Monday, July 19, 2010

Assurance Considerations for Cloud Computing

The paradigm change, and the nature of the services delivered through cloud computing, present many challenges for
assurance providers. What can be done to improve the assurance professional’s ability to give direct and indirect users
of cloud computing trust in the software services and infrastructure that make up the cloud?
Some of the key assurance issues that will need to be addressed are:
• Transparency—Service providers must demonstrate the existence of effective and robust security controls, assuring
customers that their information is properly secured against unauthorized access, change and destruction. Key questions
to decide are: How much transparency is enough? What needs to be transparent? Will transparency aid malefactors?
Key areas where supplier transparency is important include: What employees (of the provider) have access to
customer information? Is segregation of duties between provider employees maintained? How are different customers’
information segregated? What controls are in place to prevent, detect and react to breaches?
• Privacy—With privacy concerns growing across the globe, it will be imperative for cloud computing service providers
to prove to existing and prospective customers that privacy controls are in place, and to demonstrate their ability to
prevent, detect and react to breaches in a timely manner. Reporting and escalation channels between provider and
customer need to be in place and agreed on before service provisioning commences, and these channels should be tested
periodically during operations.
• Compliance—Most organizations today must comply with a litany of laws, regulations and standards. With cloud
computing, data may not be stored in one place and may not be easily retrievable. It is critical to ensure that if data are
demanded by authorities, they can be produced without exposing unrelated information. Audits conducted by legal,
standards and regulatory authorities themselves show that such seizures can involve considerable overreach. When
using cloud services there is no guarantee that an enterprise can obtain its information when needed, and some
providers are even reserving the right to withhold information from authorities.
• Trans-border information flow—When information can be stored anywhere in
the cloud, the physical location of the information can become an issue. Physical
location dictates jurisdiction and legal obligation. Country laws governing personally
identifiable information (PII) vary greatly. What is allowed in one country can be a
violation in another.
• Certification—Cloud computing service providers will need to provide their customers assurance that they are doing
the “right” things. Independent assurance from third-party audits and/or service auditor reports should be a vital part of
any assurance program.
The use of standards and frameworks will help businesses gain assurance around their cloud computing supplier’s
internal controls and security. At the time of writing, there are no publicly available standards specific to the cloud
computing paradigm. However, existing standards should be consulted to address the relevant areas and businesses
should look to adjust their existing control frameworks. Cloud computing represents a rare opportunity to rework security
and IT controls for a better tomorrow. Many businesses will no doubt grab this opportunity to improve both efficiency
and built-in security of their IT portfolio.
