Understanding Cloud Audits

  • Frank Doelitzscher (corresponding author)
  • Christoph Reich
  • Martin Knahl
  • Nathan Clarke
Chapter
Part of the Computer Communications and Networks book series (CCN)

Abstract

Audits of IT infrastructures can mitigate security problems and establish trust in a provider's infrastructure and processes. Cloud environments in particular suffer from a lack of trust, because their architectures are opaque to the customer and the security and privacy measures taken by the provider are not visible or are absent. Traditional audits, however, do not cover cloud-specific security. To provide a secure and trustworthy cloud environment, audit tasks need knowledge of their environment and of cloud-specific characteristics. Furthermore, they need to be automated wherever possible so that they can run on a regular schedule and also immediately when a relevant infrastructure event takes place, such as the deployment of a new cloud instance. This chapter presents research on cloud-specific security problems and cloud audits, analyses how traditional audits must change to address cloud-specific attributes, and presents the agent-based "Security Audit as a Service" architecture as a solution to the identified problems.
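The abstract describes two properties an automated cloud audit needs: checks that carry knowledge of their environment (which tenant an instance belongs to, which regions and services its policy allows) and execution that is both scheduled and event-driven, firing as soon as an instance is deployed. The following Python example, added here to illustrate that pattern, is not the chapter's Security Audit as a Service implementation; the event dictionary shape, the policy keys (`allowed_regions`, `allowed_ports`), the check names and the sample instances are assumptions constructed for this example.

```python
"""Event-driven cloud audit dispatcher (illustrative example, not the chapter's code).

Checks receive the instance under audit plus its tenant's policy, so they
have the environment knowledge a cloud-aware audit needs. The dispatcher runs
checks immediately on an infrastructure event (instance deployed) and again
on a periodic sweep over all known instances.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class Instance:
    instance_id: str
    tenant: str
    region: str
    open_ports: tuple  # listening TCP ports observed on the instance


@dataclass(frozen=True)
class Finding:
    check: str
    instance_id: str
    severity: str
    detail: str


# A check maps (instance, tenant policy) to zero or more findings.
Check = Callable[[Instance, dict], List[Finding]]


def check_data_location(inst: Instance, policy: dict) -> List[Finding]:
    """Flag instances running outside the regions the tenant permits (assumed policy key)."""
    allowed = policy.get("allowed_regions", [])
    if inst.region not in allowed:
        return [Finding("data_location", inst.instance_id, "high",
                        f"runs in {inst.region}, permitted regions: {allowed}")]
    return []


def check_exposed_ports(inst: Instance, policy: dict) -> List[Finding]:
    """Flag listening ports the tenant policy does not allow (assumed policy key)."""
    allowed = set(policy.get("allowed_ports", []))
    unexpected = sorted(set(inst.open_ports) - allowed)
    if unexpected:
        return [Finding("exposed_ports", inst.instance_id, "medium",
                        f"unexpected listening ports {unexpected}")]
    return []


class AuditDispatcher:
    """Runs registered checks on infrastructure events and on a scheduled sweep."""

    def __init__(self, policies: Dict[str, dict]):
        self.policies = policies                     # tenant -> policy dict (assumed format)
        self.checks: Dict[str, Check] = {}
        self.triggers: Dict[str, Set[str]] = {}      # event type -> names of checks to run
        self.instances: Dict[str, Instance] = {}     # inventory maintained from events

    def register(self, name: str, check: Check, on_events: List[str]) -> None:
        self.checks[name] = check
        for event_type in on_events:
            self.triggers.setdefault(event_type, set()).add(name)

    def _run(self, names, inst: Instance) -> List[Finding]:
        policy = self.policies.get(inst.tenant, {})
        findings: List[Finding] = []
        for name in sorted(names):                   # deterministic order for reporting
            findings.extend(self.checks[name](inst, policy))
        return findings

    def handle_event(self, event: dict) -> List[Finding]:
        """React immediately to an infrastructure event; the dict shape is an assumption."""
        event_type = event["type"]
        if event_type == "instance.deployed":
            inst = event["instance"]
            self.instances[inst.instance_id] = inst
            return self._run(self.triggers.get(event_type, set()), inst)
        if event_type == "instance.terminated":
            self.instances.pop(event["instance_id"], None)
        return []

    def scheduled_run(self) -> List[Finding]:
        """Periodic sweep: every registered check over every instance still in the inventory."""
        findings: List[Finding] = []
        for inst in self.instances.values():
            findings.extend(self._run(self.checks.keys(), inst))
        return findings


def demo() -> dict:
    """Constructed sample data: one tenant policy, one non-compliant and one clean deployment."""
    policies = {"tenant-a": {"allowed_regions": ["eu-central"], "allowed_ports": [22, 443]}}
    dispatcher = AuditDispatcher(policies)
    dispatcher.register("data_location", check_data_location, ["instance.deployed"])
    dispatcher.register("exposed_ports", check_exposed_ports, ["instance.deployed"])

    bad = Instance("i-001", "tenant-a", "us-east", (22, 443, 3306))   # wrong region, DB port open
    good = Instance("i-002", "tenant-a", "eu-central", (22, 443))
    on_deploy_bad = dispatcher.handle_event({"type": "instance.deployed", "instance": bad})
    on_deploy_good = dispatcher.handle_event({"type": "instance.deployed", "instance": good})
    dispatcher.handle_event({"type": "instance.terminated", "instance_id": "i-002"})
    sweep = dispatcher.scheduled_run()               # only i-001 is left in the inventory
    return {"bad": on_deploy_bad, "good": on_deploy_good, "sweep": sweep}


if __name__ == "__main__":
    for key, findings in demo().items():
        print(key, [(f.check, f.severity, f.detail) for f in findings])
```

The point of the split between `handle_event` and `scheduled_run` is that an instance deployed into the wrong region is reported at deployment time rather than at the next periodic audit, while the sweep still catches drift (a port opened later) on instances that were compliant when deployed. Terminated instances drop out of the inventory so the sweep does not report on resources that no longer exist.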

Keywords

Audit, Cloud security, Security Audit as a Service, Trust

Notes

Acknowledgement

This research is supported by the German Federal Ministry of Education and Research (BMBF) through the research grant number 01BY1116.

Copyright information

© Springer-Verlag London 2013

Authors and Affiliations

  • Frank Doelitzscher (1, corresponding author)
  • Christoph Reich (1)
  • Martin Knahl (1)
  • Nathan Clarke (2, 3)
  1. Cloud Research Lab, Furtwangen University, Furtwangen im Schwarzwald, Germany
  2. Centre for Security, Communications and Network Research, University of Plymouth, Plymouth, UK
  3. School of Computing and Security, Edith Cowan University, Perth, Australia