Cloud Audit and Compliance

CA ANAND PRAKASH JANGID
anand@quadrisk.com
• Cloud Computing & Risk
• Auditing the cloud
• Audit considerations in a cloud environment
• Questions
• Cloud & compliance

The future is not what it used to be


"I think there is a world market for maybe five computers."
o Thomas Watson, Chairman of IBM, 1943

"There is no reason why anyone would want a computer in the home."
o Ken Olson, President, Chairman and founder of Digital Equipment Corporation, 1977

"640K should be enough for anybody."
o Bill Gates, 1981

"So far, Java seems like a stinker to me… I have a hunch that it won't be a very successful language."
o Paul Graham, Author
• GE: Global procurement hosting 500k suppliers and 100k users in six languages on a SaaS platform to manage $55B/yr in spend
• Eli Lilly: Using Amazon Web Services it can deploy a new server in 3 min vs 50 days and a 64-node Linux cluster in 5 min vs 100 days
• Nasdaq: Using Amazon Storage to store 30-80 TB/day of trading








• The cloud acts as a big black box; nothing inside the cloud is visible to the clients
• Clients have no idea of, or control over, what happens inside a cloud
• Even if the cloud provider is honest, it can have malicious system admins who can tamper with the VMs and violate confidentiality and integrity
• Clouds are still subject to traditional data confidentiality, integrity, availability and privacy issues, plus some additional attacks


Also a massive concentration of risk:
o the expected loss from a single breach can be significantly larger
o a concentration of "users" represents a concentration of threats

"Ultimately, you can outsource responsibility but you can't outsource accountability."

Why should we worry about the cloud???


• SA 300 - Planning an Audit of Financial Statements
• SA 315 - Identifying and assessing the risk of material misstatement through understanding the entity and its environment
• SA 402 - Audit considerations relating to an entity using a service organization


"... effect of information technology on the audit procedures, including the availability of data and the expected use of computer assisted audit techniques."

"... management's commitment to the design, implementation and maintenance of sound internal control, including evidence of appropriate documentation of such internal control."






Controls in IT systems consist of a combination of automated controls (for example, controls embedded in computer programs) and manual controls. Further, manual controls may be independent of IT, may use information produced by IT, or may be limited to monitoring the effective functioning of IT and of automated controls, and to handling exceptions.

When IT is used to initiate, record, process or report transactions, or other financial data for inclusion in financial statements, the systems and programs may include controls related to the corresponding assertions for material accounts, or may be critical to the effective functioning of manual controls that depend on IT.













Information technology also poses specific risks to an entity's internal control, including, for example:
• Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both.
• Unauthorised access to data that may result in destruction of data or improper changes to data, including the recording of unauthorised or nonexistent transactions, or inaccurate recording of transactions. Particular risks may arise where multiple users access a common database.
• The possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties, thereby breaking down segregation of duties.
• Unauthorised changes to data in master files.
• Unauthorised changes to systems or programs.
• Failure to make necessary changes to systems or programs.
• Inappropriate manual intervention.
• Potential loss of data or inability to access data as required.


Para 3: "Services provided by a service organization are relevant to the audit of a user entity's financial statements when those services, and the controls over them, are part of the user entity's information system, including related business processes, relevant to financial reporting."

Para 5: Information available on general controls and computer systems controls relevant to the client's applications

Para 34 of SA 400


Confidentiality
o Fear of loss of control over data
• Will the sensitive data stored on a cloud remain confidential?
• Will cloud compromises leak confidential client data?
o Will the cloud provider itself be honest and not peek into the data?

Integrity
o How do I know that the cloud provider is doing the computations correctly?
o How do I ensure that the cloud provider really stored my data without tampering with it?


Availability
o Will critical systems at the client go down if the provider is hit by a Denial of Service attack?
o What happens if the cloud provider goes out of business?
o Would the cloud scale well enough?
o Often-voiced concern
• Although cloud providers argue their downtime compares well with cloud users' own data centers

Privacy issues raised via massive data mining
– The cloud now stores data from a lot of clients, and can run data mining algorithms to get large amounts of information on clients

Increased attack surface
– An entity outside the organization now stores and computes data, and so
– Attackers can now target the communication link between cloud provider and client
– Cloud provider employees can be phished


Auditability and forensics (loss of control over data)
o Difficult to audit data held outside the organization in a cloud
o Forensics also made difficult since clients no longer maintain data locally

Legal quagmire and transitive trust issues
o Who is responsible for complying with regulations?
• e.g., IT Act, Companies Act, SOX, HIPAA, GLBA, ...?
o If the cloud provider subcontracts to third-party clouds, will the data still be secure?
"Cloud computing is a security nightmare and it can't be handled in traditional ways."
o John Chambers, Cisco CEO

Security is one of the most difficult tasks to implement in cloud computing.
o Different forms of attacks on the application side and in the hardware components

An attack with catastrophic effects only needs one security flaw.















• Contractual discrepancies and gaps between business expectations and service provider capabilities
• Control gaps between processes performed by the service provider and the organization
• Compromised system security and confidentiality
• Invalid transactions or transactions processed incorrectly
• Costly compensating controls
• Reduced system availability and questionable integrity of information
• Poor software quality, inadequate testing and high number of failures
• Failure to respond to relationship issues with optimal and approved decisions
• Insufficient allocation of resources
• Unclear responsibilities and accountabilities
• Litigation, mediation or termination of the agreement, resulting in added costs and/or business disruption and/or total loss of the organization
• Inability to satisfy audit/assurance charter and requirements of regulators or external auditors
• Reputation
• Fraud



[Figure: cloud computing reference architecture (the NIST model). Actors: Cloud Consumer; Cloud Provider; Cloud Auditor (Security Audit, Privacy Impact Audit, Performance Audit); Cloud Broker (Service Intermediation, Service Aggregation, Service Arbitrage); Cloud Carrier. Within the Cloud Provider: Cloud Orchestration with a Service Layer (SaaS, PaaS, IaaS), a Resource Abstraction and Control Layer and a Physical Resource Layer (Hardware, Facility); Cloud Service Management (Business Support, Provisioning/Configuration, Portability/Interoperability); and the cross-cutting concerns Security, Privacy, etc.]
Top threats to cloud computing (the CSA "Notorious Nine" list):
• Data Breaches
• Data Loss
• Account or Service Traffic Hijacking
• Insecure Interfaces and APIs
• Denial of Service
• Malicious Insiders
• Abuse of Cloud Services
• Insufficient Due Diligence
• Shared Technology Vulnerabilities
Control domains (as in the Cloud Control Matrix):
• Application and Interface Security
• Data Security and Information Lifecycle Management
• Audit Assurance and Compliance
• Business Continuity Management
• Change Control and Configuration Management
• Datacenter Security
• Encryption and Key Management
• Governance and Risk Management
• Human Resources
• Identity and Access Management



Risk Based Audit Approach

• Identify risks that are present in the cloud environment
  o Inherent risks – risks that arise naturally
  o Controllable risks – risks arising due to insufficient internal controls
• Identify controls that are in place to treat the identified risks
  o RCM approach – Risk Control Matrix
• Examine policy and procedure documents that are maintained for the cloud environment
• Perform sampling on the controls to determine design and operating effectiveness and gather audit evidence (SA 500 – Audit Evidence, SA 530 – Audit Sampling)
• Prepare a report and present it to the entity




A Risk Control Matrix is a matrix of the controls in place for each identified risk.

CCM v3 – Cloud Control Matrix Version 3
o www.cloudsecurityalliance.org
o A matrix published by the Cloud Security Alliance listing the controls that should be in place for an optimal cloud environment.
o It also shows the compliance of controls mapped to statutes, standards and frameworks: ISO 27001, SSAE 16, PCI DSS, Indian IT Act, HIPAA Act.
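The risk-based approach and the Risk Control Matrix described above, as an added example that is not part of the original deck: a small RCM of constructed risks and controls, where each control's design walkthrough and SA 530-style attribute sample are evaluated against an assumed 5% tolerable deviation rate to decide which controls can be relied on, which risks are left untreated, and which controls evidence a given framework. Control IDs, descriptions, sample counts and framework mappings are all constructed; only the domain and framework names come from the slides.

```python
"""Risk-based audit walk-through over a small Risk Control Matrix (RCM).

Added example, not code from the original deck. Every risk, control,
sample result and framework mapping below is constructed; the control
IDs (C1..C3) are hypothetical and are not CSA CCM control identifiers.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    control_id: str
    description: str
    domain: str                 # CCM-style control domain
    frameworks: tuple           # statutes/standards the control is mapped to
    design_effective: bool      # outcome of the design walkthrough
    sample_size: int = 0        # control instances tested (attribute sampling)
    deviations: int = 0         # exceptions found in the sample


@dataclass
class Risk:
    risk_id: str
    description: str
    kind: str                   # "inherent" or "controllable"
    control_ids: list = field(default_factory=list)


# Assumption: the auditor's tolerable deviation rate for relying on a control.
TOLERABLE_DEVIATION_RATE = 0.05


def deviation_rate(control):
    """Observed deviation rate in the sample; 0.0 when nothing was tested."""
    if control.sample_size == 0:
        return 0.0
    return control.deviations / control.sample_size


def operating_effective(control, tolerable=TOLERABLE_DEVIATION_RATE):
    """A control is relied on only if its design is sound, it was actually
    sampled, and the sample deviation rate is within the tolerable rate."""
    return (control.design_effective
            and control.sample_size > 0
            and deviation_rate(control) <= tolerable)


def control_gaps(risks, rcm):
    """Risks that no designed-and-operating-effective control treats."""
    gaps = []
    for risk in risks:
        treated = any(cid in rcm and operating_effective(rcm[cid])
                      for cid in risk.control_ids)
        if not treated:
            gaps.append(risk.risk_id)
    return gaps


def framework_evidence(rcm, framework):
    """Effective controls that evidence compliance with a given framework."""
    return sorted(cid for cid, c in rcm.items()
                  if framework in c.frameworks and operating_effective(c))


def audit_findings(risks, rcm):
    """Summary the auditor would carry into the report."""
    gaps = control_gaps(risks, rcm)
    return {
        "controls_not_relied_on": sorted(
            cid for cid, c in rcm.items() if not operating_effective(c)),
        "untreated_risks": gaps,
        "inherent_untreated": [
            r.risk_id for r in risks if r.kind == "inherent" and r.risk_id in gaps],
    }


# --- constructed RCM (illustrative values only) ---------------------------
RCM = {
    "C1": Control("C1", "Quarterly review of user access to the SaaS platform",
                  "Identity and Access Management", ("ISO 27001", "SSAE 16"),
                  design_effective=True, sample_size=40, deviations=1),
    "C2": Control("C2", "Annual rotation of data-at-rest encryption keys",
                  "Encryption and Key Management", ("ISO 27001", "PCI DSS"),
                  design_effective=True, sample_size=25, deviations=3),
    "C3": Control("C3", "Approval of provider-side changes before release",
                  "Change Control and Configuration Management", ("SSAE 16",),
                  design_effective=False, sample_size=30, deviations=0),
}

RISKS = [
    Risk("R1", "Unauthorised access to data", "controllable", ["C1"]),
    Risk("R2", "Unauthorised changes to systems or programs", "controllable", ["C3"]),
    Risk("R3", "Potential loss of data", "controllable", ["C2"]),
    Risk("R4", "Provider subcontracts to a third-party cloud", "inherent", []),
]

if __name__ == "__main__":
    print(audit_findings(RISKS, RCM))
```

C2 fails on operating effectiveness (3 of 25 exceeds the 5% tolerable rate) and C3 fails on design, so R2, R3 and the uncontrolled inherent risk R4 land in the report as untreated.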
When are these opportunities??

"Half our life is spent trying to find something to do with the time we have rushed through life trying to save."
o Will Rogers

Questions???

ANAND PRAKASH JANGID | anand@quadrisk.com | +919620233516
www.quadrisk.com

Cloud Audit and Compliance

  • 1.   CA ANAND PRAKASH JANGID anand@quadrisk.com
  • 2. Cloud Computing & Risk Auditing the cloud Audit consideration in cloud environment Questions Cloud & compliance
  • 4.  I think there is a world market for maybe five computers.‟ o Thomas Watson, Chairman of IBM, 1943  „There is no reason why anyone would want a computer in the home.‟ o Ken Olson, Present, Chairman and founder of Digital Equipment Corporation, 1977  „640K should be enough for anybody.‟ o Bill Gates, 1981  „So far, Java seems like a stinker to me…I have a hunch that it won't be a very successful language.‟ o Paul Graham, Author
  • 5.
  • 6. GE: Global procurement hosting 500k suppliers and 100k users in six languages on SaaS platform to manage $55B/yr in spend  Eli Lilly : Using Amazon Web Services can deploy a new server in 3min vs 50days and a 64-node Linux cluster in 5min vs 100days  Nasdaq: Using Amazon Storage to store 30-80TB/day of trading 
  • 7.     The cloud acts as a big black box, nothing inside the cloud is visible to the clients Clients have no idea or control over what happens inside a cloud Even if the cloud provider is honest, it can have malicious system admins who can tamper with the VMs and violate confidentiality and integrity Clouds are still subject to traditional data confidentiality, integrity, availability, and privacy issues, plus some additional attacks
  • 8.
  • 9.  Also a massive concentration of risk expected loss from a single breach can be significantly larger concentration of “users” represents a concentration of threats “Ultimately, you can outsource responsibility but you can‟t outsource accountability.” o o 
  • 10.
  • 11.
  • 12. Why should we worry about Cloud???
  • 13.  SA 300 - Planning an Audit of Financial Statements  SA 315- Identifying and assessing the risk of material misstatement through understanding the entity and its environment  SA 402 - Audit considerations relating to an entity using a service organization
  • 14.  …. effect of information technology on the audit procedures, including the availability of data and the expected use of computer assisted audit techniques.  ……….management‟s commitment to the design, implementation and maintenance of sound internal control, including evidence of appropriate documentation of such internal control.
  • 15.    Controls in IT systems consist of a combination of automated controls (for example, controls embedded in computer programs) and manual controls. Further, manual controls may be independent of IT, may use information produced by IT, or may be limited to monitoring the effective functioning of IT and of automated controls, and to handling exceptions. When IT is used to initiate, record, process or report transactions, or other financial data for inclusion in financial statements, the systems and programs may include controls related to the corresponding assertions for material accounts or may be critical to the effective functioning of manual controls that depend on IT.
  • 16.           Information Technology also poses specific risks to an entity‟s internal control, including, for example : Reliance on systems or programs that are inaccurately processing data,processing inaccurate data, or both. Unauthorised access to data that may result in destruction of data or improper changes to data, including the recording of unauthorised or nonexistent transactions, or inaccurate recording of transactions. Particular risks may arise where multiple users access a common database. The possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties thereby breaking down segregation of duties. Unauthorised changes to data in master files. Unauthorised changes to systems or programs. Failure to make necessary changes to systems or programs. Inappropriate manual intervention. Potential loss of data or inability to access data as required.
  • 17.  Para 3: “ Services provided by a service organization are relevant to the audit of a user entity‟s financial statements when those services, and the controls over them, are part of the user entity‟s information system, including related business processes, relevant to financial reporting”  Para 5 : Information available on general controls and computer systems controls relevant to the client's applications
  • 18.  Para 34 of SA 400
  • 19.  Confidentiality o Fear of loss of control over data • Will the sensitive data stored on a cloud remain confidential? • Will cloud compromises leak confidential client data o Will the cloud provider itself be honest and won‟t peek into the data?  Integrity o How do I know that the cloud provider is doing the computations correctly? o How do I ensure that the cloud provider really stored my data without tampering with it? 19
  • 20.  Availability o Will critical systems go down at the client, if the provider is attacked in a Denial of Service attack? o What happens if cloud provider goes out of business? o Would cloud scale well-enough? o Often-voiced concern • Although cloud providers argue their downtime compares well with cloud user‟s own data centers 20
  • 21. • Privacy issues raised via massive data mining – Cloud now stores data from a lot of clients, and can run data mining algorithms to get large amounts of information on clients • Increased attack surface – Entity outside the organization now stores and computes data, and so – Attackers can now target the communication link between cloud provider and client – Cloud provider employees can be phished 21
  • 22.  Auditability and forensics (out of control of data) o Difficult to audit data held outside organization in a cloud o Forensics also made difficult since now clients don‟t maintain data locally  Legal quagmire and transitive trust issues o Who is responsible for complying with regulations? • e.g., IT ACT, Companies Act, SOX, HIPAA, GLBA , ? o If cloud provider subcontracts to third party clouds, will the data still be secure? 22
  • 23. Cloud Computing is a security nightmare and it can't be handled in traditional ways. John Chambers CISCO CEO  Security is one of the most difficult task to implement in cloud computing. o Different forms of attacks in the application side and in the hardware components  Attacks with catastrophic effects only needs one security flaw 23
  • 24.
  - Contractual discrepancies and gaps between business expectations and service provider capabilities
  - Control gaps between processes performed by the service provider and the organization
  - Compromised system security and confidentiality
  - Invalid transactions or transactions processed incorrectly
  - Costly compensating controls
  - Reduced system availability and questionable integrity of information
  - Poor software quality, inadequate testing and a high number of failures
  - Failure to respond to relationship issues with optimal and approved decisions
  - Insufficient allocation of resources
  - Unclear responsibilities and accountabilities
  - Litigation, mediation or termination of the agreement, resulting in added costs and/or business disruption and/or total loss of the organization
  - Inability to satisfy the audit/assurance charter and the requirements of regulators or external auditors
  - Reputation
  - Fraud
  • 27. [Diagram: NIST cloud computing reference architecture. Actors: Cloud Consumer; Cloud Provider; Cloud Auditor (Security Audit, Privacy Impact Audit, Performance Audit); Cloud Broker (Service Intermediation, Service Aggregation, Service Arbitrage); Cloud Carrier. Cloud Provider components: Service Orchestration (Service Layer: SaaS, PaaS, IaaS; Resource Abstraction and Control Layer; Physical Resource Layer: Hardware, Facility) and Cloud Service Management (Business Support, Provisioning/Configuration, Portability/Interoperability). Cross-cutting concerns: Security, Privacy, etc.]
  • 28.
  - Data Breaches
  - Denial of Service
  - Data Loss
  - Account or Service Traffic Hijacking
  - Insecure Interfaces with APIs
  - Malicious Insiders
  - Abuse of Cloud Services
  - Insufficient Due Diligence
  - Shared Technology vulnerabilities
  • 29.
  - Application and Interface Security
  - Data Security and Information Lifecycle Management
  - Audit Assurance and Compliance
  - Business Continuity Management
  - Change Control and Configuration Management
  - Datacenter Security
  - Encryption and Key Management
  - Governance and Risk Management
  - Human Resources
  - Identity and Access Management
  • 30. Risk Based Audit Approach
  - Identify the risks that are present in the cloud environment
    o Inherent risks: risks that arise naturally
    o Controllable risks: risks arising from insufficient internal controls
  - Identify the controls that are in place to treat the identified risks
  - Examine the policy and procedure documents that are maintained for the cloud environment
  - Perform sampling on the controls to determine design and operating effectiveness and gather audit evidence (SA 500: Audit Evidence, SA 530: Audit Sampling)
  - Prepare a report and present it to the entity
  • 31. Identify the controls that are in place to treat the identified risks
  - RCM approach: Risk Control Matrix
    o A Risk Control Matrix is a matrix of the controls in place for each identified risk
  - CCM v3: Cloud Controls Matrix version 3
    o www.cloudsecurityalliance.org
    o A matrix published by the Cloud Security Alliance that lists the controls which should be in place for an optimal cloud environment
    o It also maps each control to the statutes, standards and frameworks it satisfies, showing compliance coverage
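As an added example (not part of the presentation), the Python sketch below walks through the risk-based approach of slides 30 and 31: a constructed Risk Control Matrix mapping threats from slide 28 to CCM v3 domains from slide 29, a check for risks that have no control mapped (a control gap), and attribute sampling in the SA 530 sense to decide whether a sampled control is operating effectively. The control descriptions, confidence level and tolerable deviation rate are assumptions.

```python
"""Risk-based cloud audit helper: RCM control-gap check plus attribute sampling
(SA 530 style) for tests of operating effectiveness. Added example: threat names
and CCM v3 domains are from the slides; controls and parameters are constructed."""
import math

# Constructed RCM: threat -> list of (CCM v3 domain, control in place).
RCM = {
    "Data Breaches": [("Encryption and Key Management",
                       "customer-managed keys for data at rest")],
    "Account or Service Traffic Hijacking": [("Identity and Access Management",
                                              "MFA enforced for console and API access")],
    "Malicious Insiders": [("Human Resources",
                            "background checks and privileged-access reviews")],
    "Shared Technology vulnerabilities": [],  # inherent to multi-tenancy: no control
}

def control_gaps(rcm):
    """Risks with no mapped control: need a compensating control or must be
    reported as residual (inherent) risk."""
    return sorted(r for r, controls in rcm.items() if not controls)

def attribute_sample_size(confidence, tolerable_rate):
    """Smallest n such that a control deviating at the tolerable rate would show
    zero deviations in the sample with probability <= 1 - confidence."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - tolerable_rate))

def binom_cdf(k, n, p):  # P(X <= k) for X ~ Binomial(n, p)
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))

def upper_deviation_limit(n, observed, confidence):
    """Largest deviation rate still consistent with the sample: solve
    P(X <= observed | n, p) = 1 - confidence for p by bisection."""
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(observed, n, mid) > 1 - confidence:
            lo = mid
        else:
            hi = mid
    return hi

def control_effective(n, observed, confidence, tolerable_rate):
    """Operating effectiveness: achieved upper deviation limit must not exceed
    the tolerable rate set when planning the sample."""
    return upper_deviation_limit(n, observed, confidence) <= tolerable_rate

if __name__ == "__main__":
    n = attribute_sample_size(0.95, 0.05)  # 59 control instances to test
    print("control gaps:", control_gaps(RCM))
    print("n =", n, "effective with 1 deviation:", control_effective(n, 1, 0.95, 0.05))
```

With 95% confidence and a 5% tolerable rate, 59 items must be tested; a single observed deviation already pushes the achieved upper limit above 5%, so the control cannot be concluded effective on that sample.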
  • 34. When are these opportunities??
  "Half our life is spent trying to find something to do with the time we have rushed through life trying to save." - Will Rogers
  • 36. ANAND PRAKASH JANGID | anand@quadrisk.com | +919620233516 | www.quadrisk.com

Editor's notes

  1. NIST SP 500-292. This body of work brought together the various stakeholders to develop a taxonomy for communicating the components and offerings of cloud computing in a vendor-neutral way. It does not seek to stifle innovation by prescribing a technical solution. It defines an actor/role-based model and the architectural components needed for managing and providing cloud services, such as service deployment, service orchestration, cloud service management, security and privacy. A Cloud Consumer is an individual or organization that acquires and uses cloud products and services. The purveyor of those products and services is the Cloud Provider. The Cloud Broker acts as the intermediary between consumer and provider, helping consumers through the complexity of cloud service offerings, and may also create value-added cloud services. The Cloud Auditor provides a valuable function for the government by conducting independent performance and security monitoring of cloud services. The Cloud Carrier is the organization responsible for transporting the data, akin to the power distributor in the electric grid.