Abstract
The use of cloud computing has become a reliable information technology solution over the past decade by providing numerous services and resources on a pay-as-you-use basis and evolving from concept to reality. Despite increasing demand and popularity, the adoption of the cloud is hindered mainly by security concerns. Successful cloud adoption and uncomplicated operation are possible if users, intermediaries, and service providers act reliably according to regulations by assuring shared responsibility policy. The biggest challenge in the audit and assurance of cloud computing is the lack of a de facto approach to meet an enterprise’s requirements. The primary focus is on the challenges and effectiveness of audit and assurance by conducting an exploratory study on industry best practices, auditing standards, required certifications, and regulatory compliance frameworks like GDPR, Sarbanes–Oxley, ENISA, ISO 27001, NIST, EU-SEC, OWASP, BSI C5, CIS, ANSSI, HIPAA, CCM, CSA STAR, PCI DSS, COBIT, and SOC in a cloud environment and classifying on basis of applicability. In this research paper, we provide general guidelines on auditing standards by referring to threads and vulnerabilities analyzed and suggesting a unified approach toward audit considerations in cloud computing environments.
Similar content being viewed by others
Availability of Data and Material
No such data were used.
References
H.A.S. Ahmed, M.H. Ali, L.M. Kadhum, M.F. Zolkipli, Y.A. Alsariera, A review of challenges and security risks of cloud computing. J. Telecommun. Electron. Comput. Eng. 9(1–2), 87–91 (2017)
A.R. Alobaidi, Z.N. Nuimi, Cloud computing security based on OWASP. 2022 5th International Conference on Computing and Informatics (ICCI) (2022), p. 22–28
M. Anisetti, C.A. Ardagna, E. Damiani, F. Gaudenzi, A security benchmark for openstack. 2017 IEEE 10th International Conference on Cloud Computing (CLOUD) (2017), p. 294–301
M. Moghadasi, S. Majid, G. Fazekas, Cloud computing auditing roadmap and process. Int. J. Adv. Comput. Sci. Appl. 9 (2018). https://doi.org/10.14569/IJACSA.2018.091265
R. Kumar, R. Goyal, On cloud security requirements, threats, vulnerabilities and countermeasures: a survey. Comput. Sci. Rev. 33, 1–48 (2019). https://doi.org/10.1016/j.cosrev.2019.05.002
U.M. Ismail, S. Islam, A unified framework for cloud security transparency and audit. J. Inf. Secur. Appl. 54, 102594 (2020)
G. Mateescu, V. Sgârciu, Cloud computing audit. Sci. Bull. UPB Ser. C: Electr. Eng. 77(3) (2015)
N. Carter, Auditing the ISO 19011 Way (BSI British Standards Institution, 2003)
J. Ryoo, S. Rizvi, W. Aiken, J. Kissell, Cloud security auditing: challenges and emerging approaches. IEEE Secur. Priv. 12(6), 68–74 (2014). https://doi.org/10.1109/MSP.2013.132
X. Kontargyris, IT Laws in the Era of Cloud-Computing: A Comparative Analysis between EU and US Law on the Case Study of Data Protection and Privacy (Nomos) (Schriften der Albrecht Mendelssohn Bartholdy Graduate School of Law, 2018)
D. Yimam, E.B. Fernandez, A survey of compliance issues in cloud computing. J. Internet Serv. Appl. 7(1), 1–12 (2016)
S. Karkosková, Towards cloud computing management model based on ITIL processes. in Proceedings of the 2nd International Conference on Business and Information Management (2018)
N. Cook, D. Milojicic, V. Talwar, Cloud management. J. Internet Serv. Appl. 3(1), 67–75 (2012)
T. Forell, D. Milojicic, V. Talwar, Cloud management: challenges and opportunities. 2011 IEEE International Symposium on Parallel and Distributed Processing Workshops and Phd Forum (2011), p. 881–889
S. Ismaeel, A. Miri, D. Chourishi, S.M.R. Dibaj, Open source cloud management platforms: a review. 2015 IEEE 2nd International Conference on Cyber Security and Cloud Computing (2015), p. 470–475
M. Niranjanamurthy, M.P. Amulya, N.M. Niveditha, P. Dayananda, Creating a custom virtual private cloud and launch an Elastic Compute Cloud (EC2) instance in your virtual private cloud. J. Comput. Theor. Nanosci. (American Scientific publishers), 17(15), 4565–4570 (2020). https://doi.org/10.1166/jctn.2020.9106
R. Los, D. Shackleford, B. Sullivan, The notorious nine cloud computing top threats in 2013. Cloud Secur. Alliance, 2 (2013)
S.O. Kuyoro, F. Ibikunle, O. Awodele, Cloud computing security issues and challenges. Int. J. Comput. Netw. 3(5), 247–255 (2011)
A. Dutta, G.C.A. Peng, A. Choudhary, Risks in enterprise cloud computing: the perspective of IT experts. J. Comput. Inf. Syst. 53(4), 39–48 (2013)
N. Tissir, S. el Kafhali, N. Aboutabit, Cybersecurity management in cloud computing: semantic literature review and conceptual framework proposal. J. Reliab. Intell. Environ. 7(2), 69–84 (2021)
M. Chiregi, N. Jafari Navimipour, Cloud computing and trust evaluation: a systematic literature review of the state-of-the-art mechanisms. J. Electr. Syst. Inf. Technol. (2018)
T. Rübsamen, Evidence-Based Accountability Audits for Cloud Computing. (Doctoral Dissertation, University of Plymouth, 2016)
F. Simetinger, Audit and assurance specifics in cloud-based industry 4.0 environment. J. Syst. Integr. 9(3), 7–17 (2018). https://doi.org/10.20470/jsi.v9i3.349
L. M. Brumă, “Cloud security audit – issues and challenges,” 2021 16th International Conference on Computer Science & Education (ICCSE), Lancaster, United Kingdom, pp. 263–266 (2021). https://doi.org/10.1109/ICCSE51940.2021.9569654
U.M. Ismail, S. Islam, H. Mouratidis, Cloud Security Audit for Migration and Continuous Monitoring. 2015 IEEE Trustcom/BigDataSE/ISPA, vol. 1 (2015), p. 1081–1087. https://doi.org/10.1109/Trustcom.2015.486
F. Doelitzscher, Security audit compliance for cloud computing. University of Plymouth 2014 Phd Thesis., PEARL (2014)
A. Nagar, K.P. Joshi, A semantically rich knowledge representation of PCI DSS for cloud services. 6th International IBM Cloud Academy Conference ICACON 2018, Japan (2018)
G. Ataya, PCI DSS audit and compliance. Inf. Secur. Tech. Rep. 15(4), 138–144 (2010)
L. Elluri, K.P. Joshi, A knowledge representation of cloud data controls for EU GDPR compliance. 2018 IEEE World Congress on Services (SERVICES) (2018), p. 45–46
S. Islam, M. Ouedraogo, C. Kalloniatis, H. Mouratidis, S. Gritzalis, Assurance of security and privacy requirements for cloud deployment models. IEEE Trans. Cloud Comput. 6(2), 387–400 (2018). https://doi.org/10.1109/TCC.2015.2511719
H.M. Melaku, Context-based and adaptive cybersecurity risk management framework. Risks (2023)
M. Barati, O. Rana, Checking GDPR compliance for cloud-based services. 2021 IEEE World Congress on Services (SERVICES) (2021), p. 2
D. Kim, K.P. Joshi, A semantically rich knowledge graph to automate hipaa regulations for cloud health it services. in 2021 7th IEEE Intl Conference on Big Data Security on Cloud (BigDataSecurity), IEEE Intl Conference on High Performance and Smart Computing (HPSC) and IEEE Intl Conference on Intelligent Data and Security (IDS) (2021), p. 7–12
M. Kelly, E. Furey, K. Curran, How to achieve compliance with gdpr article 17 in a hybrid cloud environment. Science 3(1), 3 (2021)
C. Mitchell, Privacy, compliance and the cloud. Guide to Security Assurance for Cloud Computing (2015), p. 3–14
S. Okour, The impact of the application of IT governance according to (COBIT 5) framework in reduce cloud computing risks. Mod. Appl. Sci. 13(7), 25 (2019)
P. Olajide, PCI DSS compliance validation of different levels of merchants in a multi-tenant private cloud (2013)
M. Piazza, J. Fernandes, J. Anderson, A. Olmsted, Cloud payment processing without ritualistic sacrifices reducing PCI-DSS risk surface with thin clients. 2016 International Conference on Information Society (i-Society) (2016), p. 166–168
C.E. Pugh, M. Hilley, Regulatory Compliance and Total Cost Influence on the Adoption of Cloud Technology: A Quantitative Study [Doctoral dissertation, Capella University]. In ProQuest Dissertations and Theses. (2021). https://www.proquest.com/dissertations-theses/regulatory-compliance-total-cost-influence-on/docview/2572572997/se-2
G.A. Reid, S. Miller, Improving HIPAA Compliance Efforts with Modern Cloud Technologies [(Doctoral dissertation, Capitol Technology University).]. In ProQuest Dissertations and Theses. (2021). https://www.proquest.com/dissertations-theses/improving-hipaa-compliance-efforts-with-modern/docview/2595993643/se-2?accountid=12118
C. Racuciu, S. Eftimie, Security threats and risks in cloud computing. Sci. Bull. Mircea Cel Batran Nav. Acad. 18(1), 105 (2015)
R. Ahmad, Cloud Security and Governance. Metropolia University of Applied Sciences, Master’s Thesis (Information Technology), (2021)
S. Subashini, V. Kavitha, A survey on security issues in service delivery models of cloud computing. J. Netw. Comput. Appl. 34(1), 1–11 (2011)
L. Schubert, Ustutt-Hlrs, K.G. Jeffery, B.K. Neidecker-Lutz, L. Schubert, E. Ustutt-Hlrs, A Roadmap for Advanced Cloud Technologies Under H 2020 Recommendations by the Cloud Expert Group (2012)
D. Wang, D. Zhong, L. Li, A Comprehensive Study of the Role of Cloud Computing on the Information Technology Infrastructure Library (ITIL) Processes (Library Hi Tech, 2021)
R. Wu, G.-J. Ahn, H. Hu, Towards HIPAA-compliant healthcare systems in cloud computing. Int. J. Comput. Models Algorithms Med. 3(2), 1–22 (2012)
G. Weir, A. Aßmuth, M. Whittington, B. Duncan, Cloud accounting systems, the audit trail, forensics and the EU GDPR: how hard can it be? British Accounting & Finance Association (BAFA) Annual Conference 2017 (2017)
Acknowledgments
The authors would like to thank PSOM Technologies Private Limited, Bengaluru, India, the Department of Electronics and Communication and Engineering, A J Institute of Engineering and Technology, Department of Computer Science and Engineering, NMAMIT NITTE, and Upgrad Education Private Limited, Nishuvi, 75, Dr. Annie Besant Road, Worli, Mumbai, for the support for carrying out the research work
Funding
No funding.
Author information
Authors and Affiliations
Corresponding author
Ethics declarations
Conflicts of Interest/Competing Interests
The authors declare that they have no conflicts of interest.
Consent for Publication
Authors give consent for publication in the journal.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
Rajesh, Y.S., Kumar, V.G.K. & Poojari, A. A Unified Approach Toward Security Audit and Compliance in Cloud Computing. J. Inst. Eng. India Ser. B (2024). https://doi.org/10.1007/s40031-024-01034-x
Received:
Accepted:
Published:
DOI: https://doi.org/10.1007/s40031-024-01034-x