Table of Contents
Preface xiii
Chapter 1: Introduction to Cloud Computing 1
History 1
Defining Cloud Computing 2
Elasticity 2
Multitenancy 3
Economics 3
Abstraction 3
Cloud Computing Services Layers 4
Infrastructure as a Service 5
Platform as a Service 5
Software as a Service 6
Roles in Cloud Computing 6
Consumer 6
Provider 6
Integrator 7
Cloud Computing Deployment Models 8
Private 8
Community 8
Public 9
Hybrid 9
Challenges 9
Availability 10
Data Residency 10
Multitenancy 11
Performance 11
Data Evacuation 12
Supervisory Access 12
In Summary 13
Chapter 2: Cloud-Based IT Audit Process 15
The Audit Process 16
Control Frameworks for the Cloud 18
ENISA Cloud Risk Assessment 20
FedRAMP 20
Entities Using COBIT 21
CSA Guidance 21
CloudAudit/A6—The Automated Audit, Assertion, Assessment, and Assurance API 22
Recommended Controls 22
Risk Management and Risk Assessment 26
Risk Management 27
Risk Assessment 27
Legal 28
In Summary 29
Chapter 3: Cloud-Based IT Governance 33
Governance in the Cloud 36
Understanding the Cloud 36
Security Issues in the Cloud 37
Abuse and Nefarious Use of Cloud Computing 38
Insecure Application Programming Interfaces 39
Malicious Insiders 39
Shared Technology Vulnerabilities 39
Data Loss/Leakage 40
Account, Service, and Traffic Hijacking 40
Unknown Risk Profile 40
Other Security Issues in the Cloud 41
Governance 41
IT Governance in the Cloud 44
Managing Service Agreements 44
Implementing and Maintaining Governance for Cloud Computing 46
Implementing Governance as a New Concept 46
Preliminary Tasks 46
Adopt a Governance Implementation Methodology 48
Extending IT Governance to the Cloud 49
In Summary 52
Chapter 4: System and Infrastructure Lifecycle Management for the Cloud 57
Every Decision Involves Making a Tradeoff 57
Example: Business Continuity/Disaster Recovery 59
What about Policy and Process Collisions? 60
The System and Management Lifecycle Onion 61
Mapping Control Methodologies onto the Cloud 62
Information Technology Infrastructure Library 63
Control Objectives for Information and Related Technology 64
National Institute of Standards and Technology 65
Cloud Security Alliance 66
Verifying Your Lifecycle Management 67
Always Start with Compliance Governance 67
Verification Method 68
Illustrative Example 70
Risk Tolerance 72
Special Considerations for Cross-Cloud Deployments 73
The Cloud Provider’s Perspective 74
Questions That Matter 75
In Summary 76
Chapter 5: Cloud-Based IT Service Delivery and Support 79
Beyond Mere Migration 80
Architected to Share, Securely 80
Single-Tenant Offsite Operations (Managed Service Providers) 81
Isolated-Tenant Application Services (Application Service Providers) 81
Multitenant (Cloud) Applications and Platforms 82
Granular Privilege Assignment 82
Inherent Transaction Visibility 84
Centralized Community Creation 86
Coherent Customization 88
The Question of Location 90
Designed and Delivered for Trust 91
Fewer Points of Failure 91
Visibility and Transparency 93
In Summary 93
Chapter 6: Protection and Privacy of Information Assets in the Cloud 97
The Three Usage Scenarios 99
What Is a Cloud? Establishing the Context—Defining Cloud Solutions and their Characteristics 100
What Makes a Cloud Solution? 101
Understanding the Characteristics 104
Service Based 104
On-Demand Self-Service 104
Broad Network Access 104
Scalable and Elastic 105
Unpredictable Demand 105
Demand Servicing 105
Resource Pooling 105
Managed Shared Service 105
Auditability 105
Service Termination and Rollback 106
Charge by Quality of Service and Use 106
Capability to Monitor and Quantify Use 106
Monitor and Enforce Service Policies 107
Compensation for Location Independence 107
Multitenancy 107
Authentication and Authorization 108
Confidentiality 108
Integrity 108
Authenticity 108
Availability 108
Accounting and Control 109
Collaboration Oriented Architecture 109
Federated Access and ID Management 109
The Cloud Security Continuum and a Cloud Security Reference Model 110
Cloud Characteristics, Data Classification, and Information Lifecycle Management 113
Cloud Characteristics and Privacy and the Protection of Information Assets 113
Information Asset Lifecycle and Cloud Models 114
Data Privacy in the Cloud 118
Data Classification in the Context of the Cloud 119
Regulatory and Compliance Implications 119
A Cloud Information Asset Protection and Privacy Playbook 121
In Summary 124
Chapter 7: Business Continuity and Disaster Recovery 129
Business Continuity Planning and Disaster Recovery Planning Overview 129
Problem Statement 130
The Planning Process 131
The Auditor’s Role 133
Augmenting Traditional Disaster Recovery with Cloud Services 135
Cloud Computing and Disaster Recovery: New Issues to Consider 136
Cloud Computing Continuity 136
Audit Points to Emphasize 138
In Summary 139
Chapter 8: Global Regulation and Cloud Computing 143
What is Regulation? 144
Federal Information Security Management Act 146
Sarbanes-Oxley Law 146
Health Information Privacy Accountability Act 146
Gramm/Leach/Bliley Act 147
Privacy Laws 147
Why Do Regulations Occur? 148
Some Key Takeaways 149
The Real World—A Mixing Bowl 149
Some Key Takeaways 151
The Regulation Story 151
Privacy 153
International Export Law and Interoperable Compliance 154
Effective Audit 155
Identifying Risk 156
In Summary 156
Chapter 9: Cloud Morphing: Shaping the Future of Cloud Computing Security and Audit 161
Where Is the Data? 162
A Shift in Thinking 164
Cloud Security Alliance 165
CloudAudit 1.0 166
Cloud Morphing Strategies 166
Virtual Security 167
Data in the Cloud 168
Cloud Storage 169
Database Classes in the Cloud 171
Perimeter Security 171
Cryptographic Protection of the Data 172
In Summary 173
Appendix: Cloud Computing Audit Checklist 175
About the Editor 181
About the Contributors 183
Index 191