An auditor’s perspective on The Cloud

In the last publication of ISACA Journal for 2009, Sailesh Gadia of KPMG writes “Cloud Computing: An Auditor’s Perspective“.

The article is of particular interest to me, as I have an upcoming audit and applications in the Cloud.

Gadia cites these risks.

  • User administration of cloud resources occurs over the Internet. Unless the cloud user sets up a secure or an encrypted line, the communication happens over the Internet in clear text.
  • Administrators use browsers for administration of cloud instances, and as we all know, browsers have known security vulnerabilities and could lead to security issues.
  • IT’s secure environment is in effect extended to the cloud service provider, which from the IT perspective is a great unknown.
  • Security models and standards are still emerging, which complicates and compounds security threats and responsibilities.
  • The virtualization technology inherent in cloud computing is a risk in itself. Virtual machine and hypervisor root kits are a viable and likely threat and instances may not be sufficiently isolated from one another.
  • The database administrator may unintentionally leave data on disk devices provided by the cloud service provider.
  • The cloud vendor’s employees likely have access to sensitive data stored on their servers.
  • There are still concerns over availability, citing last years and GoogleApps outages.
  • Vendor failure is a real possibility, resulting in questions of moving production and recovering data assets.

He recommends these as best practices in the Cloud, from the perspective of ISACAs “CIA” (Confidentiality, Availability and Integrity).

  • “Store only nonprivate data in the cloud. Cloud users can retain sensitive information in-house and reconnect after processing data in the cloud. For example, before using a cloud service provider, a health care claims processor made some modifications to its architecture to ensure that it was secure. The main modification to the architecture was reduction/elimination of protected health information (PHI) in the data processed by the cloud service provider. The health care claims processor simply encrypts and sends the data it needs processed to the cloud while it retains the majority of the PHI in house and reconnects it with the processed data upon their return.
  • Use data-at-rest encryption when using a Database as a Service (DaaS) cloud service provider.
  • Avoid database-level integration between DaaS and on-premises data, as it requires opening special network ports.
  • Retain highly customized and transaction-heavy applications in house.
  • Secure network connections for cloud administration.
  • Use more than one cloud service provider or use a cloud service provider with multilocation/multicountry presence (depending on need).
  • Audit and log administrator actions and key entry points.

Cloud standards are emerging and there are indeed inherent loose ends, but clouds are in our future.