Page 114 - Cloud computing: From paradigm to operation
1 Framework and requirements for cloud computing
A.4 The cloud service provider–Auditor relationship
A cloud auditor should audit to agreed specifications, policies and agreements.
Audit specifications can be standards set by the cloud service provider, standards set by the auditor, or standards set independently, possibly as required by law. Which standard is used can depend on who the intended recipient of the audit result is. If the recipient is a cloud service customer who wants independent assurance, then the audit should use an independently set standard.
Policies are set by the provider for auditing the provider's infrastructures and services. These policies are set
by the business during the governance processes.
The cloud service agreement can include terms relating to the audit of the cloud service provider and
possibly of the cloud service customer. Similar agreements can be in place between a primary cloud service
provider and secondary cloud service providers. The responsibilities of the auditor are the same in each case.
The cloud auditor's cloud computing activities are security audit, privacy impact audit and performance
audit. For all of these cloud computing activities, the cloud auditor can obtain audit evidence from the cloud
service provider. The form of the audit evidence will vary depending on the type of audit and the standard(s)
that apply to the audit. The evidence might take the form of procedural documents, or the form of log
records. In any case, the cloud service provider can have a means by which the cloud auditor can obtain the
required evidence.
In Figure 10-2, the perform audit activity of the cloud auditor makes requests for audit evidence to the cloud
service provider through the administration access functional component of the cloud service provider,
invoking the necessary administration capabilities.
A.4.1 Security audit
Various standards exist for system security audit. ISO/IEC 27001 is one such standard, covering information
security management. There are also many other organizations which provide auditable standards for cloud
security.
A.4.2 Privacy impact audit
Various data protection authorities (e.g., the Privacy Commissioner in Canada and the Information
Commissioner in the UK) publish guidelines on the assessment and/or audit of the privacy impact of
programs, policies or systems. The protection of PII is typically subject to regulation and/or legislation, but one of the issues relating to the cloud service is that the cloud service customer can be in a different jurisdiction from the one that applies to the cloud service provider. The situation can be made more complex if the cloud service provider operates multiple data centres in different jurisdictions and moves data or service execution between these data centres (e.g., for the purposes of service continuity or for the efficient use of resources).
ISO/IEC 27018 is a standard which defines the information security controls applicable to a cloud service
provider when acting as a data processor. ISO/IEC is also dealing with the wider aspects of privacy (see the
ISO/IEC 29100 series of standards, for example).
A cloud auditor should assess the PII protection aspects of a cloud service, and of the cloud service provider's operations, against the data protection regulations of the applicable jurisdictions, following the guidelines issued by the data protection authorities and the relevant standards.
A.4.3 Performance audit
Performance audit assesses the ability of the cloud service provider to meet the performance targets
specified for their cloud services, typically documented in the SLA.