Network Security News

The modern word 'cloud' is the synonym for the distributed computing, distributed file storage, content delivery networks, all in one. The metaphor is very meaningful, one should only imagine clouds floating all above, denying any boundaries and imaginary barriers. The 'clouds' are the response to many modern challenges, including such security horrors as DDoS. However, it's very hard to update the way people think, when reality changes so quickly. Audit Advice and Resources tells about that in Obscured by clouds.

The story goes, IT organizations are quickly moving data, apps, infrastructure and the kitchen sink up, up and away into the clouds. The rationale for this latest migration is the usual suspects of reduced cost and efficiencies. And, like the outsourcing migration before it (which continues today, though there is evidence of the pace becoming slower, see http://www.zdnetasia.com/news/business/0,39044229,62055327,00.htm ), there is no stopping it. So, what does this mean to IT auditors? How do we effectively audit something that is still in the early adolescence of its maturity? Fortunately, while the technology may change, many of the controls and risks associated with data, applications, infrastructure, etc. remain the same. What has changed from an audit perspective is the manner in which these areas are operating and who is operating them.

Traditionally, if you wanted to audit these areas, you went to the data center of your organization, spoke with the various administrators and likely completed the entire audit never having left the building, or at least the company. Then, operations and application development became outsourced functions and the auditor was required to contact the outsource provider of the services, hopefully obtain a SAS70 (or similar document attesting to the controls of the organization, not that this is a substitute for you own testing), speak with both local administrators/vendor management personnel as well as the outsourcers administrators or if the contract provided, go onsite to the outsourcer and audit the environment. A little more leg work, more phone calls and another layer of people involved, but not substantially different than before. Now, we’ve evolved into the world of virtual environments and clouds. What should be the auditor’s approach within these new environments?

I suggest that our approach is really not that much different than before. We need to gain an understanding of the environment – irrespective of whose running it -, speak with the administrators and those responsible for it and apply our control tests. The differences lie in the magnitude of risk associated with our old friends, access controls, change management, data (access, storage, transmission, backup, etc.), network security and privacy – to name a few. Given that others are now processing, storing, and transmitting our data within the same big virtual cloud as hundreds of other companies, the risks associated with the control of our data are significantly greater than when the operations were taking place down the hall by people you could physically go see and speak to.

Key to controlling these risks is the language in the contract. What are the auditors’ rights within the contract? Do you have the right to go onsite to the cloud provider and audit your environment (highly unlikely), are your resources permitted to be shared with other company’s (hopefully not), what exactly is your level of access as an auditor to your environment within the cloud managed by the vendor? Ideally, your access or ability to audit should be no different than it ever was, just your means of access might change and who you need to inform of your testing procedures. If you’re denied access or the ability to audit, validate the language in the service providers’ agreement and if the ‘right to audit’ isn’t there to your management’s satisfaction, consult with your company’s legal consul to determine what can be done.

You should still be able to execute your audits as before, but beware of the increased risks associated with how and what your organization has moved into the cloud and how it impacts your control testing.

Data flow freely between datacenters, the security requires to invent new approaches, to match the changing ideology of data processing. Monitoring becomes a problem, at times - a matter of scientific research, since data source vanishes, becomes obscured; it's hard to tell where given data has arrived from, let alone control their circulation. Distribute data processing requires distributed security means, able to handle old tasks - provide access control, monitor network activity and trace the origin of problems to their sources.

This article was brought to you by the developers of IPHost Network Monitor, network and server monitoring software.