Outline
- Abstract
- Keywords
- 1. Introduction and Motivation
- 2. User Requirements for Cloud Security Auditing
- 2.1. Infrastructure Auditing Needs
- 2.1.1. Payment Card Industry Data Security Standard
- 2.2. Data Auditing Needs
- 3. Techniques for Data Security
- 3.1. Data Confidentiality and Integrity
- 3.2. Data Remnance
- 3.3. Data Lineage and Provenance
- 4. Provider Security Capabilities
- 4.1. Security and Compliance at Leading Cloud Providers
- 4.1.1. Infrastructure Security
- 4.1.2. Data Security
- 5. Related Work
- 6. Conclusion
- References
Abstract
For many companies the remaining barriers to adopting cloud computing services are related to security. One of these significant security issues is the lack of auditability for various aspects of security in the cloud computing environment. In this paper we look at the issue of cloud computing security auditing from three perspectives: user auditing requirements, technical approaches for (data) security auditing and current cloud service provider capabilities for meeting audit requirements. We also divide specific auditing issues into two categories: infrastructure security auditing and data security auditing. We find ultimately that despite a number of techniques available to address user auditing concerns in the data auditing area, cloud providers have thus far only focused on infrastructure security auditing concerns.
Keywords: Cloud computing - Data integrity - Security audit - Standards compliance
Conclusions
Despite its significant growth, there are still some obstacles to the more widespread adoption of cloud computing services. For many companies the most significant concern is security and specifically the lack of auditability. We have examined cloud computing auditing from three perspectives: user auditing requirements, technical approaches for security auditing and current cloud service provider capabilities for meeting audit requirements. User auditing requirements were further divided into infrastructure security auditing and data security auditing. Many of the infrastructure auditing requirements are driven by the need to achieve compliance with an IT security standard. For that reason we profiled the infrastructure auditing requirements of the PCI DSS standard version 2.0 (PCI Standards Security Council, 2010). While most of the risks are easy to overcome with the co-operation of the CSP, a few, such as patch management, may present challenges depending on user requirements and provider infrastructure and configuration. Data auditing issues included confidentiality, integrity, data remnance, data provenance and data lineage. There are a number of applicable approaches in each of these areas which could serve the data auditing needs of cloud service users, with the exception of data remnance, which appears to be an open issue within public cloud offerings. While most of the leading cloud providers have begun to provide significant detail about their own internal infrastructure security and compliance, only one carefully addressed questions regarding how users of public cloud offerings could also achieve standards compliance. Unfortunately, among the cloud providers surveyed we did not find any with solutions for user data security auditing.
However, because the cloud services market is driven and shaped by customer demands, if such auditing features become a critical service differentiator for a sufficient number of customers, then CSPs will likely begin to offer them.