The growing adoption of cloud computing brings new risks to the confidentiality, integrity and availability of data, and the sensitivity of the data being stored exposes cloud deployments to a growing set of compliance requirements. This presentation covers cloud compliance requirements, risks, audit processes and the methodologies involved in providing assurance.
This presentation was given by CA Anand Prakash Jangid at the Conference on Cloud Computing conducted by the Committee on Information Technology of the Institute of Chartered Accountants of India on 11th January 2014.
4.
"I think there is a world market for maybe five computers."
o Thomas Watson, Chairman of IBM, 1943
"There is no reason why anyone would want a computer in the home."
o Ken Olson, President, Chairman and founder of Digital Equipment Corporation, 1977
"640K should be enough for anybody."
o Bill Gates, 1981
"So far, Java seems like a stinker to me… I have a hunch that it won't be a very successful language."
o Paul Graham, Author
5.
6. GE:
Global procurement hosting 500k suppliers and 100k users in six languages on a SaaS platform to manage $55B/yr in spend
Eli Lilly:
Using Amazon Web Services can deploy a new server in 3 min vs 50 days and a 64-node Linux cluster in 5 min vs 100 days
Nasdaq:
Using Amazon Storage to store 30-80TB/day of trading
7.
The cloud acts as a big black box: nothing inside the cloud is visible to the clients
Clients have no idea of, or control over, what happens inside a cloud
Even if the cloud provider is honest, it can have malicious system admins who can tamper with the VMs and violate confidentiality and integrity
Clouds are still subject to traditional data confidentiality, integrity, availability and privacy issues, plus some additional attacks
8.
9.
Also a massive concentration of risk
expected loss from a single breach can be significantly larger
concentration of "users" represents a concentration of threats
"Ultimately, you can outsource responsibility but you can't outsource accountability."
13.
SA 300 - Planning an Audit of Financial Statements
SA 315 - Identifying and Assessing the Risk of Material Misstatement through Understanding the Entity and Its Environment
SA 402 - Audit Considerations Relating to an Entity Using a Service Organization
14.
"… effect of information technology on the audit procedures, including the availability of data and the expected use of computer assisted audit techniques."
"… management's commitment to the design, implementation and maintenance of sound internal control, including evidence of appropriate documentation of such internal control."
15.
Controls in IT systems consist of a combination of automated controls (for example, controls embedded in computer programs) and manual controls.
Further, manual controls may be independent of IT, may use information produced by IT, or may be limited to monitoring the effective functioning of IT and of automated controls, and to handling exceptions.
When IT is used to initiate, record, process or report transactions, or other financial data for inclusion in financial statements, the systems and programs may include controls related to the corresponding assertions for material accounts, or may be critical to the effective functioning of manual controls that depend on IT.
16.
Information Technology also poses specific risks to an entity's internal control, including, for example:
Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both.
Unauthorised access to data that may result in destruction of data or improper changes to data, including the recording of unauthorised or nonexistent transactions, or inaccurate recording of transactions. Particular risks may arise where multiple users access a common database.
The possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties, thereby breaking down segregation of duties.
Unauthorised changes to data in master files.
Unauthorised changes to systems or programs.
Failure to make necessary changes to systems or programs.
Inappropriate manual intervention.
Potential loss of data or inability to access data as required.
17.
Para 3: "Services provided by a service organization are relevant to the audit of a user entity's financial statements when those services, and the controls over them, are part of the user entity's information system, including related business processes, relevant to financial reporting"
Para 5: Information available on general controls and computer systems controls relevant to the client's applications
19.
Confidentiality
o Fear of loss of control over data
• Will the sensitive data stored on a cloud remain confidential?
• Will cloud compromises leak confidential client data?
o Will the cloud provider itself be honest and not peek into the data?
Integrity
o How do I know that the cloud provider is doing the computations correctly?
o How do I ensure that the cloud provider really stored my data without tampering with it?
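The second integrity question above has a practical client-side answer: keep a secret the provider never sees and bind each stored object, its name and a version number into a keyed tag, so that an object edited by a malicious admin, or an old copy served in place of the current one, fails verification on read. The following is an added example and is not part of the presentation; it uses an in-memory dictionary as a stand-in for the provider's object store, a constructed demo key and constructed ledger records.

```python
import hashlib
import hmac


class IntegrityError(Exception):
    """Raised when an object returned by the provider fails verification."""


class UntrustedStore:
    """Stand-in for a cloud object store. Holds (data, tag) pairs and can be
    manipulated directly to simulate a malicious or compromised provider."""

    def __init__(self):
        self.objects = {}  # name -> (data, tag)

    def put(self, name, data, tag):
        self.objects[name] = (bytes(data), bytes(tag))

    def get(self, name):
        return self.objects.get(name)


class IntegrityClient:
    """Client that keeps only a secret key and a per-object version counter
    locally; the provider holds the data and a keyed tag it cannot forge."""

    def __init__(self, key, store):
        if len(key) < 32:
            raise ValueError("use a key of at least 256 bits")
        self._key = key
        self._store = store
        self._versions = {}  # name -> latest version written by this client

    def _tag(self, name, version, data):
        # Bind name and version into the MAC so a genuine tag cannot be reused
        # for a different object (substitution) or an older version (rollback).
        name_bytes = name.encode("utf-8")
        msg = b"".join([
            len(name_bytes).to_bytes(2, "big"), name_bytes,
            version.to_bytes(8, "big"),
            data,
        ])
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def put(self, name, data):
        version = self._versions.get(name, 0) + 1
        self._store.put(name, data, self._tag(name, version, data))
        self._versions[name] = version
        return version

    def get(self, name):
        version = self._versions.get(name)
        if version is None:
            raise KeyError(name)
        stored = self._store.get(name)
        if stored is None:
            raise IntegrityError(f"{name}: provider claims the object is missing")
        data, tag = stored
        if not hmac.compare_digest(tag, self._tag(name, version, data)):
            raise IntegrityError(f"{name}: tag mismatch (tampered or rolled back)")
        return data


def demo():
    """Run the honest, tampered and rollback cases; report which were detected."""
    store = UntrustedStore()
    client = IntegrityClient(b"\x11" * 32, store)  # constructed demo key
    results = {}

    record_v1 = b"2014-01-11,INV-1,1000\n"  # constructed ledger record
    client.put("ledger.csv", record_v1)
    results["honest_read"] = client.get("ledger.csv") == record_v1

    # A malicious admin edits the object in place; without the key the tag
    # cannot be recomputed, so the edit is caught on the next read.
    data, tag = store.objects["ledger.csv"]
    store.objects["ledger.csv"] = (data.replace(b"1000", b"9000"), tag)
    try:
        client.get("ledger.csv")
        results["tamper_detected"] = False
    except IntegrityError:
        results["tamper_detected"] = True

    # Rollback: the provider keeps an old (data, tag) pair, which carries a
    # genuine tag, and serves it after the client has written a newer version.
    client.put("ledger.csv", record_v1)                      # version 2
    old_pair = store.objects["ledger.csv"]
    client.put("ledger.csv", record_v1 + b"2014-01-12,INV-2,500\n")  # version 3
    store.objects["ledger.csv"] = old_pair                   # stale version 2 served
    try:
        client.get("ledger.csv")
        results["rollback_detected"] = False
    except IntegrityError:
        results["rollback_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The tag gives integrity only: to answer the "will the provider peek" question the client must also encrypt each object (with an authenticated cipher) before tagging and uploading. The per-object version counter is the irreducible piece of state that has to stay with the client; without it a genuine old (data, tag) pair is indistinguishable from the current one. Nor does this prove the provider still holds objects the client has not read recently; that needs periodic challenge reads or a proof-of-retrievability scheme.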
20.
Availability
o Will critical systems go down at the client if the provider is hit by a denial-of-service attack?
o What happens if the cloud provider goes out of business?
o Would the cloud scale well enough?
o Often-voiced concern
• Although cloud providers argue their downtime compares well with cloud users' own data centers
21.
• Privacy issues raised via massive data mining
– The cloud now stores data from a lot of clients, and can run data mining algorithms to get large amounts of information on clients
• Increased attack surface
– An entity outside the organization now stores and computes data, and so
– Attackers can now target the communication link between cloud provider and client
– Cloud provider employees can be phished
22.
Auditability and forensics (out of control of data)
o Difficult to audit data held outside the organization in a cloud
o Forensics also made difficult since clients no longer maintain data locally
Legal quagmire and transitive trust issues
o Who is responsible for complying with regulations?
• e.g., IT Act, Companies Act, SOX, HIPAA, GLBA, ?
o If the cloud provider subcontracts to third-party clouds, will the data still be secure?
23. "Cloud Computing is a security nightmare and it can't be handled in traditional ways."
John Chambers
CISCO CEO
Security is one of the most difficult tasks to implement in cloud computing.
o Different forms of attacks on the application side and in the hardware components
An attack with catastrophic effects needs only one security flaw
24.
Contractual discrepancies and gaps between business expectations and service provider capabilities
Control gaps between processes performed by the service provider and the organization
Compromised system security and confidentiality
Invalid transactions or transactions processed incorrectly
Costly compensating controls
Reduced system availability and questionable integrity of information
Poor software quality, inadequate testing and high number of failures
Failure to respond to relationship issues with optimal and approved decisions
Insufficient allocation of resources
Unclear responsibilities and accountabilities
Litigation, mediation or termination of the agreement, resulting in added costs and/or business disruption and/or total loss of the organization
Inability to satisfy audit/assurance charter and requirements of regulators or external auditors
Reputation
Fraud
27.
Figure: NIST Cloud Computing Reference Architecture (SP 500-292). Actors: Cloud Consumer; Cloud Provider; Cloud Auditor (Security Audit, Privacy Impact Audit, Performance Audit); Cloud Broker (Service Intermediation, Service Aggregation, Service Arbitrage); Cloud Carrier. Within the Cloud Provider: Cloud Orchestration (Service Layer with SaaS, PaaS and IaaS; Resource Abstraction and Control Layer; Physical Resource Layer with Hardware and Facility) and Cloud Service Management (Business Support; Provisioning/Configuration; Portability/Interoperability). Cross-cutting concerns: Security, Privacy, etc.
28.
Data Breaches
Denial of Service
Data Loss
Account or Service Traffic Hijacking
Insecure Interfaces and APIs
Malicious Insiders
Abuse of Cloud Services
Insufficient Due Diligence
Shared Technology Vulnerabilities
29.
Application and Interface Security
Data Security and Information Lifecycle Management
Audit Assurance and Compliance
Business Continuity Management
Change Control and Configuration Management
Datacenter Security
Encryption and Key Management
Governance and Risk Management
Human Resources
Identity and Access Management
30.
Risk Based Audit Approach
Identify the risks that are present in the cloud environment
o Inherent Risks – risks that exist in the environment before any control is considered
o Controllable Risks – risks that arise because internal controls are missing or ineffective (control risk in SA 315 terms)
Identify the controls that are in place to treat each identified risk
Examine the policy and procedure documents that are maintained for the cloud environment
Test a sample of the controls to determine design and operating effectiveness and gather audit evidence (SA 500 – Audit Evidence, SA 530 – Audit Sampling)
Prepare a report and present it to the entity
31. Identify the controls that are in place to treat each identified risk
o RCM approach – Risk Control Matrix
A Risk Control Matrix lists, for each identified risk, the controls in place to treat it, so that every risk has a control (or a documented gap) and every control has a defined test
CCM v3 – Cloud Controls Matrix Version 3
o www.cloudsecurityalliance.org
o A matrix published by the Cloud Security Alliance listing, by domain, the controls a cloud environment is expected to have in place.
o Each control is also mapped to the statutes, standards and frameworks it satisfies, so one test of a control can support several compliance requirements.
34. When are these opportunities??
Half our life is spent trying to find something to do with the time we have rushed through life trying to save.
Will Rogers
NIST SP 500-292. This body of work brought together the various stakeholders to develop a taxonomy for communicating the components and offerings of cloud computing in a vendor-neutral way; it does not seek to stifle innovation by prescribing a technical solution. It defines an actor/role-based model and the architectural components needed to manage and provide cloud services, such as service deployment, service orchestration, cloud service management, security and privacy. A Cloud Consumer is an individual or organization that acquires and uses cloud products and services. The purveyor of those products and services is the Cloud Provider. The Cloud Broker acts as the intermediary between consumer and provider, helps consumers through the complexity of cloud service offerings and may also create value-added cloud services. The Cloud Auditor provides a valuable function for the government by conducting independent performance and security monitoring of cloud services. The Cloud Carrier is the organization responsible for transporting the data, akin to the power distributor for the electric grid.