The auditor''s guide to ensuring correct security and
privacy practices in a cloud computing environment
Many organizations are reporting or projecting a significant
cost savings through the use of cloud computing—utilizing shared
computing resources to provide ubiquitous access for organizations
and end users. Just as many organizations, however, are expressing
concern with security and privacy issues for their organization''s
data in the "cloud." Auditing Cloud Computing provides
necessary guidance to build a proper audit to ensure operational
integrity and customer data protection, among other aspects, are
addressed for cloud based resources.
Provides necessary guidance to ensure auditors address security
and privacy aspects that through a proper audit can provide a
specified level of assurance for an organization''s resources
Reveals effective methods for evaluating the security and
privacy practices of cloud services
A cloud computing reference for auditors and IT security
professionals, as well as those preparing for certification
credentials, such as Certified Information Systems Auditor
CISA
Timely and practical, Auditing Cloud Computing expertly
provides information to assist in preparing for an audit addressing
cloud computing security and privacy for both businesses and cloud
based service providers.
關於作者:
BEN HALPERT, CISSP, is an information security
researcher and practitioner. He has keynoted and presented sessions
at numerous conferences and was a contributing author to
Readings and Cases in the Management of Information Security
and the Encyclopedia of Information Ethics and Security.
Halpert writes a monthly security column for Mobile Enterprise
magazine as well as an IT blog www.benhalpert.com. He is also an
adjunct instructor and on the advisory board of numerous colleges
and universities.
目錄:
Preface xiii
Chapter 1: Introduction to Cloud Computing
History
Defining Cloud Computing
Elasticity
Multitenancy
Economics
Abstraction
Cloud Computing Services Layers
Infrastructure as a Service
Platform as a Service
Software as a Service
Roles in Cloud Computing
Consumer
Provider
Integrator
Cloud Computing Deployment Models
Private
Community
Public
Hybrid
Challenges
Availability
Data Residency
Multitenancy
Performance
Data Evacuation
Supervisory Access
In Summary
Chapter 2: Cloud-Based IT Audit Process
The Audit Process
Control Frameworks for the Cloud
ENISA Cloud Risk Assessment
FedRAMP
Entities Using COBIT
CSA Guidance
CloudAuditA6—The Automated Audit, Assertion, Assessment, and
Assurance API
Recommended Controls
Risk Management and Risk Assessment
Risk Management
Risk Assessment
Legal
In Summary
Chapter 3: Cloud-Based IT Governance
Governance in the Cloud
Understanding the Cloud
Security Issues in the Cloud
Abuse and Nefarious Use of Cloud Computing
Insecure Application Programming Interfaces
Malicious Insiders
Shared Technology Vulnerabilities
Data LossLeakage
Account, Service, and Traffic Hijacking
Unknown Risk Profile
Other Security Issues in the Cloud
Governance
IT Governance in the Cloud
Managing Service Agreements
Implementing and Maintaining Governance for Cloud Computing
Implementing Governance as a New Concept
Preliminary Tasks
Adopt a Governance Implementation Methodology
Extending IT Governance to the Cloud
In Summary
Chapter 4: System and Infrastructure Lifecycle Management for the
Cloud
Every Decision Involves Making a Tradeoff
Example: Business ContinuityDisaster Recovery
What about Policy and Process Collisions?
The System and Management Lifecycle Onion
Mapping Control Methodologies onto the Cloud
Information Technology Infrastructure Library
Control Objectives for Information and Related Technology
National Institute of Standards and Technology
Cloud Security Alliance
Verifying Your Lifecycle Management
Always Start with Compliance Governance
Verification Method
Illustrative Example
Risk Tolerance
Special Considerations for Cross-Cloud Deployments
The Cloud Provider’s Perspective
Questions That Matter
In Summary
Chapter 5: Cloud-Based IT Service Delivery and Support
Beyond Mere Migration
Architected to Share, Securely
Single-Tenant Offsite Operations
Managed Service Providers
Isolated-Tenant Application Services
Application Service Providers
Multitenant Cloud Applications and Platforms
Granular Privilege Assignment
Inherent Transaction Visibility
Centralized Community Creation
Coherent Customization
The Question of Location
Designed and Delivered for Trust
Fewer Points of Failure
Visibility and Transparency
In Summary
Chapter 6: Protection and Privacy of Information Assets in the
Cloud
The Three Usage Scenarios
What Is a Cloud? Establishing the Context—Defining Cloud
Solutions and their Characteristics
What Makes a Cloud Solution?
Understanding the Characteristics
Service Based
On-Demand Self-Service
Broad Network Access
Scalable and Elastic
Unpredictable Demand
Demand Servicing
Resource Pooling
Managed Shared Service
Auditability
Service Termination and Rollback
Charge by Quality of Service and Use
Capability to Monitor and Quantify Use
Monitor and Enforce Service Policies
Compensation for Location Independence
Multitenancy
Authentication and Authorization
Confidentiality
Integrity
Authenticity
Availability
Accounting and Control
Collaboration Oriented Architecture
Federated Access and ID Management
The Cloud Security Continuum and a Cloud Security Reference
Model
Cloud Characteristics, Data Classification, and Information
Lifecycle Management
Cloud Characteristics and Privacy and the Protection
of Information Assets
Information Asset Lifecycle and Cloud Models
Data Privacy in the Cloud
Data Classification in the Context of the Cloud
Regulatory and Compliance Implications
A Cloud Information Asset Protection and Privacy Playbook
In Summary
Chapter 7: Business Continuity and Disaster Recovery
Business Continuity Planning and Disaster Recovery
Planning Overview
Problem Statement
The Planning Process
The Auditor’s Role
Augmenting Traditional Disaster Recovery with Cloud Services
Cloud Computing and Disaster Recovery: New Issues to Consider
Cloud Computing Continuity
Audit Points to Emphasize
In Summary
Chapter 8: Global Regulation and Cloud Computing
What is Regulation?
Federal Information Security Management Act
Sarbanes-Oxley Law
Health Information Privacy Accountability Act
GrahamLeachBliley Act
Privacy Laws
Why Do Regulations Occur?
Some Key Takeaways
The Real World—A Mixing Bowl
Some Key Takeaways
The Regulation Story
Privacy
International Export Law and Interoperable Compliance
Effective Audit
Identifying Risk
In Summary
Chapter 9: Cloud Morphing: Shaping the Future of Cloud Computing
Security and Audit
Where Is the Data?
A Shift in Thinking
Cloud Security Alliance
CloudAudit 1.0
Cloud Morphing Strategies
Virtual Security
Data in the Cloud
Cloud Storage
Database Classes in the Cloud
Perimeter Security
Cryptographic Protection of the Data
In Summary
Appendix: Cloud Computing Audit Checklist
About the Editor
About the Contributors
Index