Auditing the cloud.

Author: Rapp, H. Peet
Position: Technology

Within organizations, there are information technology auditors--employees or contractors--who, when not addressing the audit at hand, are becoming aware of what lies ahead for IT. What's coming is cloud computing.

Cloud computing offers processing and data storage when the company needs it, scales to current needs and charges only for what an organization actually uses. Cloud computing does not require the traditional IT capital investment or the skilled technical support that is often hard to find.

However, unless business-critical applications and data are uploaded on what are termed "private clouds"--application virtualization on servers either owned or controlled by the organization--IT audit red flags start flying.

Cloud Computing Defined

There are many varieties of cloud computing being offered. A point of confusion is that the terminology used by vendors, technology analysts and business writers is often not standardized. There now appears to be a coalescence of cloud computing terminology initially defined by the National Institute of Standards and Technology (NIST) and accepted by the Cloud Security Alliance (CSA) and ISACA (formerly the Information Systems Audit and Control Association).

This standardized terminology is detailed online in the ISACA whitepaper Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives, which states that NIST and the CSA "define cloud computing as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

The whitepaper identifies three service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). (See chart on opposite page.) The following examines concerns associated with SaaS.

SaaS clients share with other SaaS clients the use of one application running on one or several servers, all reading and writing the same data store. This is referred to as multi-tenancy. There could be dozens or hundreds of other SaaS clients all sharing this same application. Because the clients' data are commingled in that store, each record is to carry metadata tags identifying the client that owns it, so that every client's data can be separated and tracked; the application, not the storage, is what keeps one client from seeing another's records. The data may be encrypted while stored or while transmitted.
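The following is an added example, not code from the article or from any particular SaaS vendor, showing what the tenant tag does in practice and what an auditor should look for. It assumes a hypothetical `documents` table in a single shared SQLite database, where a `tenant_id` column is the metadata tag; the tenant names and document titles are constructed sample data. The scoped store binds every query to the authenticated tenant, while `get_document_unscoped` shows the failure mode: a lookup by record identifier alone returns another tenant's data.

```python
import sqlite3
from typing import List, Optional

# Constructed sample data: four documents from three tenants, commingled in one table.
SAMPLE_ROWS = [
    ("acme", 1, "Q3 payroll"),
    ("acme", 2, "Vendor contracts"),
    ("globex", 3, "Board minutes"),
    ("initech", 4, "TPS reports"),
]


def build_store() -> sqlite3.Connection:
    """Create the shared, in-memory multi-tenant table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents ("
        "  tenant_id TEXT NOT NULL,"          # the metadata tag that separates tenants
        "  doc_id    INTEGER PRIMARY KEY,"    # global identifier shared across all tenants
        "  title     TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


class TenantScopedStore:
    """Data access layer that pins every query to the tenant fixed at login.

    The tenant identifier comes from the authenticated session, never from the
    request parameters, and is added to every WHERE clause as a bound parameter.
    """

    def __init__(self, conn: sqlite3.Connection, tenant_id: str) -> None:
        self._conn = conn
        self._tenant = tenant_id

    def list_titles(self) -> List[str]:
        rows = self._conn.execute(
            "SELECT title FROM documents WHERE tenant_id = ? ORDER BY doc_id",
            (self._tenant,),
        ).fetchall()
        return [title for (title,) in rows]

    def get_document(self, doc_id: int) -> Optional[str]:
        # Both predicates are required: doc_id selects the record, tenant_id
        # proves the caller is allowed to see it. A foreign doc_id yields None.
        row = self._conn.execute(
            "SELECT title FROM documents WHERE tenant_id = ? AND doc_id = ?",
            (self._tenant, doc_id),
        ).fetchone()
        return row[0] if row else None


def get_document_unscoped(conn: sqlite3.Connection, doc_id: int) -> Optional[str]:
    """The audit finding: a lookup keyed only on the client-supplied doc_id.

    The tenant tag is stored but never checked, so any tenant that guesses or
    enumerates an identifier reads another tenant's record.
    """
    row = conn.execute(
        "SELECT title FROM documents WHERE doc_id = ?", (doc_id,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = build_store()
    acme = TenantScopedStore(conn, "acme")
    print("acme sees:", acme.list_titles())
    print("acme asks for doc 3 (globex):", acme.get_document(3))
    print("unscoped lookup of doc 3:", get_document_unscoped(conn, 3))
```

The check an auditor would ask the provider to demonstrate is that every query against the shared tables carries the tenant predicate and that the tenant value is taken from the authenticated session rather than from the request; the unscoped function above is exactly the pattern that a code or query-log review should flag.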

It's much like the trust you place with an attendant when checking your coat when you entrust the SaaS...
