Page 1045 - Cloud computing: From paradigm to operation

Security 7


8.11 Internal security audit

Because security audit covers a wide range of activities, this Recommendation focuses only on the internal security audit from the perspective of operational security. A reliable and objective security audit helps to ensure that operational risk management activities have been thoroughly tested and reviewed, to enhance the transparency of cloud computing services, and even to meet regulatory requirements.

8.11.1 Requisites of security audit

To ensure the objectivity and reliability of the security audit, CSPs and CSCs should negotiate to reach an agreement on the use of a common IT control and certification assurance framework, and on the means of collecting, storing and sharing the audit trail (such as system logs, activity reports and system configurations). According to the security clause of the SLA between CSPs and CSCs, the security audit should be planned and targeted to satisfy the following requisites:

1) Team and function: Firstly, the audit team members should include senior management and staff from different business departments (administrative and technical) to ensure fairness and the scheduling of resources during the audit process. Secondly, the audit objective should include verifying the security management architecture of CSPs and/or CSCs, and validating the effectiveness and correctness of risk control measures. Thirdly, the audit process should be controlled by the audit team and should comply with the standardized workflow. Finally, the security audit should be carried out repeatedly at an appropriate interval.

2) Requisites for the audit process: Firstly, and based on the above, audit activities should be fully recorded and well planned to avoid interrupting CSPs' or CSCs' business processes. Secondly, the scope of the audit objectives and the required resources should be clearly defined, and their availability guaranteed. Lastly, all audit procedures and requirements should be documented, as should the audit team members' responsibilities.

3) Protection of audit tools: The use of audit tools should be restricted and standardized to avoid the misuse of cloud computing resources.
8.11.2 Specific audit requirements

Compared with security audit procedures in traditional information systems, audit team members are especially required to be familiar with the challenges brought by virtualization and other cloud computing technologies. At the same time, the audit category needs to expand from traditional security logs to the operation and maintenance of data, business data, and even the storage location of user data. The audit items include, but are not limited to:

1) Virtualization security audit: The main audit requirements include the means of encryption and integrity checking for virtual image files, isolation and hardening of different virtual machines, access control and migration of virtual machines, monitoring of virtual machine processes, vulnerability inspection in virtual machines, and internal traffic monitoring and measures over the virtualized network.

2) Cloud platform architecture and components security audit: It is crucial to audit the rationality and effectiveness of the countermeasures, including the policy of security domain division, the security redundancy of the network architecture and core components, vulnerability scanning and security hardening, the packaging and distribution of patches, and the configurations of the intrusion prevention system (IPS)/intrusion detection system (IDS), firewalls and virtualization security devices.

3) Operation, maintenance and business behaviour audit: Audit requirements mainly focus on operation and maintenance records, business access logs, access to data, and business behaviour inspection.

4) Identity and access management (IAM) and access control audit: The audit requirements are critical to ensuring correct operation in the cloud computing environment, and include the design and deployment of multifactor authentication, access control, single sign-on (SSO), segregation of duties, and management of privileged users.
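The IAM audit item above can be partly automated. The following is an added illustration, not part of this Recommendation: it runs three of the listed checks (multifactor authentication on privileged accounts, periodic review of privileged access, and segregation of duties) over a constructed account inventory; the record layout, role names and conflicting role pairs are assumptions chosen for the example.

```python
"""Automated checks for the IAM and access-control audit item.

Added example with constructed sample data; the record layout, role names and
conflict pairs are assumptions, not taken from any CSP's real IAM system.
"""
from dataclasses import dataclass

# Role pairs that one account must not hold at the same time (segregation of
# duties). Assumed pairs for illustration; an audit team would derive these
# from the security clause of the SLA.
SOD_CONFLICTS = {frozenset({"change_requester", "change_approver"}),
                 frozenset({"key_custodian", "key_auditor"})}
# Roles treated as privileged for the MFA and access-review checks (assumed).
PRIVILEGED_ROLES = {"cloud_admin", "hypervisor_admin", "change_approver", "key_custodian"}

@dataclass
class Account:
    name: str
    roles: set
    mfa_enabled: bool
    last_review_days: int   # days since privileged access was last reviewed

def audit_account(acct, max_review_days=90):
    """Return the findings for one account; an empty list means it passed."""
    findings = []
    privileged = bool(acct.roles & PRIVILEGED_ROLES)
    if privileged and not acct.mfa_enabled:
        findings.append("privileged account without multifactor authentication")
    if privileged and acct.last_review_days > max_review_days:
        findings.append(f"privileged access not reviewed for {acct.last_review_days} days")
    for pair in SOD_CONFLICTS:
        if pair <= acct.roles:   # account holds every role of a conflicting pair
            findings.append("segregation of duties conflict: " + " + ".join(sorted(pair)))
    return findings

def audit_iam(accounts):
    """Map each non-compliant account name to its list of findings."""
    return {a.name: f for a in accounts if (f := audit_account(a))}

# Constructed sample inventory: one clean admin, one SoD conflict, one admin
# lacking MFA and overdue for review, and one unprivileged account.
SAMPLE_ACCOUNTS = [
    Account("alice", {"cloud_admin"}, True, 30),
    Account("bob", {"change_requester", "change_approver"}, True, 10),
    Account("carol", {"hypervisor_admin"}, False, 200),
    Account("dave", {"viewer"}, False, 400),
]

if __name__ == "__main__":
    for name, findings in audit_iam(SAMPLE_ACCOUNTS).items():
        print(name, "->", "; ".join(findings))
```

The output of such a check is audit evidence, so it should itself be written to the agreed audit trail rather than only printed.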

