Cloud computing is a paradigm evolution that benefits from virtualisation technologies and introduces “everything-as-a-service” as a technical and business concept supported by pay-per-use pricing models. Whilst the on-demand characteristics of this novel paradigm provide revolutionary advances in technical ability, the changes while incorporating this into an IT infrastructure raise many complex problems and risks with regards to auditing. Auditing is the process of tracing and logging significant events the take place during the system run-time for analysis, and can be seen as a vital tool in validating and securing systems.

1. Auditing in Cloud Computing
SYSTEMATIC THOUGHT LEADERSHIP FOR INNOVATIVE BUSINESS
Jonathan Sinclair
SAP Research, CEC Belfast
SAP (UK) Ltd.
25th March 2010

2. Agenda
1. Background
1.1 Cloud Computing
1.2 IT Auditing
2. Why do Business’ care?
3. Traditional view
4. Services: The New Delivery Model
5. Current Auditing Areas & Problems
6. Challenges for Auditing in Cloud
© SAP 2010 / Page 2

3. Cloud Computing
a definition framework
Compliance, Governance, Regulation, Security, Risk
Reference: “Rational Survivability Blog”. Chris Hoff. http://www.rationalsurvivability.com/blog/?p=519
© SAP 2010 / Page 3

4. IT Auditing
setting the scene
Definition of IT Auditing
The process of collecting and evaluating evidence to determine whether a computer
system (information system) safeguards assets, maintains data integrity, achieves
organizational goals effectively and consumes resources efficiently.
Definition: Information Systems Control and Audit, Ron Weber
• PCI DSS
Financial and • Gramm-Leach-Bliley Act (US)
Commerce
• Sarbanes–Oxley (SOX)
Social and • SAS70
Labour • HIPAA
• EU Directive on Data Security
Public Safety • Data Protection Act (UK)
• Federal Information Security Act (US)
• ISO 27k (International Standards
Security Organisation)
© SAP 2010 / Page 4

5. Why do Business’ care?
Auditing for Compliance
Regulation: A principle, rule, or law designed to control or govern conduct
Legal
Co-
Social
operative
Regulation
Self Market
© SAP 2010 / Page 5

6. Why do Business’ care?
Auditing for Governance and Risk
IT Governance is concerned with how the performance and risk of an IT landscape is
administered.
Processes
Institutions Customs
Governance
Laws Policies
© SAP 2010 / Page 6

7. Why do Business’ care?
Auditing for Security
IT Security in Cloud is mainly concerned with data access and user privileges, in both
the physical and virtual layers.
Technical
Admin Security Physical
Virtual
© SAP 2010 / Page 7

8. Past
deep dive
 User
 Access Rights
 Policies
 Reporting, Logging
 Network
 VPN, Firewall, Intrusion Detection
 Event Logging
 Application
 User Privileges
 Logging (Access, Transactions, Change Management)
 DB
 User Privileges
 Security Policies (Password Encryption, Data Encryption)
 Logging (Access, Record Management)
 Data Replication
© SAP 2010 / Page 8

9. Auditing was hard but now :
1:1 mapping doesn’t exist anymore
• Ex: VMs, Virtual Landscapes, etc..
What typically used to be static is not anymore
• Ex: Dynamic change of IP, domain, Datacenter, server etc.
Audit Analysis – Data Storm problem
• How to retrieve, correlate and extract meaningful data from a ever increasing
number of data sources.
• Tracking change becomes a priority
Auditing is becoming a service
• Consumers may need to track the Business Processes across multiples providers,
an audit trail may span multiple domains
© SAP 2010 / Page 9

10. Services: The New Delivery Model
• License model
• Customization required
Past Software • Managed by customer:
• customer buys application.
as Product
• Pay per use / Subscription model
• Remote delivery
Present Software • Managed by service provider:
• customer buys access to application
as Service
• Composite Services
• Business-process-focused
Future Business • Services provisioned by service provider:
• customer buys a service with no awareness of application.
Services
© SAP 2010 / Page 10

11. Present
deep dive
(taken from 2006 JavaOne Conference | Session TS-1591)
 Business Continuity
 Contract of BC Procedures
 Disaster Recovery Procedures
 Permissions of External Services
 Logging (Access, Data Management)
© SAP 2010 / Page 11

12. Future?
outlook
Adapted from (Chris Hoff - Draft v4.0)
© SAP 2010 / Page 12

13. Data Confidentiality, Privacy, Integrity
Problems:
• Data stored, transmitted and processed outside of the organisation
• Shared computing environments
• No physical control of data
• Physical and logical access managed by the provider
• No controls to prevent data modification
• No logging events on data (access, modification, transmission)
Implementation Challenges:
• Data logging and monitoring
• Separation of user directories and access control
• Data security (encryption, key management, digital signatures)
• Access control & reviews (firewalls, VPN)
• Data Isolation
• Define standards (information classification, encryption)
• Procedural reviews (redundancy, error recovery)
© SAP 2010 / Page 13

14. Service Availability
Problems:
Network connectivity
Bottlenecking
Multi-tenancy
Availability
Limited ability for change control
Provider viability
Reliance on provider’s disaster recovery procedures
Implementation Challenges:
Caching to address potential network issues
SLAs
ISP Network Availability
Change Control Process
Multiple Providers
Data Retrieval Process
© SAP 2010 / Page 14

15. Regulations and Compliance
Problems:
Data subject to new laws
Exposure to foreign governments and subpoenas
Retention requirements vary among jurisdictions
Audit of provider’s environment
Increased complexity to comply with standards
Implementation Challenges
Storage and transmission policies for jurisdictions
Agreement for privacy laws
Provider security certifications
External Audit review
Limit types of data transmission
© SAP 2010 / Page 15

16. Problems arising from Cloud for Auditing
Compliance,
IT Auditing Governance,
Regulation,
Security & Risk
Application Change Patch
Licensing SLAs Networking Fraud
Controls Management Management
Privacy Identity Access
Outsourcing Compensation
Assurance
Prevention
Business
Management
Improve Assess Continuity
Responsibility Performance Deficiency
Risk
Regulation
© SAP 2010 / Page 16

17. Challenges for Auditing in Cloud
Federation of
Architecture
audit logs Compliance Audit-based
and protocols
from analysis of access of
for storage
distributed federated physical /
and retrieval
sources audit logs for network-
of secure
across SLA’s and based
distributed
multiples Regulation resources
audit logs
domains
© SAP 2010 / Page 17

18. Thank you!
Jonathan Sinclair
Research Associate
SAP Research CEC Belfast
SAP [UK] Ltd
The Concourse, Queen‘s Road
Queen‘s Island, Titanic Quarter
Belfast BT3 9DT
T +44 (0)28 9078 5749
F +44 (0)28 9078 5777
E jonathan.sinclair@sap.com
www.sap.com/research
© SAP 2010 / Page 18