customer generally has no
    control or knowledge over the exact location of
    the provided resources. However, he/she may be
    able to specify location at a higher level of
    abstraction (e.g., country, region or data
    center). Examples of resources include storage,
    processing, memory, network bandwidth and virtual

Cloud Computing Essential Characteristics 3
  • Rapid Elasticity
  • Capabilities can be rapidly and elastically
    provisioned, in many cases automatically, to
    scale out quickly and rapidly released to scale
    in quickly. To the customer, the capabilities
    available for provisioning often appear to be
    unlimited and can be purchased in any quantity at
    any time.
  • Measured Service
  • Cloud systems automatically control and optimize
    resource use by leveraging a metering capability
    (e.g., storage, processing, bandwidth and active
    user accounts). Resource usage can be monitored,
    controlled and reported, providing transparency
    for both the provider and customer of the
    utilized service.

  • Private cloud
  • Operated solely for an organization. May be
    managed by the organization or a third party
  • May exist on-premise or off-premise. Of the
    deployment models, this carries the least risk.
  • May not provide the scalability and agility of
    public cloud services
  • Community cloud
  • Shared by several organizations. Supports a
    specific community that has a shared mission or
    interest. May be managed by the organizations or
    a third party
  • May reside on-premise or off-premise. Carries the
    same risks as a private cloud, plus data may be
    stored with the data of competitors.

  • Public cloud
  • Made available to the general public or a large
    industry group.
  • Owned by an organization selling cloud services
  • Carries the same risks as a community cloud, plus
    data may be stored in unknown locations and may
    not be easily
  • Hybrid cloud
  • A composition of two or more clouds (private,
    community or public) that remain unique entities
    but are bound together by standardized or
    proprietary technology that enables data and
    application portability.
  • Aggregate risk of merging different deployment
  • Classification and labeling of data will be
    beneficial to the security manager to ensure that
    data are assigned to the correct cloud type.

What, When, How to Move to the Cloud
  • Identify the asset(s) for cloud deployment
  • Data
  • Applications/Functions/Process
  • Evaluate the asset
  • Determine how important the data or function is
    to the org

Evaluate the Asset
  • How would we be harmed if:
  • The asset became widely public and widely
    distributed?
  • An employee of our cloud provider accessed the
  • The process or function were manipulated by an
  • The process or function failed to provide
    expected results?
  • The info/data was unexpectedly changed?
  • The asset were unavailable for a period of time?

  • Service contracts should address:
  • Architectural Framework
  • Governance and Enterprise Risk Management
  • Legal and e-Discovery
  • Compliance and Audit
  • Information Lifecycle Management
  • Portability and Interoperability

  • Security, Business Continuity and Disaster Recovery
  • Data Center Operations
  • Incident Response Issues
  • Application Security
  • Encryption and Key Management
  • Identity and Access Management
  • Virtualization

Principles for Cloud Computing
  • The Enablement Principle: Plan for cloud
    computing as a strategic enabler, rather than as
    an outsourcing arrangement or technical platform.
  • The Cost/Benefit Principle: Evaluate the
    benefits of cloud acquisition based on a full
    understanding of the costs of cloud compared with
    the costs of other technology platform business
  • The Enterprise Risk Principle: Take an
    enterprise risk management (ERM) perspective to
    manage the adoption and use of cloud.
  • The Capability Principle: Integrate the full
    extent of capabilities that cloud providers offer
    with internal resources to provide a
    comprehensive technical support and delivery
  • The Accountability Principle: Manage
    accountabilities by clearly defining internal and
    provider responsibilities.
  • The Trust Principle: Make trust an essential
    part of cloud solutions, building trust into all
    business processes that depend on cloud computing

The Effects of SSAE 16
  • SSAE 16 is an enhancement to the current standard
    for Reporting on Controls at a Service

Who Needs an SSAE 16 Audit?
Audit and Assurance of Cloud Computing Part 2
  • C Delano Gray
  • June 23, 2012

Audit and Security
Cloud Computing Audit and Security
  • Cloud computing security (sometimes referred to
    simply as "cloud security") is an evolving
    sub-domain of computer security, network
    security, and, more broadly, information
    security. It refers to a broad set of policies,
    technologies, and controls deployed to protect
    data, applications, and the associated
    infrastructure of cloud computing

Security Issues Associated With the Cloud
  • There are a number of security issues/concerns
    associated with cloud computing, but these issues
    fall into two broad categories: security issues
    faced by cloud providers (organizations providing
    Software-, Platform-, or Infrastructure-as-a-Service
    via the cloud) and security issues faced by
    their customers.
  • In most cases, the provider must ensure that
    their infrastructure is secure and that their
    clients' data and applications are protected,
    while the customer must verify that the provider
    has taken the proper security measures to protect
    their information. Responsibility is shared, and
    the dividing line moves with the service model.

Cloud Security
  • Correct security controls should be implemented
    according to asset, threat, and vulnerability
    risk assessment matrices. While cloud security
    concerns can be grouped into any number of
    dimensions, these dimensions have been aggregated
    into three general areas: Security and Privacy,
    Compliance, and Legal or Contractual Issues.

Security and Privacy
Identity Management 
  • Every enterprise will have its own identity
    management system to control access to
    information and computing resources. Cloud
    providers either integrate the customers
    identity management system into their own
    infrastructure, or provide an identity management
    solution of their own.

Physical and Personnel Security 
  • Providers ensure that physical machines are
    adequately secure and that access to these
    machines, as well as to all relevant customer
    data, is not only restricted but also documented.

  • Cloud providers assure customers that they will
    have regular and predictable access to their data
    and applications.

Application Security
  • Cloud providers ensure that applications
    available as a service via the cloud are secure
    by implementing testing and acceptance procedures
    for outsourced or packaged application code. This
    also requires that application security measures
    be in place in the production environment.

  • Finally, providers ensure that all critical data
    (credit card numbers, for example) are masked and
    that only authorized users have access to data in
    its entirety. Moreover, digital identities and
    credentials must be protected as should any data
    that the provider collects or produces about
    customer activity in the cloud.
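The masking requirement above (critical data such as card numbers masked for everyone, full values only for authorized users, and the disclosure itself recorded) is easy to state and easy to get subtly wrong, for instance by masking the "card" column but leaving a PAN pasted into a free-text note. The following is an added example written for this page; it is not code from the presentation. The role name "pci-privileged", the field names, the key and the sample record are assumptions made for illustration. The masking rule (display at most the first six and last four digits) follows PCI DSS requirement 3.3.

```python
"""Masking cardholder data in application output, with an authorization gate.

Added example for this page; not code from the presentation. The role name
"pci-privileged", the field names and the sample record are constructed for
illustration. The masking rule (show at most first six and last four digits)
follows PCI DSS requirement 3.3.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens.
# The pattern starts and ends on a digit so a trailing separator is never consumed.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

# Record of every full-PAN disclosure, so that "who saw what" is auditable.
REVEAL_LOG = []


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(text: str) -> str:
    """Mask a candidate PAN: keep BIN (first 6) and last 4, star the rest.

    Anything that is too short or fails Luhn is returned unchanged, so order
    numbers and phone numbers are not mangled.
    """
    digits = re.sub(r"\D", "", text)
    if len(digits) < 13 or not luhn_ok(digits):
        return text
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def render_record(record: dict, principal: str, roles: set) -> dict:
    """Return a display copy of `record`.

    Only a principal holding the (assumed) "pci-privileged" role sees PANs in
    full, and that disclosure is written to REVEAL_LOG; everyone else gets the
    masked form in every string field, including free-text notes.
    """
    if "pci-privileged" in roles:
        REVEAL_LOG.append({"principal": principal, "fields": sorted(record)})
        return dict(record)
    out = {}
    for key, value in record.items():
        if isinstance(value, str):
            out[key] = PAN_RE.sub(lambda m: mask_pan(m.group(0)), value)
        else:
            out[key] = value
    return out


# Constructed sample record; both numbers are well-known test PANs that pass Luhn.
SAMPLE_RECORD = {
    "customer": "A. Example",
    "card": "4111 1111 1111 1111",
    "note": "refund to 5500000000000004 requested by phone 020 7946 0000",
}

if __name__ == "__main__":
    print(render_record(SAMPLE_RECORD, "support-agent", {"support"}))
    print(render_record(SAMPLE_RECORD, "fraud-analyst", {"pci-privileged"}))
    print(REVEAL_LOG)
```

Two design points: masking is applied to every string field rather than to a fixed list of "sensitive" columns, because in practice card numbers leak into notes and ticket bodies; and the Luhn check keeps the masker from corrupting phone and order numbers that happen to be long digit runs. The reveal log is what an auditor later asks for when "only authorized users have access to data in its entirety" has to be demonstrated rather than asserted.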

Legal issues
  • Providers and customers must consider legal
    issues, such as Contracts and E-Discovery, and
    the related laws, which may vary by country

  • Numerous regulations pertain to the storage and
    use of data, including the Payment Card Industry
    Data Security Standard (PCI DSS), the Health
    Insurance Portability and Accountability Act
    (HIPAA) and the Sarbanes-Oxley Act, among others.
    Many of these regulations require regular
    reporting and audit trails. Cloud providers must
    enable their customers to comply appropriately
    with these
Business Continuity and Data Recovery
  • Cloud providers have business continuity and data
    recovery plans in place to ensure that service
    can be maintained in case of a disaster or an
    emergency and that any data loss will be
    recovered. These plans are shared with and
    reviewed by their customers.

Logs and Audit Trails
  • In addition to producing logs and audit trails,
    cloud providers work with their customers to
    ensure that these logs and audit trails are
    properly secured, maintained for as long as the
    customer requires, and are accessible for the
    purposes of forensic investigation (e.g.,
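"Properly secured" audit trails means more than access control on the log store: a customer must be able to show that entries were not edited, dropped or reordered after the fact, including by the provider that hosts them (compare the earlier question of what happens when an employee of the cloud provider accesses the asset). The block below is an added example written for this page, not code from the presentation. It chains entries with an HMAC under a key the customer holds, so the provider cannot quietly rebuild the chain, and it shows the one gap a hash chain alone leaves open (silently dropping the newest entries), which is closed by recording the latest tag out of band. The events, the key and the field names are constructed for illustration.

```python
"""Tamper-evident audit trail with a customer-held key.

Added example for this page, not code from the presentation. Each entry
carries an HMAC over (sequence number, previous tag, event), so an edited,
deleted or reordered entry breaks the chain, and because the key is held by
the customer rather than the provider the chain cannot be silently rebuilt.
The events, the key and the field names are constructed for illustration.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64          # "previous tag" of the first entry


def canonical(event: dict) -> bytes:
    """Deterministic serialisation so the same event always hashes the same."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def entry_tag(key: bytes, seq: int, prev: str, event: dict) -> str:
    msg = b"|".join([str(seq).encode(), prev.encode(), canonical(event)])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_event(chain: list, event: dict, key: bytes) -> dict:
    """Append `event` to `chain`, linking it to the previous entry's tag."""
    seq = len(chain)
    prev = chain[-1]["tag"] if chain else GENESIS
    entry = {"seq": seq, "prev": prev, "event": event,
             "tag": entry_tag(key, seq, prev, event)}
    chain.append(entry)
    return entry


def build_chain(events: list, key: bytes) -> list:
    chain = []
    for event in events:
        append_event(chain, event, key)
    return chain


def verify_chain(chain: list, key: bytes, expected_head: str = None):
    """Return (True, None) if intact, else (False, seq of the first bad entry).

    `expected_head` is the latest tag the customer recorded out of band;
    without it, dropping the newest entries would go undetected.
    """
    if expected_head is not None:
        head = chain[-1]["tag"] if chain else GENESIS
        if not hmac.compare_digest(head, expected_head):
            return False, len(chain)           # tail truncated
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev"] != prev:
            return False, i                    # deletion or reordering
        expected = entry_tag(key, i, prev, entry["event"])
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, i                    # edited event or wrong key
        prev = entry["tag"]
    return True, None


def events_where(chain: list, **match) -> list:
    """Forensic query: events whose fields equal every keyword given."""
    return [e["event"] for e in chain
            if all(e["event"].get(k) == v for k, v in match.items())]


# Constructed sample: a customer user and a provider employee touching the same object.
KEY = b"customer-held-hmac-key"
SAMPLE_EVENTS = [
    {"ts": "2012-06-01T09:00:00Z", "actor": "alice", "action": "login", "result": "ok"},
    {"ts": "2012-06-01T09:05:12Z", "actor": "alice", "action": "read", "object": "invoice/42"},
    {"ts": "2012-06-01T09:07:40Z", "actor": "provider-admin", "action": "read", "object": "invoice/42"},
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS, KEY)
    print(verify_chain(chain, KEY, expected_head=chain[-1]["tag"]))
    print(events_where(chain, actor="provider-admin"))
```

The retention point in the slide ("maintained for as long as the customer requires") is then a question the customer can answer by keeping the head tag it last recorded and periodically verifying the provider-held chain against it; a chain that no longer reaches that head is evidence of loss, not merely of expiry.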

Unique Compliance Requirements
  • In addition to the requirements to which
    customers are subject, the data centers
    maintained by cloud providers may also be subject
    to compliance requirements. Using a cloud service
    provider (CSP) can lead to additional security
    concerns around data jurisdiction since customer
    or tenant data may not remain on the same system,
    or in the same data center or even within the
    same provider's cloud.

Legal and Contractual Issues
  • Aside from the security and compliance issues
    enumerated above, cloud providers and their
    customers will negotiate terms around liability
    (e.g. stipulating how incidents involving data
    loss or compromise will be resolved),
    intellectual property, and end-of-service (when
    data and applications are ultimately returned to
    the customer).

Public Records
  • Legal issues may also include records-keeping
    requirements in the public sector, where many
    agencies are required by law to retain and make
    available electronic records in a specific
    fashion. This may be determined by legislation,
    or law may require agencies to conform to the
    rules and practices set by a records-keeping
    agency. Public agencies using cloud computing and
    storage must take these concerns into account.

Information Systems Environment Why are
Control and Auditability Important?
Data Center Audits
  • In today's business environment, there is
    increasing reliance on information systems to
    support business needs. Auditing provides
    independent and objective assurance that
    information is processed in a safe and sound
    manner, that operations are efficient, effective
    and adequate, and that information assets are

The Business Environment
  • Business Strategy and Operations:
  • Business partnerships
  • Multiple distribution channels
  • Get products to market faster
  • Mergers, downsizing
  • Technologically:
  • Heavy reliance on technology to be competitive
  • E-commerce via the Internet

The IT Environment
  • Increase system quality and functionality
  • Improve service levels
  • Decrease delivery time
  • More reliance on IT vendors and their strategies

Business Risks
  • Activities or events that might interfere with
    meeting business objectives
  • Probability or likelihood that loss will occur
  • Measure of loss if it occurs

Business Risks
  • Inherent (environmental)
  • Fraud
  • Lost opportunities
  • Loss of competitiveness

IT Risks
  • Unauthorized access
  • Inaccurate or unreliable information
  • System unavailability

Information Systems Audit Defined
  • The process of collecting and evaluating
    evidence to determine whether a computer system
    safeguards assets, maintains data integrity,
    allows organizational goals to be achieved and
    uses resources efficiently

Business Needs
  • Organizations must Control and Audit
    Computer-Based Information Systems
  • Must have Procedures to detect errors and
  • Must have Procedures to contain cost of Controls
    and Development.

Need for Controls
  • The Organization must protect itself from
  • Corruption of Data and Database
  • Poor decision making due to poor quality
  • Losses due to abuse
  • Loss of hardware, software and personnel
  • Maintenance of Privacy

Computer Abuse
  • Hacking
  • Viruses
  • Illegal Physical Access
  • Abuse of Privileges

Consequence of Abuse
  • Destruction of Assets
  • Theft of Assets
  • Modification of Assets
  • Privacy violations
  • Disruption of operations
  • Un-authorized use of assets
  • Physical harm to Personnel

The Information Systems Audit Function
  • Used to safeguard Assets
  • Maintain Data Integrity
  • Achieve system efficiency

Asset Safeguarding
  • Hardware
  • Software
  • Facilities
  • Personnel (Knowledge)
  • Data files and systems documentation
  • Supplies

Data Integrity
  • Completeness
  • Soundness
  • Accuracy
  • Conciseness

Value of Data Integrity
  • Value to Decision Makers
  • Extent of data sharing
  • Value to competitors
  • Compliance Issues

  • Achieving stated objectives
  • Satisfaction of users' needs

Efficiency - Performance Index
  • Timeliness - time taken to provide user responses
  • Throughput - work completed over time
  • Utilization - proportion of time the system is busy
  • Reliability - availability

Auditors Judgment
  • Must use a model of workload system
  • Must be aware of the cost of the evaluation
  • System may not yet be operational
  • Model used must correctly simulate the real
    system and environment

Internal Controls
  • Separation of Duties
  • Delegation of Authority and Responsibility
  • Competent Personnel
  • System Authorization
  • Document and Records

Internal Controls
  • Management Supervision
  • Independent Checks on Performance
  • Accountability of Assets

Effects of Computers on Auditing
  • Change in evidence collection
  • Change in evidence evaluation

Information Systems Auditing
  • Traditional Auditing
  • Information Systems Management
  • Behavioral Science
  • Computer

  • Conducting an Information Systems Audit

Nature of Controls
  • Auditors have to evaluate the reliability of
    controls. They therefore have to have an
    understanding of the control environment and the
    system of controls.

Nature of Controls
  • Controls fall into three categories
  • Preventive
  • Detective
  • Corrective

Purpose of Controls
  • Decreasing the probability of a loss occurring
  • Limiting the losses if they occur.

Dealing with Complexity
  • Break systems into subsystems
  • Determine the reliability of each subsystem.
  • (Decomposing or Factoring)

Types of Subsystems-Management
  • Top Management
  • Information Systems Management
  • Systems Development
  • Programming
  • Data Administration
  • Quality Assurance
  • Security Administration
  • Operations Management

Types of Subsystems-Application
  • Input
  • Communications
  • Processing
  • Database
  • Output

Assessing Subsystem Reliability
  • Controls at the higher or subsystem level
  • Cost/Benefit analysis

Inherent Risk Factors
  • Financial Systems
  • Strategic Systems
  • Critical Operations
  • Technologically Advanced Systems