



Cloud Audit and Compliance
CA Anand Prakash Jangid
anand@quadrisk.com

• Cloud Computing & Risk
• Auditing the cloud
• Audit consideration in cloud environment
• Questions
• Cloud & compliance

The Future is not what it used to be

"I think there is a world market for maybe five computers."
o Thomas Watson, Chairman of IBM, 1943

"There is no reason why anyone would want a computer in the home."
o Ken Olsen, President, Chairman and founder of Digital Equipment Corporation, 1977

"640K should be enough for anybody."
o Bill Gates, 1981

"So far, Java seems like a stinker to me... I have a hunch that it won't be a very successful language."
o Paul Graham, Author
• GE: Global procurement hosting 500k suppliers and 100k users in six languages on a SaaS platform to manage $55B/yr in spend
• Eli Lilly: Using Amazon Web Services, can deploy a new server in 3 min vs 50 days and a 64-node Linux cluster in 5 min vs 100 days
• Nasdaq: Using Amazon Storage to store 30-80 TB/day of trading
• The cloud acts as a big black box: nothing inside the cloud is visible to the clients
• Clients have no idea of, or control over, what happens inside a cloud
• Even if the cloud provider is honest, it can have malicious system admins who can tamper with the VMs and violate confidentiality and integrity
• Clouds are still subject to traditional data confidentiality, integrity, availability and privacy issues, plus some additional attacks

• Also a massive concentration of risk
o Expected loss from a single breach can be significantly larger
o Concentration of "users" represents a concentration of threats
• "Ultimately, you can outsource responsibility but you can't outsource accountability."

Why should we worry about Cloud???


• SA 300 - Planning an Audit of Financial Statements
• SA 315 - Identifying and assessing the risk of material misstatement through understanding the entity and its environment
• SA 402 - Audit considerations relating to an entity using a service organization

• .... effect of information technology on the audit procedures, including the availability of data and the expected use of computer assisted audit techniques.
• .... management's commitment to the design, implementation and maintenance of sound internal control, including evidence of appropriate documentation of such internal control.
Controls in IT systems consist of a combination of automated controls (for example, controls embedded in computer programs) and manual controls. Further, manual controls may be independent of IT, may use information produced by IT, or may be limited to monitoring the effective functioning of IT and of automated controls, and to handling exceptions.

When IT is used to initiate, record, process or report transactions, or other financial data for inclusion in financial statements, the systems and programs may include controls related to the corresponding assertions for material accounts or may be critical to the effective functioning of manual controls that depend on IT.
Information Technology also poses specific risks to an entity's internal control, including, for example:
• Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both.
• Unauthorised access to data that may result in destruction of data or improper changes to data, including the recording of unauthorised or nonexistent transactions, or inaccurate recording of transactions. Particular risks may arise where multiple users access a common database.
• The possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties, thereby breaking down segregation of duties.
• Unauthorised changes to data in master files.
• Unauthorised changes to systems or programs.
• Failure to make necessary changes to systems or programs.
• Inappropriate manual intervention.
• Potential loss of data or inability to access data as required.

Para 3: "Services provided by a service organization are relevant to the audit of a user entity's financial statements when those services, and the controls over them, are part of the user entity's information system, including related business processes, relevant to financial reporting"

Para 5: Information available on general controls and computer systems controls relevant to the client's applications

Para 34 of SA 400
• Confidentiality
o Fear of loss of control over data
  • Will the sensitive data stored on a cloud remain confidential?
  • Will cloud compromises leak confidential client data?
o Will the cloud provider itself be honest and not peek into the data?

• Integrity
o How do I know that the cloud provider is doing the computations correctly?
o How do I ensure that the cloud provider really stored my data without tampering with it?

• Availability
o Will critical systems go down at the client if the provider is attacked in a Denial of Service attack?
o What happens if the cloud provider goes out of business?
o Would the cloud scale well enough?
o Often-voiced concern, although cloud providers argue their downtime compares well with cloud users' own data centers
• Privacy issues raised via massive data mining
o The cloud now stores data from a lot of clients, and can run data mining algorithms to get large amounts of information on clients

• Increased attack surface
o An entity outside the organization now stores and computes data, and so
o Attackers can now target the communication link between cloud provider and client
o Cloud provider employees can be phished

• Auditability and forensics (out of control of data)
o Difficult to audit data held outside the organization in a cloud
o Forensics also made difficult since clients no longer maintain data locally

• Legal quagmire and transitive trust issues
o Who is responsible for complying with regulations?
  • e.g., IT Act, Companies Act, SOX, HIPAA, GLBA, ...
o If the cloud provider subcontracts to third-party clouds, will the data still be secure?
"Cloud Computing is a security nightmare and it can't be handled in traditional ways."
o John Chambers, Cisco CEO

• Security is one of the most difficult tasks to implement in cloud computing.
o Different forms of attacks on the application side and in the hardware components
• Attacks with catastrophic effects need only one security flaw
• Contractual discrepancies and gaps between business expectations and service provider capabilities
• Control gaps between processes performed by the service provider and the organization
• Compromised system security and confidentiality
• Invalid transactions or transactions processed incorrectly
• Costly compensating controls
• Reduced system availability and questionable integrity of information
• Poor software quality, inadequate testing and a high number of failures
• Failure to respond to relationship issues with optimal and approved decisions
• Insufficient allocation of resources
• Unclear responsibilities and accountabilities
• Litigation, mediation or termination of the agreement, resulting in added costs and/or business disruption and/or total loss of the organization
• Inability to satisfy the audit/assurance charter and the requirements of regulators or external auditors
• Reputation
• Fraud
[Diagram: NIST SP 500-292 cloud computing reference architecture, showing the actors and their components]
• Cloud Consumer
• Cloud Auditor: Security Audit, Privacy Impact Audit, Performance Audit
• Cloud Provider
o Cloud Orchestration: Service Layer (SaaS, PaaS, IaaS); Resource Abstraction and Control Layer; Physical Resource Layer (Hardware, Facility)
o Cloud Service Management: Business Support; Provisioning/Configuration; Portability/Interoperability
• Cloud Broker: Service Intermediation, Service Aggregation, Service Arbitrage
• Cloud Carrier
• Cross Cutting Concerns: Security, Privacy, etc.
Top threats to cloud computing (as catalogued by the Cloud Security Alliance):
• Data Breaches
• Denial of Service
• Data Loss
• Account or Service Traffic Hijacking
• Insecure Interfaces and APIs
• Malicious Insiders
• Abuse of Cloud Services
• Insufficient Due Diligence
• Shared Technology Vulnerabilities

Control domains of the CSA Cloud Controls Matrix:
• Application and Interface Security
• Data Security and Information Lifecycle Management
• Audit Assurance and Compliance
• Business Continuity Management
• Change Control and Configuration Management
• Datacenter Security
• Encryption and Key Management
• Governance and Risk Management
• Human Resources
• Identity and Access Management
Risk Based Audit Approach
• Identify risks that are present in the cloud environment
o Inherent Risks - risks that arise naturally
o Controllable Risks - risks arising due to insufficient internal controls
• Identify controls that are in place to treat the identified risks
• Examine policy and procedure documents that are maintained for the cloud environment
• Perform sampling on the controls to determine design and operating effectiveness and gather audit evidence (SA 500 - Audit Evidence, SA 530 - Audit Sampling)
• Prepare a report and present it to the entity

Identify controls that are in place to treat the identified risk
o RCM Approach - Risk Control Matrix
• A Risk Control Matrix is a matrix of the controls in place for each identified risk
• CCM v3 - Cloud Controls Matrix Version 3
o www.cloudsecurityalliance.org
o A matrix published by the Cloud Security Alliance listing all the controls that should be in place for an optimal cloud environment
o It also shows the compliance of controls mapped to statutes, standards and frameworks: ISO 27001, SSAE 16, PCI DSS, Indian IT Act, HIPAA
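To make the RCM approach concrete, here is an added Python illustration (not code from the presentation or from the Cloud Security Alliance) of a small risk control matrix: it flags identified risks that no control treats, reports which risks stay untreated when only the controls mapped to one framework are relied on, and applies a simple attribute-sampling verdict of the kind SA 530 sampling produces. The risks, controls, mappings and sample results are constructed for the example; the control IDs are placeholders, not CCM v3 identifiers.

```python
"""Risk Control Matrix (RCM) helper for a cloud audit.

Added illustration only: not code from the presentation or from the Cloud
Security Alliance. Risk wording follows the SA 315 list on the slides, control
domains follow the CCM domain list and framework names follow the CCM mapping
slide; the control IDs, risk/framework mappings and sample results are
constructed for this example.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    cid: str                     # placeholder ID, not a real CCM v3 control ID
    domain: str                  # CCM control domain the control sits in
    risks: set = field(default_factory=set)       # risks this control treats
    frameworks: set = field(default_factory=set)  # statutes/standards mapped


# Constructed set of risks identified for the cloud environment.
RISKS = {
    "unauthorised access to data",
    "unauthorised changes to systems or programs",
    "IT privileges beyond assigned duties (segregation of duties)",
    "loss of data or inability to access data",
}

# Constructed RCM rows: which control treats which risk, and which frameworks
# each control is mapped to.
CONTROLS = [
    Control("CTL-01", "Identity and Access Management",
            {"unauthorised access to data",
             "IT privileges beyond assigned duties (segregation of duties)"},
            {"ISO 27001", "PCI DSS", "HIPAA"}),
    Control("CTL-02", "Change Control and Configuration Management",
            {"unauthorised changes to systems or programs"},
            {"ISO 27001", "SSAE 16"}),
    Control("CTL-03", "Encryption and Key Management",
            {"unauthorised access to data"},
            {"PCI DSS", "HIPAA", "Indian IT Act"}),
]


def control_gaps(risks, controls):
    """Identified risks that no control treats: these go into the report."""
    treated = set().union(*(c.risks for c in controls))
    return sorted(risks - treated)


def framework_coverage(risks, controls, framework):
    """Controls mapped to `framework`, and the risks still untreated when only
    those controls are relied on (e.g. for a review scoped to one statute)."""
    mapped = [c for c in controls if framework in c.frameworks]
    return sorted(c.cid for c in mapped), control_gaps(risks, mapped)


def operating_effectiveness(sample, tolerable_deviations=0):
    """Attribute-sampling verdict in the spirit of SA 530: the control is
    judged to operate effectively only if the deviations found in the sample
    do not exceed the tolerable number. `sample` holds one bool per item
    tested (True = the control operated as designed for that item)."""
    deviations = sum(1 for ok in sample if not ok)
    return {"sampled": len(sample), "deviations": deviations,
            "effective": deviations <= tolerable_deviations}


if __name__ == "__main__":
    print("Control gaps:", control_gaps(RISKS, CONTROLS))
    for fw in ("ISO 27001", "SSAE 16", "PCI DSS", "Indian IT Act", "HIPAA"):
        ids, gaps = framework_coverage(RISKS, CONTROLS, fw)
        print(f"{fw}: controls {ids}; untreated risks {gaps}")
    # Constructed evidence: 25 change tickets sampled, one lacked approval.
    print("CTL-02:", operating_effectiveness([True] * 24 + [False]))
```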
When are these opportunities??

"Half our life is spent trying to find something to do with the time we have rushed through life trying to save."
o Will Rogers

Questions???

Anand Prakash Jangid | anand@quadrisk.com | +919620233516
www.quadrisk.com

Editor's Notes

#2: NIST SP 500-292. This body of work brought together the various stakeholders to develop a taxonomy to communicate the components and offerings of cloud computing in a vendor-neutral way. It does not seek to stifle innovation by defining a prescribed technical solution. It is an actor/role-based model with the architectural components necessary for managing and providing cloud services, such as service deployment, service orchestration, cloud service management, security and privacy. A Cloud Consumer is an individual or organization that acquires and uses cloud products and services. The purveyor of products and services is the Cloud Provider. The Cloud Broker acts as the intermediary between consumer and provider, helps consumers through the complexity of cloud service offerings, and may also create value-added cloud services. The Cloud Auditor provides a valuable inherent function for the government by conducting independent performance and security monitoring of cloud services. The Cloud Carrier is the organization that has the responsibility of transferring the data, akin to the power distributor for the electric grid.