
    Cloud Security Auditing: Challenges and Emerging Approaches

    Jungwoo Ryoo, Syed Rizvi, William Aiken, and John Kissell

    Penn State University


    An Information Technology (IT) auditor collects information on an organization's information systems, practices, and operations and critically analyzes the information for improvement. One of the primary goals of an IT audit is to determine if the information system and its maintainers are meeting both the legal expectations of protecting customer data and the company standards of achieving financial successes against various security threats. These goals are still relevant to the newly emerging cloud computing model of business, but with a need for customization. We believe that there are clear differences between cloud and traditional IT security auditing, which is validated by our interviews with cloud security auditors. Therefore, this paper explores potential challenges unique to cloud security auditing. The paper also examines additional challenges specific to particular cloud computing domains such as banking, medical, and government sectors. Finally, we present emerging cloud-specific security auditing approaches and provide our critical analysis.


    Cloud computing, as defined by the National Institute of Standards and Technology (NIST) in Special Publication 800-145, is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction (Mell, 2011). In essence, cloud computing can be described as the use of computing resources, both hardware and software, that are provided over a network and require minimal interaction between users and providers. NIST goes further and lists five "essential characteristics" that together compose a cloud model; these five characteristics, in no particular order, are: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service (Mell, 2011).

    Digital Object Identifier 10.1109/MSP.2013.132 1540-7993/$26.00 2013 IEEE

    This article has been accepted for publication in IEEE Security and Privacy but has not yet been fully edited. Some content may change prior to final publication.

    There are primarily three service models (or service types) commonly implemented in the cloud: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). Regardless of the service type, one of the most significant challenges in cloud computing is security, and the oversight needed to enhance it. Audits provide a clear and recognizable trail of resource access for both companies and governments. Typically, audits fall into two main categories, internal and external audits, and we use this dichotomy throughout the paper. Internal audits refer to work done by employees of the company; they concern themselves with very specific processes within the company, primarily focusing on optimization and risk management. External audits give an outside perspective on the company's ability to meet the requirements of various laws and regulations. Organizations have used traditional IT audits to evaluate issues such as availability to authorized users, and integrity and confidentiality in the storage and transmission of data. Cloud audits must be able to meet these same standards in the context of cloud computing.

    Do traditional IT security audit models meet the needs of cloud systems? What happens if the information system is completely overhauled, and all of an organization's IT resources are put in the hands of someone else (i.e., in the cloud)? By definition, cloud computing allows an organization to perform the necessary computing tasks on remote servers via a network connection while passing off the complex tasks of actual networking to a third party. Since cloud computing serves multiple users across a large domain, it is exposed to novel security threats. These range from confidentiality threats when two different businesses have their data stored together (i.e., colocation due to multi-tenancy) to encryption concerns in both the client and cloud companies (such as who keeps the encryption keys). These new threats pose new challenges for security auditing, but cloud advocates are responding to them. Already there are groups such as the Cloud Security Alliance (CSA) urging the standardization of the practice of auditing cloud confidentiality, integrity, and availability.

    In this research paper, our primary research goal is to highlight the essential challenges that separate cloud security auditing from the traditional IT security auditing practices. These challenges mark the distinction between the two auditing approaches and highlight the importance of special provisions for cloud security auditing in the existing security auditing standards. Although security audits on cloud computing and those on traditional IT have similar goals and objectives, the details of how they are evaluated, such as scope, emphasis, depth, etc., divide the audits into two very distinct processes.

    In addition to the differences between the cloud and conventional IT security auditing, the specifics of cloud security auditing can vary depending on what domain the cloud is used for. These domains include medical, banking, and government sectors, and we identify the subtle differences that require somewhat different approaches despite the largely common body of the core cloud security auditing methodology.

    We also investigate, in the Emerging Approaches section, the cutting edge of standards being used by the cloud industry to maintain a consistent line of defense against these security threats. To validate our research, we conducted a series of interviews with experienced cloud security auditors and incorporated their insights and advice into the discussions in the following sections. Some new ideas from the perspective of practitioners have also emerged from our discussions with the auditors.


    A traditional IT security audit is an examination of the checks, balances, and controls within an IT group. An IT security audit collects, evaluates, and tests information on an organization's systems, practices, and operations, and it determines if the systems are safeguarding the information assets, maintaining data integrity, and operating effectively to achieve the organization's business goals or objectives (Cannon, 2011). Therefore, IT security auditing needs to analyze the data from internal and external sources to support audit objectives accurately.

    The cloud computing field is a flourishing industry that comes with its own set of new security challenges. A cloud infrastructure is the result of a constant three-way negotiation among service organizations, cloud service providers (CSPs), and end users to ensure productivity while maintaining a reasonable degree of security. The CSP should keep data safe from security threats and yet give the client access anywhere with an Internet service. A client organization also needs to verify that the cloud computing enterprise is contributing to its business goals and objectives, and future needs.

    Although both conventional IT security auditing and cloud security auditing share many common concerns, a security audit of the cloud system has to consider and address unique problems typically not handled in the traditional IT security audits.

    According to our interviews, the most immediate and obvious challenge lies in acquiring sufficient knowledge in cloud computing for an auditor to know what additional items to audit in order to address cloud-specific security concerns. Therefore, to function as an effective cloud security auditor, familiarity with cloud computing terminology and working knowledge of what constitutes a cloud system and how cloud services are delivered are essential. This knowledge then enables a cloud security auditor to pay special attention to a set of security factors that may be emphasized much less in a traditional IT security auditing process. These factors include transparency, encryption, colocation, scale, scope, and complexity concerns which are discussed in detail in the following subsections and summarized in .


    An audit must check whether a CSP keeps security-relevant data transparent to its customers. Transparency allows an organization to more easily identify potential security risks and threats and also create and develop the right countermeasures and recommendations for its enterprise (Pauley, 2010). By having access to accurate information, a cloud service user (CSU) can reduce the risk of threats being manifested.

    A good cloud security audit would question if the CSP provides a solid balance between security procedures and end-user access. Employees may need to access the cloud from h
