Mike Smith is a Director and the Principal Associate of an independent information systems consulting firm based in Rochester, Kent. With more than 30 years of senior level experience in financial and information systems management in the UK and overseas, Mike has worked in several industries, including automotive components manufacturing, copper and cobalt mining, civil and defence engineering, and the welfare-to-work sector. He reviews ‘Auditing Cloud Computing – A Security and Privacy Guide’ (author Ben Halpert) exclusively for IT Governance.
“In this book, Ben Halpert has drawn together a number of contributions from various researchers and practitioners in the field of information security, with – as the title indicates – a clear focus on the particular challenges that cloud computing presents to InfoSec auditors. The book starts with a brief history of cloud computing and its characteristics, comparing these with the “traditional” model of computing. Attention is drawn to an interesting but often overlooked aspect of cloud computing – i.e. whilst the accessibility and economics of the approach make it attractive to smaller organisations, often because of a reduction in the perceived need for highly-skilled IT staff, this in itself can introduce other governance challenges that need to be addressed.
The auditing theme of the book introduces the concepts of InfoSec auditing and their adaptation to cloud computing, developing a suggested model of governance that takes account of the nuances of the cloud. Of particular interest is the emphasis on the tools of governance for cloud computing shifting away from organisational policies and procedures, focusing more on monitoring service level agreements. It is probably in this area that users of cloud services need to re-adjust their governance efforts, given the wide range of “flavours” that make up “cloud computing” as a generic term! The reference to a perceived reduced need for IT skills in cloud computing user organisations suggests that governance and control matters could become more complex by introducing vulnerabilities that might not be apparent to consumers of cloud services. This makes it essential for a clearly defined governance and risk management framework to be in place, with Service Level Agreements addressing each area of information security as measurable and reviewable elements. Attention is also drawn to the probability of lifecycle methodologies and control processes evolving to the extent that cloud providers will increasingly market their services on the basis of security attributes that differentiate them from other providers! An interesting point is made that auditability of cloud services is likely to benefit from “legacy complexities and corresponding vulnerabilities” being reduced through the adoption of the cloud. It goes on to stress that the cloud does not introduce any fundamentally new security risks that have not been encountered already, particularly as improved connectivity for and interaction between legacy systems have themselves introduced complexities that affect security.
The protection and security of information assets are covered in some detail, bringing in issues of changing regulation and legislation, the development of audit and governance frameworks and technological advances. Reference is made again to the shift of custodianship from user to provider based on residence, access, auditability, confidentiality and integrity, with resilience issues being referred to in a somewhat brief chapter on business continuity and disaster recovery.
Regulation in the provision of cloud computing services is discussed at some length, with references being made to the likely key players and developments in risk management, best practice, standards and regulation. The final chapter focuses on data storage, suggesting that the “morphing” of cloud storage will be necessary to facilitate an acceptable level of information security in cloud computing. The suggestion that “it depends on the customer to provide the level of security required” could be the basis for an interesting debate, and it is here that providers have an opportunity to seize the initiative and take the lead!
The book includes a useful and concise appendix entitled “Cloud Computing Audit Checklist”. Whilst this does not pretend to be a comprehensive plan or framework for auditing cloud computing services, it is useful as an overview that can be developed by providers and consumers of cloud computing services alike.
All in all, this is a useful and very readable book, with good coverage of the main issues that InfoSec auditors are likely to encounter when auditing cloud services. It would also be useful reading for those wishing to gain an understanding of “cloud computing” in general, whether existing or potential users of “the cloud”!”