
3.5 Security Audits in Clouds

3.5.2 Classic IT Security Audits vs Cloud Audits

For classical IT audits, today's standard is the Statements on Standards for Attestation Engagements No. 16 (SSAE 16) [124] report. SSAE 16 is an AICPA auditing standard for reporting on controls at service organisations (including data centres) in the United States. It requires that the auditor obtains a written assertion from management regarding the design and operating effectiveness of the controls under review. This should minimise the following IT-related risks, which also apply to cloud infrastructures:

• Loss of business focus of the service.

• Solutions failing to meet business and/or user requirements: the service does not perform as expected.

• Compromised security and confidentiality.

• Invalid or incorrectly processed transactions.

• Poor software quality (high number of failures).

With the appearance of cloud infrastructures, cloud-specific risks regarding IT security audits have been discussed and addressed by many researchers [76, 75], by industry [87] and by institutions [86, 74]. They can be summarised as follows:

Greater dependency on the provider  Access to data and control over resources in the cloud are still very much provider dependent. The resource access interfaces are complex, and each additional control interface enlarges the attack surface of the cloud infrastructure. The risk of data lock-in is high, and since many new cloud providers have appeared, the risk of a provider going bankrupt should not be neglected. Standardised access interfaces to the cloud are lacking.

Increased complexity of compliance with laws and regulations  Although a service is hosted at a cloud provider, the customer remains responsible for the data and for the service quality delivered to the service users. The laws and regulations of the cloud provider's country may differ considerably from those of the cloud customer's country. By its nature, cloud computing hides the location of resources from the customer: processing and data can take place anywhere, which may violate laws (e.g. European data protection law restricts where personal data may be stored and processed).

Reliance on the Internet  The organisation's data stored in the cloud is accessible only through the Internet, which raises further security issues such as data integrity, privacy and every kind of attack launched from this public environment.

Dynamic nature of cloud computing  Processing and data location can change at any time for load-balancing reasons or because of infrastructure failure. This causes many monitoring and control problems, and arguably the level of security decreases as a result. Since the provider can scale the customer's infrastructure automatically, the customer must be able to limit the number of instances and thereby control the costs. Otherwise, a denial-of-service attack that triggers unbounded scaling eats up all the revenue of the business service.

Thus, for cloud computing, an audit needs to clarify the following questions:

Privileged user access  The provider has root access to the infrastructure and can therefore read unencrypted data on the cloud storage. The number of administrators with root access should thus be minimised.

Regulatory compliance  Customers remain responsible for their data, even if it is held in an external data centre. It has to be ensured that the provider takes care of backups, offers reasonable data recovery times and, where data encryption is required, uses strong encryption algorithms.

Data confidentiality, integrity, privacy, availability and segregation  In a cloud, the environment is typically shared among customers, so it is important to verify that the sharing is secure. If the VM of another company is compromised, would my company's VM be affected? Do you want to share a resource with your competitor? For many applications resource sharing is acceptable, but for enterprise-critical applications you may want exclusive resources; can the provider offer this? Special attention should be paid to how data is segregated and secured at the cloud provider: Is data replicated over multiple sites? Are backup strategies logically consistent? Is data really encrypted? Is data access limited to the customer's application? Is it possible to restrict the data location to predefined areas? The cloud provider should inform the customer transparently about key management, access control, data segmentation, the encryption algorithms used, etc., in the cloud infrastructure. Additionally, business continuity plans and disaster recovery plans have to be defined in cooperation with the provider.


provider might have problems undertaking forensic analysis, since logging in cloud environments is not partitioned per customer.

Monitoring and control of cloud services  Do customers get service level agreements which can be adapted to their needs? Will customers be able to monitor and manage them afterwards? Do the cloud interfaces offer sufficient and reliable information for the integration, control and monitoring tasks? How is data audited that is stored, transmitted and processed outside the company? Is there access to accounting information?

Data retention  For data stored in a cloud, the following questions need to be answered: How long can data be stored? How is data archived? How much is budgeted to retain data [125]? For retrieving data from the cloud, it is important to clarify: How can data be retrieved? How is data integrity maintained during this process? How is data removed and securely wiped from the cloud storage systems?

Service level agreements are most often used to clarify the majority of these questions [1]. Nevertheless, an SLA is of no help to a cloud customer without enforcement or traceability. It is important to give the customer the ability to check log data (physical, virtual and logical), the event transport and storage services, as well as the event processing rules derived from the SLAs.

From the technical point of view, the following challenges need to be covered [126]:

• Loss of 1:1 mapping: With the technology shift towards VMs and virtual landscapes, the 1:1 mapping between a service and a physical host is lost, so the customer can no longer tell where a workload actually runs.

• Static gets variable: IPs, data centres and servers change dynamically depending on demand, time of day, etc.

• Audit analysis: How can data be retrieved, correlated and extracted meaningfully in a permanently changing infrastructure (VM start and stop)?

• Audit as a service: For customers, it might be important to audit their business processes across multiple cloud providers.

Columns (focus areas): Control environment / company-level controls | Information security | IT service delivery / operations | Systems development | Financial reporting system | Specific technologies or incremental requirements

Best practices guidance: COBIT, COSO | ISO 27002 | ITIL, ISO 20000-2 | CMM / ISO 21827 | ITGI-SOX | ISO var., ANSI var., NIST var.

Certification / audit criteria / requirement: ISO 27001 (information security); ISO 20000-1 (IT service delivery / operations)

Regulatory / industry requirements: FFIEC, HIPAA, HITRUST, NIST, PCI, ISO 2700X, SOX, PCAOB, EV SSL

Audit framework: SAS 70, SysTrust, WebTrust, BITS FISAP, PCAOB, WebTrust CA, WebTrust EV, GAPP

Table 3.4: Industry standards for IT security [16]
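The SLA enforcement point above (the customer being able to check log data and the event processing rules derived from SLAs) and the technical challenges just listed (lost 1:1 mapping, static gets variable, audit analysis across VM start and stop) can be made concrete with a small tenant-partitioned audit analysis. The following Python is an added example written for this page, not code from the thesis or from any audit project it cites; the log format, tenant names, hosts, regions and the two SLA-derived rules (permitted regions, peak instance count) are constructed assumptions for illustration.

```python
"""Tenant-partitioned audit analysis over a provider-wide cloud event log.

Added example. The log schema, tenants, hosts and regions below are
constructed assumptions, not a real provider's log format.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed provider-wide log: several tenants interleaved, one VM
# migrating between hosts/regions (and changing IP), VMs starting/stopping.
SAMPLE_LOG = """\
2013-05-01T08:00:00Z tenant=acme vm=web-1 event=start host=dc-fra-07 region=eu-central ip=10.1.4.12
2013-05-01T08:00:05Z tenant=globex vm=db-3 event=start host=dc-ash-02 region=us-east ip=10.9.0.7
2013-05-01T08:10:00Z tenant=acme vm=web-2 event=start host=dc-fra-07 region=eu-central ip=10.1.4.13
2013-05-01T09:30:00Z tenant=acme vm=web-1 event=migrate host=dc-ash-02 region=us-east ip=10.9.0.22
2013-05-01T09:45:00Z tenant=acme vm=web-1 event=stop
2013-05-01T10:00:00Z tenant=acme vm=web-1 event=start host=dc-fra-03 region=eu-central ip=10.1.4.80
2013-05-01T12:00:00Z tenant=globex vm=db-3 event=stop
"""


def parse_ts(s):
    """ISO-8601 UTC timestamp ('...Z') to an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """One dict per line: key=value fields plus 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = parse_ts(ts)
        events.append(ev)
    return events


def partition_by_tenant(events):
    """Split the shared log so each customer only sees its own events."""
    by_tenant = defaultdict(list)
    for ev in events:
        by_tenant[ev["tenant"]].append(ev)
    return dict(by_tenant)


def vm_intervals(events):
    """Per VM: list of (start, end_or_None, host, region) running intervals.

    A 'migrate' closes the interval on the old host and opens a new one on
    the new host, so the VM name is never assumed to map 1:1 to a machine.
    """
    intervals = defaultdict(list)
    open_ = {}  # vm -> (start, host, region) of the interval currently running
    for ev in sorted(events, key=lambda e: e["ts"]):
        vm = ev["vm"]
        if ev["event"] in ("migrate", "stop") and vm in open_:
            start, host, region = open_.pop(vm)
            intervals[vm].append((start, ev["ts"], host, region))
        if ev["event"] in ("start", "migrate"):
            open_[vm] = (ev["ts"], ev["host"], ev["region"])
    for vm, (start, host, region) in open_.items():
        intervals[vm].append((start, None, host, region))  # still running
    return dict(intervals)


def location_violations(events, allowed_regions):
    """SLA/regulatory rule: every interval of every VM must lie in an allowed region."""
    return [(vm, start, region)
            for vm, ivs in vm_intervals(events).items()
            for start, _end, _host, region in ivs
            if region not in allowed_regions]


def availability(events, vm, window_start, window_end):
    """Fraction of [window_start, window_end) during which the VM ran on any host."""
    running = 0.0
    for start, end, _host, _region in vm_intervals(events).get(vm, []):
        end = end or window_end
        overlap = (min(end, window_end) - max(start, window_start)).total_seconds()
        running += max(overlap, 0.0)
    return running / (window_end - window_start).total_seconds()


def max_concurrent(events):
    """Peak number of simultaneously running VMs (instance cap / cost control)."""
    points = []
    for ivs in vm_intervals(events).values():
        for start, end, _host, _region in ivs:
            points.append((start, 1))
            if end is not None:
                points.append((end, -1))
    points.sort(key=lambda p: (p[0], p[1]))  # at equal ts, -1 before +1: a migrate is not counted twice
    cur = peak = 0
    for _ts, delta in points:
        cur += delta
        peak = max(peak, cur)
    return peak


if __name__ == "__main__":
    tenants = partition_by_tenant(parse_log(SAMPLE_LOG))
    acme = tenants["acme"]
    w0, w1 = parse_ts("2013-05-01T08:00:00Z"), parse_ts("2013-05-01T12:00:00Z")
    print("location violations:", location_violations(acme, {"eu-central"}))
    print("web-1 availability:", availability(acme, "web-1", w0, w1))
    print("peak instances:", max_concurrent(acme))
```

`partition_by_tenant` is exactly the step a provider-wide log lacks when it is not user-partitioned, and `vm_intervals` is where the lost 1:1 mapping is handled: location and availability are evaluated per host interval, so the migration of web-1 to a us-east host shows up as a region violation even though the VM name, and later its region, did not change from the customer's point of view.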

Towards a Cloud Audit - Audit Standards

Multiple industry standards exist regarding compliance, regulation and best practices. Compliance with these standards enables companies to perform IT security audits which fit their infrastructure. Since cloud infrastructures are a special kind of IT infrastructure, cloud service providers (CSPs) need to consider what IT services customers are allowed to run on their infrastructure and which industry standards apply to that business model. Table 3.4 shows the available industry standards and their specific focus [16]. Over the past three years, new IT security standards have appeared which are specialised for cloud infrastructures:

• CloudAudit A6: Automated Audit, Assertion, Assessment and Assurance API [127]

• EuroCloud Star Audit [95]

• Cloud Security Alliance Cloud Controls Matrix (CCM)

CloudAudit A6  Its goal is to provide a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment and Assurance (A6) of their cloud environments. Interoperability between different clouds, to avoid resource lock-in, is important: it should be ensured that virtual machines can be controlled and hosted at different cloud sites. Therefore, the cloud provider should offer standardised interfaces that make the cloud more transparent in a secure and reliable way. One such initiative is the DiffCloud interface, a language-independent REST API.

EuroCloud Star Audit  is a certificate for SaaS providers. It is the first specific certification for the Software as a Service model, issued by the German EuroCloud Deutschland eco e.V. [95]. The audit aims to establish a high level of security and transparency for users and providers alike. It starts with the provider's general profile, carries on with contract and compliance including data privacy protection, general security, operation and infrastructure and operation processes, and goes as far as application and implementation. The audit consists mainly of six steps:

1. Questionnaire: The SaaS provider fills out a questionnaire about company profile, contract clauses, compliance, security and safety, infrastructure, business processes and implementation.

2. Evaluation of questionnaire: Auditors evaluate the questionnaire.

3. Auditor interview: Auditors interview the SaaS provider about questionnaire details, validity of certifications and implementation of documentation processes.

4. On-site verification: Auditors verify in an on-site visit questionnaire details, validity of certifications and documentation processes. This includes a visit of the provider’s data centre if applicable.

5. Evaluation and star ranking: Auditors evaluate the results based on a point-based evaluation matrix to decide how many SaaS stars can be assigned. Detailed information about the matrix can be found in the EuroCloud quick reference [129].

6. Assignment of certificate: The provider gets 1–5 SaaS EuroCloud stars assigned, dependent on the results of the evaluation. The certificate is valid for 24 months.

Although EuroCloud Star Audit can already show some references of firms which successfully obtained the certificate [130], it remains unclear who the auditors are and how their qualification is verified.

Cloud Controls Matrix  Published by the Cloud Security Alliance, the Cloud Controls Matrix (CCM) is designed to provide fundamental security principles as guidance for cloud providers and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. It gives an overview of audit attributes for a cloud infrastructure and classifies which cloud service models and which cloud infrastructure components are affected by each attribute. It furthermore indicates which specific section of the available audit industry standards (as listed in Table 3.4) addresses the respective issue.

The analysis of cloud security issues (Section 3.4) identified open research topics in the area of cloud computing security. The literature review of cloud audit projects (Chapter 3.3) as well as the analysis of audits (Section 3.5) showed that they are a feasible approach to mitigating the identified problems. However, a cloud audit system needs to respect the cloud's characteristics, especially its flexibility and frequently changing infrastructure. There is clearly a need for a novel cloud audit system, since none exists so far. Thus, this research will continue with the development of a novel cloud audit system (to be presented in Chapter 4). To describe the main targets of the audit system to be developed, a well-acknowledged approach in software engineering is the definition of use cases, which describe the (non-)functional, architectural and derived requirements and the stakeholders of the target system.

Figure 3.5: Audit from the Cloud