Auditing Cloud Computing
eBook - ePub

A Security and Privacy Guide
About this book

The auditor's guide to ensuring correct security and privacy practices in a cloud computing environment

Many organizations are reporting or projecting a significant cost savings through the use of cloud computing—utilizing shared computing resources to provide ubiquitous access for organizations and end users. Just as many organizations, however, are expressing concern with security and privacy issues for their organization's data in the "cloud." Auditing Cloud Computing provides necessary guidance to build a proper audit to ensure operational integrity and customer data protection, among other aspects, are addressed for cloud based resources.

  • Provides the guidance auditors need to address the security and privacy aspects that, through a proper audit, can provide a specified level of assurance for an organization's resources
  • Reveals effective methods for evaluating the security and privacy practices of cloud services
  • A cloud computing reference for auditors and IT security professionals, as well as those preparing for certification credentials, such as Certified Information Systems Auditor (CISA)

Timely and practical, Auditing Cloud Computing expertly provides information to assist in preparing for an audit addressing cloud computing security and privacy for both businesses and cloud based service providers.

Information

Editor
Ben Halpert
Publisher
Wiley
Year
2011
Print ISBN
9780470874745
eBook ISBN
9781118116043
Edition
1
Subtopic
Auditing
Chapter 1
Introduction to Cloud Computing
Omkhar Arasaratnam
Cloud computing has taken the IT world by storm. Often viewed as the utopia of utility computing, cloud computing offers flexibility and financial benefits second to none. It also lowers the entry point to high performance computing, allowing organizations to leverage computing power that they have neither the capital budget nor operational expertise to acquire. This chapter provides background as to where cloud computing came from, what cloud computing is, and discusses some of the advantages and challenges with cloud computing.
History
Computing has evolved significantly over the last 60 years. In the early days, a large central computer would be used by an entire company. This gradually evolved to departmental computers in the 1970s and later personal computers in the 1980s and 1990s. Although cloud computing is a new term, as a concept it was predicted by computer scientist John McCarthy in the 1960s. McCarthy asserted: "Computation may someday be organized as a public utility."
McCarthy had the foresight to predict what we today refer to as cloud computing. In the mid-1960s, Intel co-founder Gordon E. Moore famously predicted that the number of transistors (or computing power) that could be inexpensively placed on an integrated circuit would double every two years. This is commonly known as Moore's law. By the late 1990s, Moore's law had guided computing to heights beyond many organizations' predictions. Much of this demand was fueled by the now popular World Wide Web (WWW), which brought an age of networking and collaboration that had not been seen before.
By the mid-2000s, many organizations, typically very large IT or academic organizations, had discovered that their largest IT purchases were often left idle and only fully utilized during peak demand. This had researchers wondering how best to leverage the latent processing power. Thus, the initial underpinnings of cloud computing were born.
In 2007, Google, IBM, Carnegie Mellon, MIT, Stanford University, UC Berkeley, the University of Maryland, and the University of Washington collaborated to begin research into cloud computing. Before long, many analyst groups began reporting on the significant market share being established by cloud computing. Many standards organizations and consortiums such as the Open Group, OASIS, and DMTF had also begun working groups to define cloud computing standards.
Defining Cloud Computing
Cloud computing is regarded as an evolutionary rather than a revolutionary step. In other words, cloud computing hasn't drastically altered existing technologies, but rather it has succeeded as a result of the collaboration of several existing technologies.
The actual definition of cloud computing is frequently contested. Most will agree that any computing model that qualifies as cloud computing must at minimum have the following criteria:
Elasticity
Cloud computing is typified by its ability to rapidly scale the capacity of the provided service up or down with little to no interaction from the consumer. This characteristic, known as elasticity, is key to cloud computing.
In some delivery models of cloud computing, elasticity is often facilitated through virtualization, although cloud computing does not require virtualization.
Multitenancy
Clouds are inherently multitenanted; even private clouds, which run the workloads of a single corporation, possess multiple tenants, be they workloads or individual users. This multitenancy, and the amortization of the shared compute resource across tenants, is part of the reason for the economic benefits of cloud computing.
Economics
With cloud computing services, the expectation is that the consumer is charged for the amount of time used on the resource. Cloud computing changes the computing barrier to entry for high performance computing resources, by allowing consumers to use only what they need for the time in which they need it. In turn, this has allowed organizations to effectively respond to peak demand requirements without having excess compute resources sitting idle during dormant periods. Clouds can achieve this by distributing the load across multiple shared resources and relying on economies of scale.
Abstraction
The most significant change with cloud computing is that of abstraction. As we will describe in the following section, most cloud providers provide one or more service layers to their consumers. The operational aspect of the layers supporting the service is insulated from the customer. So, a Software as a Service (SaaS) customer will interact with the application itself, but not with the operating system or hardware of the respective cloud. This key difference allows organizations that do not have the necessary system administration skills or compute facilities to leverage enterprise applications hosted by others.
Many of the technologies that assist in providing these capabilities have been present for many years. Virtualization and autonomic response are areas of computing that have been well understood for decades, as has the Internet. Providers of cloud computing were able to assemble these disparate technologies into the above capabilities, ultimately defining cloud computing.
Cloud Computing Services Layers
Cloud computing providers provide different kinds of services to cloud computing consumers. In order to understand the different layers of service, it's important to understand how they would relate in a noncloud computing scenario. See Exhibit 1.1.
Exhibit 1.1 Traditional Model versus Cloud Computing Model
The kind of service being provided has many implications on the provider, including how they address concerns such as security, resiliency, compliance, and multitenancy. Cloud computing services fall into one of the following categories, as shown in Exhibit 1.2.
Exhibit 1.2 Categories of Cloud Computing Services
Infrastructure as a Service
Infrastructure as a Service (IaaS) providers allow their customers access to different kinds of infrastructure. The provider typically provides this service by dividing a very large physical infrastructure resource into smaller virtual resources for access by the consumer. Sometimes the service provided is a complete virtual machine with an operating system. In other instances the service provided is simply for storage, or perhaps a bare virtual machine with no operating system. In cases where the operating system or other software is included, the cost of the required license is either amalgamated into the cost for the service, or included as an additional surcharge.
IaaS providers are often service providers to other cloud providers (see Integrator). Many current Platform as a Service providers leverage IaaS providers for extra capacity on demand. One of the more popular IaaS providers is Amazon, whose Elastic Compute Cloud (EC2) is its IaaS offering.
Platform as a Service
Platform as a Service (PaaS) providers extend the software stack provided by IaaS to include middleware. Middleware generically refers to software such as a DB2 database, or runtime environments such as a Java Runtime Environment (JRE) or a WebSphere application server. This middleware is a prerequisite to running more sophisticated applications, and provides a rich operating environment for the application to exploit. PaaS providers use one of two methods to provide the extra capacity needed for a large multitenant system. In some cases, they provide IaaS-style virtual machines to the consumer. In other cases they provide an interface through which applications (in the case of a runtime environment) or data (in the case of a database) can be uploaded. A popular example of a PaaS is Microsoft's Windows Azure platform.
Each method has its advantages and challenges. With an IaaS-style approach, the provider typically has more control and stronger separation between tenants. This approach is less efficient, however, as common overhead such as the operating system and the virtual machine itself are duplicated across multiple tenants.
In the second case, the underlying infrastructure is addressed in a much more efficient manner, with a single system image and middleware overhead amortized amongst multiple clients. Conversely, the main challenge with this approach lies in the degree of separation that can be provided between tenants. A runtime environment that is not robust or a misconfigured database can allow one user to adversely affect the quality of service of other users.
Software as a Service
Application as a Service providers, more commonly known as Software as a Service (SaaS) providers, typically provide a rich web-based interface to their customers. The customer, in most cases, is completely abstracted from the nuances of the application running behind the scenes. Tenant separation is often done at the application layer, leaving a common application, platform, and infrastructure layer underneath. Popular examples of SaaS include Google Apps and Salesforce.com.
SaaS providers typically increase the capacity of their systems through scale up or scale out methods—depending on the characteristics of the application. SaaS applications that scale up are usually moved to larger platforms as their capacity requirements grow. SaaS applications that scale out are typically run on large clusters of servers. As additional capacity is required, the provider adds additional machines to the cluster.
As there is a significant amount of shared resources used between tenants in an SaaS environment, the ability of one tenant to affect the quality of service of other tenants is always a concern. The ability for an SaaS provider to adequately fence or insulate one tenant from another is key to maintaining quality of service.
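The application-layer tenant separation described for SaaS above, and the shared-middleware failure mode noted for PaaS (a misconfigured database letting one tenant affect another), as an added example that is not from the book: a hypothetical SaaS keeps two tenants' documents in one shared SQLite table (constructed sample rows), with a weak lookup that fences nothing beside a tenant-scoped lookup, plus a minimal per-tenant request quota so one tenant's burst cannot consume the shared capacity. The table layout, tenant names, function names and quota size are all assumptions made for illustration.

```python
"""Application-layer tenant separation in a shared SaaS data store.

Added example, not code from the book. Assumes a hypothetical SaaS that keeps
every tenant's documents in one shared SQLite table (constructed sample data),
as the single-image approach described in the chapter implies.
"""
import sqlite3
from collections import defaultdict


def build_store() -> sqlite3.Connection:
    """Create the shared table and load constructed sample rows for two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents ("
        "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, body TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO documents (id, tenant_id, body) VALUES (?, ?, ?)",
        [
            (1, "acme", "acme Q3 forecast"),
            (2, "acme", "acme payroll"),
            (3, "globex", "globex merger memo"),
        ],
    )
    return conn


def get_document_unscoped(conn: sqlite3.Connection, doc_id: int):
    """Weak version: looks the row up by id alone. Any tenant that guesses an id
    reads another tenant's data, because nothing in the query fences tenants."""
    row = conn.execute("SELECT body FROM documents WHERE id = ?", (doc_id,)).fetchone()
    return row[0] if row else None


def get_document(conn: sqlite3.Connection, tenant_id: str, doc_id: int):
    """Hardened version: the caller's tenant (taken from the authenticated
    session, never from the request) is part of every predicate, so the shared
    table behaves as if each tenant had its own."""
    row = conn.execute(
        "SELECT body FROM documents WHERE id = ? AND tenant_id = ?",
        (doc_id, tenant_id),
    ).fetchone()
    return row[0] if row else None


class TenantQuota:
    """Per-tenant request budget so one tenant cannot consume the shared
    capacity and degrade the others' quality of service. This is a fixed-window
    counter kept deliberately small; a production system would use a token
    bucket or the platform's own rate limiter (assumption, not the book's design)."""

    def __init__(self, limit_per_window: int):
        self.limit = limit_per_window
        self.used = defaultdict(int)

    def allow(self, tenant_id: str) -> bool:
        if self.used[tenant_id] >= self.limit:
            return False
        self.used[tenant_id] += 1
        return True

    def reset_window(self) -> None:
        self.used.clear()


def serve(conn: sqlite3.Connection, quota: TenantQuota, tenant_id: str, doc_id: int):
    """Request path: quota check first, then tenant-scoped lookup. Returns
    (status, body) so the caller can tell 'throttled' from 'not found'."""
    if not quota.allow(tenant_id):
        return ("throttled", None)
    body = get_document(conn, tenant_id, doc_id)
    return ("ok", body) if body is not None else ("not found", None)


if __name__ == "__main__":
    conn = build_store()
    # A cross-tenant read succeeds against the unscoped lookup ...
    print(get_document_unscoped(conn, 3))      # globex merger memo
    # ... and is refused by the scoped one (acme asking for globex's row).
    print(get_document(conn, "acme", 3))       # None
    quota = TenantQuota(limit_per_window=2)
    for _ in range(3):
        print(serve(conn, quota, "acme", 1))   # ok, ok, then throttled
    print(serve(conn, quota, "globex", 3))     # ok: acme's burst did not touch globex
```

The point of the scoped lookup is that the tenant identifier comes from the server-side session rather than from anything the client controls; the quota is the smallest form of the fencing the chapter calls for, and is what stops a misbehaving tenant on shared middleware from turning into everyone else's outage.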
Roles in Cloud Computing
The cloud-computing paradigm defines three key roles. These roles each have different responsibilities and expectations relative to one another. Any party might have multiple roles depending on the context. See Exhibit 1.3.
Exhibit 1.3 Three Key Roles
Consumer
Simply defined, a consumer consumes any service that is provided. In Exhibit 1.3, the SaaS provider exposes an SaaS to the SaaS consumer. The consumer is permitted access to this service for a fee of some sort, though in many instances this fee is augmented or replaced through advertising revenue. The consumer has no responsibility, nor access beyond the SaaS provided to them.
Provider
The providers in this case are both the PaaS provider and the SaaS provider. The PaaS provider provides a PaaS to the SaaS provider. The SaaS provider in turn provides an SaaS to the consumer. Ultimately, the provider is anyone who provides a service to one or more consumers.
Integrator
The integrator role is sometimes referred to as a broker. The integrator essentially assembles the services of many providers under a new service. In some cases, this might involve integrating multiple providers of the same service—for example, the integration of multiple IaaS providers to provide a more resilient or fully-featured IaaS service. In other cases, per our diagram, the integrator might consume another provider's service (in this case PaaS) in order to run a service of their own. The integrator's service is ultimately exposed as an SaaS to the SaaS consumer.
Depending on the perspective, we will see that each party can have multiple roles. The SaaS provider is ultimately a consumer of the PaaS provider, and an integrator of the PaaS service with its SaaS.
Cloud Computing Deployment Models
Cloud computing has a number of different deployment models. A deployment model is a particular method o...

Table of contents

  1. Cover
  2. Title Page
  3. Copyright
  4. Dedication
  5. Preface
  6. Chapter 1: Introduction to Cloud Computing
  7. Chapter 2: Cloud-Based IT Audit Process
  8. Chapter 3: Cloud-Based IT Governance
  9. Chapter 4: System and Infrastructure Lifecycle Management for the Cloud
  10. Chapter 5: Cloud-Based IT Service Delivery and Support
  11. Chapter 6: Protection and Privacy of Information Assets in the Cloud
  12. Chapter 7: Business Continuity and Disaster Recovery
  13. Chapter 8: Global Regulation and Cloud Computing
  14. Chapter 9: Cloud Morphing: Shaping the Future of Cloud Computing Security and Audit
  15. Appendix: Cloud Computing Audit Checklist
  16. About the Editor
  17. About the Contributors
  18. Index