
A Unified Approach Toward Security Audit and Compliance in Cloud Computing

  • Review paper
  • Journal of The Institution of Engineers (India): Series B

Abstract

Over the past decade, cloud computing has evolved from concept to reality and become a reliable information technology solution, providing numerous services and resources on a pay-as-you-use basis. Despite increasing demand and popularity, cloud adoption is hindered mainly by security concerns. Successful cloud adoption and uncomplicated operation are possible only if users, intermediaries, and service providers act reliably according to regulations and honour the shared responsibility policy. The biggest challenge in the audit and assurance of cloud computing is the lack of a de facto approach that meets an enterprise’s requirements. This paper focuses on the challenges and effectiveness of audit and assurance by conducting an exploratory study of industry best practices, auditing standards, required certifications, and regulatory compliance frameworks such as GDPR, Sarbanes–Oxley, ENISA, ISO 27001, NIST, EU-SEC, OWASP, BSI C5, CIS, ANSSI, HIPAA, CCM, CSA STAR, PCI DSS, COBIT, and SOC in a cloud environment, and classifying them on the basis of applicability. We provide general guidelines on auditing standards by referring to the threats and vulnerabilities analysed, and suggest a unified approach toward audit considerations in cloud computing environments.


Availability of Data and Material

No such data were used.


Acknowledgments

The authors would like to thank PSOM Technologies Private Limited, Bengaluru, India; the Department of Electronics and Communication and Engineering, A J Institute of Engineering and Technology; the Department of Computer Science and Engineering, NMAMIT NITTE; and Upgrad Education Private Limited, Nishuvi, 75, Dr. Annie Besant Road, Worli, Mumbai, for their support in carrying out the research work.

Funding

No funding.

Author information


Corresponding author

Correspondence to V. G. Kiran Kumar.

Ethics declarations

Conflicts of Interest/Competing Interests

The authors declare that they have no conflicts of interest.

Consent for Publication

Authors give consent for publication in the journal.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.


About this article


Cite this article

Rajesh, Y.S., Kumar, V.G.K. & Poojari, A. A Unified Approach Toward Security Audit and Compliance in Cloud Computing. J. Inst. Eng. India Ser. B (2024). https://doi.org/10.1007/s40031-024-01034-x


  • DOI: https://doi.org/10.1007/s40031-024-01034-x
