Auditing the Cloud; what is the necessary comfort level?
Recorded: February 1, 2012
Cloud Computing has been hailed as the long-sought answer to low-cost computing, where users can remotely store their data in the cloud and enjoy on-demand, high-quality applications and services from a shared pool of computing resources. By outsourcing their data storage, users are relieved of the burden of local data storage and maintenance, in some cases eliminating IT departments altogether.
However, no longer having physical possession of their data makes protecting data integrity in the cloud environment a serious challenge, especially for users with constrained computing resources and capabilities. Thus allowing, or even mandating, third-party security and compliance audits of Cloud Service Providers (CSPs) is of critical importance, so that users can turn to an external audit party to check the integrity of outsourced data when needed.
The number one concern for many organizations that are either evaluating cloud computing services or have already procured them is how to ensure adequate information security, i.e. the confidentiality, integrity and availability of critical data stored by the cloud service provider, while also balancing those three properties against one another. This concern has created the need for standardization and consistency in audit and assurance practices in the cloud computing space, particularly third-party audit and assurance. But, as we saw during the early days of information security, the industry is again experiencing the development of a whole host of new so-called "standards" and frameworks (many of them industry specific) that claim to be able to audit CSPs and ensure their integrity, security and quality. A "silver bullet", if you will. But how much is enough?
Overburdening Cloud Service Providers with a multitude of continuous audits will almost certainly increase the cost of the service, or at minimum drive out the smaller companies and leave the large providers with the lion's share. That runs the risk of fewer choices and higher rates due to monopolies, eliminating the reason Cloud Computing is attractive in the first place, not to mention the internal costs associated with monitoring and managing the audit processes and reports.
Join our panel of experts as they discuss the main concerns of Cloud Computing, the different audit approaches and tools being offered, how to evaluate those tools, and what a common-sense, efficient and cost-effective process looks like when evaluating a Cloud Service Provider.
Moderator: Marlin Pohlman is Chief Governance Officer at EMC. Within the Cloud Security Alliance he is Global Research Strategist, coordinating the activity of technical work groups within the alliance and acting as liaison with external cloud standards bodies. Dr. Pohlman works with the AICPA on the SSAE 16 SOC 2 cloud auditing best practice. Within the Cloud Security Alliance Dr. Pohlman is the active Co-Chair of the Controls Matrix and Consensus Assessments work groups as well as Co-Chair of the Cloud Audit/A6 Standards Work Group and the Consensus Assessment Questionnaire Work Group; he was the principal author of domains 2, 4, 7, 12 and 13 of the CSA guidance. Within the Distributed Management Task Force he is a founding member of the Cloud Auditing Data Federation work group. Within the Open Group he is a primary contributor to the Service Oriented Cloud Computing Infrastructure standard and to Security Principles for Cloud and SOA. Within ISO SC27 WG1 Dr. Pohlman is the co-editor of the ISO 27017 Cloud Security Control Standard, as well as an editor of the United Nations ITU-T Cloud Focus Group Requirements for Cloud Computing and a contributor to ISO 27036 Supply Chain for cloud computing and to ITU-T X.srfctse (Security Requirements and Framework of Cloud Based Telecommunication Service Environment), X.sfcse (Security functional requirements for SaaS application environment) and X.idmcc (Requirement of IdM in cloud computing).
Kevin Hardcastle, CISSP. Kevin joined Washington University School of Medicine in September 2007 as its Information Security Officer. Kevin directs all activities of the School of Medicine's Information Security Office, and is responsible for risk management, compliance, information security operations, information security awareness, program development and overall coordination of all aspects of information security. Kevin's previous responsibilities included performing project-based security risk assessments and implementing an ISMS program to attain BS7799 and ISO 27001 certifications for Reuters Americas data centers, managing the information security architecture program for Wellpoint, and building the information security program for Blue Cross and Blue Shield of Missouri to meet HIPAA security regulations. He has spoken at The Internet Security Conference, Secure World, IT Security World and The Health Care Security and Privacy on the topic of HIPAA and building information security frameworks. Kevin holds certifications as a BS7799 ISMS auditor and Certified Information Systems Security Professional, and is certified by the Business Continuity Institute in Business Continuity Management.
Taiye Lambo is a security subject matter expert in the area of Information Security Governance, with 20+ years in IT, including 15 years of experience assisting organizations globally to build robust, comprehensive, effective and sustainable information security programs through the integration of internationally accepted best practices, including ISO 27000, COBIT, COSO, ITIL and NIST. He founded the UK Honeynet project (www.honeynet.org.uk) and the Holistic Information Security Practitioner (HISP) Institute (www.hispi.org), and also founded the HISP Program, the first integrated training and certification for Governance, Risk Management and Compliance (GRC), which he has personally delivered in the following countries: USA, UK, Greece, Jamaica and South Africa.
Raj Samani, VP & Chief Technology Officer, EMEA, McAfee. Raj is an active member of the information security industry, through involvement with numerous initiatives to improve the awareness and application of security. He is currently VP and Chief Technology Officer for McAfee EMEA, having previously worked as the Chief Information Security Officer for a large public sector organisation in the UK. In addition, Raj is currently the Vice President for Communications in the ISSA UK Chapter, having previously established the UK mentoring programme. He is also on the advisory council for the Infosecurity Europe show and Infosecurity Magazine, and is an expert on both searchsecurity.co.uk and the Infosec portal.