Auditing in Cloud Computing

SYSTEMATIC THOUGHT LEADERSHIP FOR INNOVATIVE BUSINESS

Jonathan Sinclair
SAP Research, CEC Belfast
SAP (UK) Ltd.

25th March 2010
Agenda

  1. Background
     1.1 Cloud Computing
     1.2 IT Auditing
  2. Why do Businesses care?
  3. Traditional view
  4. Services: The New Delivery Model
  5. Current Auditing Areas & Problems
  6. Challenges for Auditing in Cloud

© SAP 2010 / Page 2
Cloud Computing
  a definition framework
  Compliance, Governance, Regulation, Security, Risk

  Reference: “Rational Survivability Blog”, Chris Hoff, http://www.rationalsurvivability.com/blog/?p=519

IT Auditing
  setting the scene

  Definition of IT Auditing
  The process of collecting and evaluating evidence to determine whether a computer
  system (information system) safeguards assets, maintains data integrity, achieves
  organizational goals effectively and consumes resources efficiently.
  Definition: Information Systems Control and Audit, Ron Weber

  Standards and regulations by area:
    Financial and Commerce
      • PCI DSS
      • Gramm-Leach-Bliley Act (US)
      • Sarbanes–Oxley (SOX)
    Social and Labour
      • SAS70
      • HIPAA
    Public Safety
      • EU Directive on Data Security
      • Data Protection Act (UK)
      • Federal Information Security Act (US)
    Security
      • ISO 27k (International Standards Organisation)

Why do Businesses care?

  Auditing for Compliance

  Regulation: A principle, rule, or law designed to control or govern conduct

  Forms of regulation (diagram): Legal, Social, Market, Self, Co-operative

Why do Businesses care?

  Auditing for Governance and Risk

  IT Governance is concerned with how the performance and risk of an IT landscape are
  administered.

  Elements of governance (diagram): Processes, Institutions, Customs, Laws, Policies

Why do Businesses care?

  Auditing for Security

  IT Security in Cloud is mainly concerned with data access and user privileges, in both
  the physical and virtual layers.

  Dimensions of security (diagram): Technical, Admin, Physical, Virtual

Past
  deep dive

  User
    • Access Rights
    • Policies
    • Reporting, Logging

  Network
    • VPN, Firewall, Intrusion Detection
    • Event Logging

  Application
    • User Privileges
    • Logging (Access, Transactions, Change Management)

  DB
    • User Privileges
    • Security Policies (Password Encryption, Data Encryption)
    • Logging (Access, Record Management)
    • Data Replication

Auditing was hard, but now:

  1:1 mapping doesn’t exist anymore
    • Ex: VMs, Virtual Landscapes, etc.

  What typically used to be static is not anymore
    • Ex: Dynamic change of IP, domain, datacenter, server, etc.

  Audit Analysis – Data Storm problem
    • How to retrieve, correlate and extract meaningful data from an ever increasing
      number of data sources.
    • Tracking change becomes a priority

  Auditing is becoming a service
    • Consumers may need to track Business Processes across multiple providers;
      an audit trail may span multiple domains

Services: The New Delivery Model

  Past: Software as Product
    • License model
    • Customization required
    • Managed by customer:
      • customer buys application.

  Present: Software as Service
    • Pay per use / Subscription model
    • Remote delivery
    • Managed by service provider:
      • customer buys access to application

  Future: Business Services
    • Composite Services
    • Business-process-focused
    • Services provisioned by service provider:
      • customer buys a service with no awareness of application.

Present
  deep dive

  (Diagram taken from 2006 JavaOne Conference | Session TS-1591)

  Business Continuity
    • Contract of BC Procedures
    • Disaster Recovery Procedures
    • Permissions of External Services
    • Logging (Access, Data Management)

Future?
  outlook

  (Diagram adapted from Chris Hoff - Draft v4.0)

Data Confidentiality, Privacy, Integrity


  Problems:
  •  Data stored, transmitted and processed outside of the organisation
  •  Shared computing environments
  •  No physical control of data
  •  Physical and logical access managed by the provider
  •  No controls to prevent data modification
  •  No logging events on data (access, modification, transmission)

  Implementation Challenges:
  •  Data logging and monitoring
  •  Separation of user directories and access control
  •  Data security (encryption, key management, digital signatures)
  •  Access control & reviews (firewalls, VPN)
  •  Data Isolation
  •  Define standards (information classification, encryption)
  •  Procedural reviews (redundancy, error recovery)

Service Availability

  Problems:
  •  Network connectivity
     •  Bottlenecking
     •  Multi-tenancy
     •  Availability
  •  Limited ability for change control
  •  Provider viability
  •  Reliance on provider’s disaster recovery procedures

  Implementation Challenges:
  •  Caching to address potential network issues
  •  SLAs
     •  ISP Network Availability
  •  Change Control Process
  •  Multiple Providers
  •  Data Retrieval Process

Regulations and Compliance

  Problems:
  •  Data subject to new laws
  •  Exposure to foreign governments and subpoenas
  •  Retention requirements vary among jurisdictions
  •  Audit of provider’s environment
  •  Increased complexity to comply with standards

  Implementation Challenges:
  •  Storage and transmission policies for jurisdictions
  •  Agreement for privacy laws
  •  Provider security certifications
  •  External Audit review
  •  Limit types of data transmission

Problems arising from Cloud for Auditing

  (Diagram: IT Auditing, covering Compliance, Governance, Regulation, Security & Risk,
  sits at the centre, surrounded by the areas it has to address:)
  Licensing, SLAs, Application Controls, Networking, Change Management,
  Patch Management, Fraud, Privacy, Identity, Access, Outsourcing, Assurance,
  Compensation, Prevention, Business Continuity, Management, Improve Performance,
  Assess Deficiency, Responsibility, Risk, Regulation

Challenges for Auditing in Cloud

  •  Federation of audit logs from distributed sources across multiple domains
  •  Architecture and protocols for storage and retrieval of secure distributed audit logs
  •  Compliance analysis of federated audit logs for SLAs and Regulation
  •  Audit-based access of physical / network-based resources

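The following Python script is an added example, not code from the deck or from SAP; it shows in working form what the first three challenges above, the "Data Storm" correlation problem and the "audit trail may span multiple domains" point, and the "no controls to prevent data modification" problem of the Data Confidentiality slide mean in practice. Three hypothetical providers (crm.example, payments.example, storage.example, all constructed, with constructed HMAC keys) export signed audit events; the auditor federates them into one trail per business process, verifies each record's HMAC to detect post-hoc modification, and checks the trail against a constructed storage-jurisdiction policy and a constructed end-to-end SLA.

```python
import hashlib
import hmac
import json
from collections import defaultdict
from datetime import datetime, timezone

# Hypothetical per-provider HMAC keys (constructed). Distributing them is the
# key-management challenge the deck lists; here they are simply embedded.
PROVIDER_KEYS = {
    "crm.example": b"constructed-key-crm",
    "payments.example": b"constructed-key-payments",
    "storage.example": b"constructed-key-storage",
}
ALLOWED_REGIONS = {"EU"}  # hypothetical storage-jurisdiction policy
SLA_SECONDS = 60          # hypothetical end-to-end limit per business process

def canonical(record: dict) -> bytes:
    """Canonical JSON of the record minus its signature, so producer and
    auditor sign and verify identical bytes regardless of key order."""
    body = {k: v for k, v in record.items() if k != "sig"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_record(record: dict, key: bytes) -> str:
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()

def verify_record(record: dict) -> bool:
    """True only if the record carries a valid HMAC under its domain's key."""
    key = PROVIDER_KEYS.get(record.get("domain"))
    sig = record.get("sig")
    if key is None or not isinstance(sig, str):
        return False
    return hmac.compare_digest(sign_record(record, key), sig)

def make_record(domain, ts, process_id, actor, action, **extra) -> dict:
    """What a provider's logging component emits: a signed, schema-normalised event."""
    rec = {"domain": domain, "ts": ts, "process_id": process_id,
           "actor": actor, "action": action, **extra}
    rec["sig"] = sign_record(rec, PROVIDER_KEYS[domain])
    return rec

def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def federate(exports: list) -> dict:
    """Merge JSON-lines exports from several providers into one trail per
    business process, ordered by timestamp: the cross-domain audit trail."""
    trails = defaultdict(list)
    for export in exports:
        for line in export.splitlines():
            if line.strip():
                rec = json.loads(line)
                trails[rec["process_id"]].append(rec)
    for recs in trails.values():
        recs.sort(key=lambda r: r["ts"])
    return dict(trails)

def analyse(trail: list) -> list:
    """Compliance analysis of one federated trail; returns a list of findings."""
    findings = []
    for rec in trail:
        if not verify_record(rec):
            findings.append(f"integrity: {rec['domain']} {rec['action']} record fails HMAC check")
        if rec["action"] == "data.store" and rec.get("region") not in ALLOWED_REGIONS:
            findings.append(f"jurisdiction: data stored in region {rec.get('region')}")
    missing = set(PROVIDER_KEYS) - {r["domain"] for r in trail}
    if missing:  # a provider never logged anything for this process
        findings.append(f"coverage: no events from {sorted(missing)}")
    elapsed = (parse_ts(trail[-1]["ts"]) - parse_ts(trail[0]["ts"])).total_seconds()
    if elapsed > SLA_SECONDS:
        findings.append(f"sla: process took {elapsed:.0f}s, limit {SLA_SECONDS}s")
    return findings

def audit(exports: list) -> dict:
    """Map each business process id to its findings (empty list = compliant)."""
    return {pid: analyse(trail) for pid, trail in federate(exports).items()}

# Constructed sample exports. ord-1 is clean; ord-2 has a payments record
# altered after signing, data stored outside the allowed region, and a slow
# end-to-end path, so the auditor should raise three findings for it.
_tampered = make_record("payments.example", "2010-03-25T10:05:30Z", "ord-2",
                        "bob", "payment.authorise", amount=100)
_tampered["amount"] = 1  # post-signing modification: the HMAC no longer matches

CRM_EXPORT = "\n".join(json.dumps(r) for r in [
    make_record("crm.example", "2010-03-25T10:00:00Z", "ord-1", "alice", "order.create"),
    make_record("crm.example", "2010-03-25T10:05:00Z", "ord-2", "bob", "order.create"),
])
PAYMENTS_EXPORT = "\n".join(json.dumps(r) for r in [
    make_record("payments.example", "2010-03-25T10:00:10Z", "ord-1", "alice",
                "payment.authorise", amount=40),
    _tampered,
])
STORAGE_EXPORT = "\n".join(json.dumps(r) for r in [
    make_record("storage.example", "2010-03-25T10:00:20Z", "ord-1", "svc-crm",
                "data.store", region="EU"),
    make_record("storage.example", "2010-03-25T10:07:00Z", "ord-2", "svc-crm",
                "data.store", region="US"),
])
```

Running `audit([CRM_EXPORT, PAYMENTS_EXPORT, STORAGE_EXPORT])` yields no findings for ord-1 and an integrity, a jurisdiction and an SLA finding for ord-2; a real deployment would replace the embedded keys with provider-issued ones and the JSON-lines exports with each provider's log retrieval interface.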
Thank you!

  Jonathan Sinclair
  Research Associate
  SAP Research CEC Belfast

  SAP [UK] Ltd
  The Concourse, Queen's Road
  Queen's Island, Titanic Quarter
  Belfast BT3 9DT

  T +44 (0)28 9078 5749
  F +44 (0)28 9078 5777
  E jonathan.sinclair@sap.com
  www.sap.com/research
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 

Recently uploaded (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 

Cloud Auditing

Slide transcript

1. Auditing in Cloud Computing
   SYSTEMATIC THOUGHT LEADERSHIP FOR INNOVATIVE BUSINESS
   Jonathan Sinclair, SAP Research, CEC Belfast, SAP (UK) Ltd.
   25th March 2010

2. Agenda
   1. Background
      1.1 Cloud Computing
      1.2 IT Auditing
   2. Why do Businesses care?
   3. Traditional view
   4. Services: The New Delivery Model
   5. Current Auditing Areas & Problems
   6. Challenges for Auditing in Cloud

3. Cloud Computing: a definition framework
   Compliance, Governance, Regulation, Security, Risk
   [Diagram] Reference: "Rational Survivability Blog", Chris Hoff, http://www.rationalsurvivability.com/blog/?p=519

4. IT Auditing: setting the scene
   Definition of IT Auditing: the process of collecting and evaluating evidence to determine whether a computer system (information system) safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources efficiently.
   (Definition: Information Systems Control and Audit, Ron Weber)

   Regulations by area:
   • Financial and Commerce: PCI DSS; Gramm-Leach-Bliley Act (US); Sarbanes–Oxley (SOX)
   • Social and Labour: SAS70; HIPAA
   • Public Safety: EU Directive on Data Security; Data Protection Act (UK); Federal Information Security Act (US)
   • Security: ISO 27k (International Standards Organisation)

5. Why do Businesses care? Auditing for Compliance
   Regulation: a principle, rule, or law designed to control or govern conduct.
   [Diagram] Forms of regulation: Legal, Co-operative, Social, Self, Market

6. Why do Businesses care? Auditing for Governance and Risk
   IT Governance is concerned with how the performance and risk of an IT landscape are administered.
   [Diagram] Governance is shaped by: Processes, Institutions, Customs, Laws, Policies

7. Why do Businesses care? Auditing for Security
   IT Security in Cloud is mainly concerned with data access and user privileges, in both the physical and virtual layers.
   [Diagram] Security dimensions: Technical, Admin, Physical, Virtual

8. Past deep dive
   • User
     - Access Rights
     - Policies
     - Reporting, Logging
   • Network
     - VPN, Firewall, Intrusion Detection
     - Event Logging
   • Application
     - User Privileges
     - Logging (Access, Transactions, Change Management)
   • DB
     - User Privileges
     - Security Policies (Password Encryption, Data Encryption)
     - Logging (Access, Record Management)
     - Data Replication

9. Auditing was hard, but now:
   • The 1:1 mapping doesn't exist anymore
     - Ex: VMs, Virtual Landscapes, etc.
   • What typically used to be static is not anymore
     - Ex: Dynamic change of IP, domain, Datacenter, server, etc.
   • Audit Analysis: the Data Storm problem
     - How to retrieve, correlate and extract meaningful data from an ever-increasing number of data sources
     - Tracking change becomes a priority
   • Auditing is becoming a service
     - Consumers may need to track Business Processes across multiple providers; an audit trail may span multiple domains

10. Services: The New Delivery Model
   • Past: Software as Product
     - License model
     - Customization required
     - Managed by customer: customer buys application
   • Present: Software as Service
     - Pay per use / Subscription model
     - Remote delivery
     - Managed by service provider: customer buys access to application
   • Future: Business Services
     - Composite Services
     - Business-process-focused
     - Services provisioned by service provider: customer buys a service with no awareness of application

11. Present deep dive (taken from 2006 JavaOne Conference | Session TS-1591)
   • Business Continuity
     - Contract of BC Procedures
     - Disaster Recovery Procedures
   • Permissions of External Services
   • Logging (Access, Data Management)

12. Future? outlook
   [Diagram] Adapted from Chris Hoff, Draft v4.0

13. Data Confidentiality, Privacy, Integrity
   Problems:
   • Data stored, transmitted and processed outside of the organisation
   • Shared computing environments
   • No physical control of data
   • Physical and logical access managed by the provider
   • No controls to prevent data modification
   • No logging of events on data (access, modification, transmission)
   Implementation Challenges:
   • Data logging and monitoring
   • Separation of user directories and access control
   • Data security (encryption, key management, digital signatures)
   • Access control & reviews (firewalls, VPN)
   • Data Isolation
   • Define standards (information classification, encryption)
   • Procedural reviews (redundancy, error recovery)

14. Service Availability
   Problems:
   • Network connectivity
   • Bottlenecking
   • Multi-tenancy availability
   • Limited ability for change control
   • Provider viability
   • Reliance on provider's disaster recovery procedures
   Implementation Challenges:
   • Caching to address potential network issues
   • SLAs
   • ISP network availability
   • Change control process
   • Multiple providers
   • Data retrieval process

15. Regulations and Compliance
   Problems:
   • Data subject to new laws
   • Exposure to foreign governments and subpoenas
   • Retention requirements vary among jurisdictions
   • Audit of provider's environment
   • Increased complexity to comply with standards
   Implementation Challenges:
   • Storage and transmission policies for jurisdictions
   • Agreement for privacy laws
   • Provider security certifications
   • External audit review
   • Limit types of data transmission

16. Problems arising from Cloud for Auditing
   [Diagram] IT Auditing, spanning Compliance, Governance, Regulation, Security & Risk, touches: Application Controls, Change Management, Patch Management, Licensing, SLAs, Networking, Fraud Prevention, Privacy, Identity Management, Access, Outsourcing, Compensation, Assurance, Business Continuity, Improve Performance, Assess Deficiency, Responsibility, Risk, Regulation

17. Challenges for Auditing in Cloud
   • Federation of audit logs and protocols from distributed sources across multiple domains
   • Architecture for storage and retrieval of secure distributed audit logs
   • Compliance analysis of federated audit logs for SLAs and Regulation
   • Audit-based access to physical / network-based resources

18. Thank you!
   Jonathan Sinclair, Research Associate
   SAP Research CEC Belfast, SAP [UK] Ltd
   The Concourse, Queen's Road, Queen's Island, Titanic Quarter, Belfast BT3 9DT
   T +44 (0)28 9078 5749
   F +44 (0)28 9078 5777
   E jonathan.sinclair@sap.com
   www.sap.com/research
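Slides 13 and 17 name the problems (no controls to prevent data modification, no logging of events on data, audit trails that span several provider domains) without saying how a secure, federated audit log might be built. The following is an added example, not code from the slides or from SAP: a hash-chained, HMAC-tagged append-only log per provider, a verifier that detects modification, reordering, forgery and truncation, and a federation step that merges only verified entries into one cross-domain trail for a business transaction. The provider names (`saas-crm`, `iaas-eu-west`), transaction ids, timestamps and log keys are all constructed for the illustration; in practice the keys would live with the consumer or an independent auditor, not with the provider whose log they protect.

```python
"""Hash-chained, HMAC-tagged audit logs with cross-provider correlation.

Added example for the 'secure distributed audit logs' and 'federation of
audit logs across domains' challenges.  Every provider, key, transaction
id and event below is constructed sample data.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the first entry in any log


def _canonical(obj) -> bytes:
    # Deterministic serialisation so every verifier hashes identical bytes
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class AuditEntry:
    seq: int
    provider: str
    txn_id: str            # business-process id shared across provider domains
    event: Dict[str, str]  # who/what/when; 'ts' is an ISO-8601 timestamp
    prev_hash: str         # hash of the previous entry (the chain link)
    entry_hash: str        # SHA-256 over seq, provider, txn_id, event, prev_hash
    tag: str               # HMAC-SHA256 over entry_hash with the log key

    def body(self) -> dict:
        return {"seq": self.seq, "provider": self.provider, "txn_id": self.txn_id,
                "event": self.event, "prev_hash": self.prev_hash}


class AuditLog:
    """One provider's append-only log (hypothetical; names are constructed)."""

    def __init__(self, provider: str, key: bytes):
        self.provider = provider
        self._key = key
        self.entries: List[AuditEntry] = []

    def head(self) -> str:
        # The consumer records this out of band so truncation can be detected
        return self.entries[-1].entry_hash if self.entries else GENESIS

    def append(self, txn_id: str, event: Dict[str, str]) -> AuditEntry:
        body = {"seq": len(self.entries), "provider": self.provider,
                "txn_id": txn_id, "event": event, "prev_hash": self.head()}
        entry_hash = hashlib.sha256(_canonical(body)).hexdigest()
        tag = hmac.new(self._key, entry_hash.encode(), hashlib.sha256).hexdigest()
        entry = AuditEntry(**body, entry_hash=entry_hash, tag=tag)
        self.entries.append(entry)
        return entry


def verify_chain(entries: List[AuditEntry], key: bytes,
                 expected_head: Optional[str] = None) -> Optional[str]:
    """Return None if the log is intact, otherwise a short reason.

    The chain catches modified, reordered or deleted entries, the HMAC catches
    entries forged without the key, and the recorded head catches truncation
    (silently dropping the newest entries), which a chain alone cannot see."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.seq != i or e.prev_hash != prev:
            return f"chain broken at seq {i}"
        if hashlib.sha256(_canonical(e.body())).hexdigest() != e.entry_hash:
            return f"content modified at seq {i}"
        expected = hmac.new(key, e.entry_hash.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, e.tag):
            return f"bad tag at seq {i}"
        prev = e.entry_hash
    if expected_head is not None and prev != expected_head:
        return "log truncated: head does not match recorded head"
    return None


def federated_trail(txn_id: str, logs: Dict[str, Tuple[AuditLog, bytes]]
                    ) -> Tuple[List[Tuple[str, Dict[str, str]]], Dict[str, str]]:
    """Merge verified entries for one transaction across providers by time.

    Entries from a log that fails verification are excluded, and the failure
    is reported per provider so the auditor knows whose evidence is suspect."""
    trail, failures = [], {}
    for name, (log, key) in logs.items():
        problem = verify_chain(log.entries, key)
        if problem:
            failures[name] = problem
            continue
        trail.extend((name, e.event) for e in log.entries if e.txn_id == txn_id)
    trail.sort(key=lambda item: item[1]["ts"])
    return trail, failures


def build_sample_logs() -> Dict[str, Tuple[AuditLog, bytes]]:
    """Constructed sample: a SaaS application and the IaaS layer hosting it."""
    saas = AuditLog("saas-crm", b"saas-log-key")       # constructed keys
    iaas = AuditLog("iaas-eu-west", b"iaas-log-key")
    saas.append("T-1001", {"ts": "2010-03-25T09:00:01Z", "user": "alice", "action": "login"})
    iaas.append("T-1001", {"ts": "2010-03-25T09:00:02Z", "vm": "vm-42", "action": "attach-volume"})
    saas.append("T-1001", {"ts": "2010-03-25T09:00:05Z", "user": "alice", "action": "export-customers"})
    saas.append("T-2002", {"ts": "2010-03-25T09:01:00Z", "user": "bob", "action": "login"})
    return {"saas-crm": (saas, b"saas-log-key"), "iaas-eu-west": (iaas, b"iaas-log-key")}


if __name__ == "__main__":
    logs = build_sample_logs()
    for provider, event in federated_trail("T-1001", logs)[0]:
        print(provider, event)
    logs["saas-crm"][0].entries[2].event["action"] = "view-customers"  # after-the-fact edit
    print(federated_trail("T-1001", logs)[1])
```

The design choice worth noting is the `expected_head` parameter: a hash chain on its own proves nothing about entries a provider simply never hands over, so the consumer (or a third-party auditor) must anchor the latest head hash outside the provider's control, for example by having the provider return it in every SLA report. Compliance analysis across SLAs and regulations, as slide 17 puts it, then runs over `federated_trail` output rather than over each provider's raw export.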