Auditing

Information technology audits fall into two categories, internal and external. Internal audits address work done by the organization's own employees; they examine organizational processes and focus primarily on process optimization and risk management. External audits assess, from an outside perspective, an organization's ability to meet legal and regulatory requirements. Both kinds of audit can also evaluate data availability, integrity, and confidentiality. A cloud solution requires a three-way negotiation among the service organization, the cloud service provider (CSP), and the end users, with the goal of maintaining productivity while keeping security at an acceptable level.

Cloud security audits examine whether security-relevant data is transparent to CSP customers, what the data encryption policies are, and what protections address the co-located (multi-tenant) customer environment. The scale, scope, and complexity of a cloud computing audit also differ significantly from those of a traditional enterprise audit. A further challenge lies in the auditor's own cloud computing knowledge: cloud security auditors must know cloud computing terminology and have a working knowledge of the service design and delivery model of the system under review.

Cloud security audits must verify that all security-relevant data is available to CSP customers. Transparency enables rapid identification of potential security risks and threats, and it supports the development of appropriate enterprise countermeasures and recommendations. Customers who have access to accurate information about the provider's controls are better placed to reduce their own exposure.

Data should be encrypted at rest, in transit, and, where possible, in use. Encryption is not always the most efficient solution, and the available key management options are not always acceptable. Encryption and decryption overhead may make encryption at rest non-viable for some workloads. Data in transit is usually protected with transport-layer technologies such as Transport Layer Security (TLS), the successor to the now-deprecated Secure Sockets Layer (SSL); an audit should confirm that the deprecated SSL and early TLS versions are actually disabled, not merely discouraged. Homomorphic encryption, one form of encryption in use, allows queries to be evaluated over encrypted data without the service decrypting it. It has the potential to close the gap left by encryption at rest in both traditional IT and cloud infrastructures, but its performance is still lacking.
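The transport-encryption check described above, as an added example that is not part of the original text: a small audit routine over Python's standard `ssl.SSLContext`, shown against a deliberately weak client configuration (no protocol floor, no certificate or hostname verification) and against a hardened one. The TLS 1.2 floor and the three findings are assumptions chosen for this example; a real audit would take its thresholds from the organization's encryption policy.

```python
import ssl

# Assumed policy for this example: TLS 1.2 is the floor, and both certificate
# verification and hostname checking must be enabled on every client.
MIN_VERSION = ssl.TLSVersion.TLSv1_2


def audit_tls_context(ctx: ssl.SSLContext) -> list[str]:
    """Return a list of findings for the context; an empty list means it passes."""
    findings = []
    if ctx.minimum_version < MIN_VERSION:
        findings.append(
            f"minimum protocol version {ctx.minimum_version.name} is below {MIN_VERSION.name}"
        )
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not required (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    return findings


def weak_client_context() -> ssl.SSLContext:
    """Deliberately weak configuration: no version floor and no certificate checks."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    # No floor at all: whatever the OpenSSL build still supports, including
    # TLS 1.0/1.1 where present, would be negotiated.
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Configuration that passes the audit: TLS 1.2+, verification and hostname checks on."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = MIN_VERSION
    return ctx


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        findings = audit_tls_context(ctx)
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for f in findings:
            print("  -", f)
```

The same three checks apply to any TLS client the service organization operates against a CSP endpoint; server-side policy (the cipher suites and versions the CSP's load balancer offers) has to be checked separately on the provider's side of the negotiation.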

While co-location enables the economic advantages of a multi-tenant environment, it also introduces significant security concerns. An audit must establish that the CSP's hypervisors reliably isolate virtual machines (VMs) from one another and from the underlying physical host. A CSP has multiple ways to build and manage its hypervisors and must balance each against its business needs and the relevant security issues. Despite the need for standardized cloud computing structures and multi-tenant security, no official standard exists.

In cloud computing, a single physical machine typically hosts many virtual machines, which can drastically increase the number of hosts that need to be audited. This increase can make the scale, scope, and complexity of a cloud audit overwhelming. Standardization can do much to make the audit smoother and faster despite the larger scale. Another critical factor is the adjustment of the audit scope.

While the increased number of IT elements requiring audit drives the scale problem, new types of technology drive the increase in scope; the examination of hypervisor security in a multi-tenant environment is one example. Many cloud environments also include intangible, logical elements that must be audited. Auditors must be aware of these differences and take the added complexity into account.

Cloud service performance varies between CSPs. Within a single CSP, performance can also depend on service configuration, time (time of day, day of the week, week of the month, and so on), and geographic location. Performance variance of over 1000% in compute services alone has been observed. Because pricing is typically a fixed rate tied to a specific metric (for example, per instance-hour), such variance leads to widely differing price/performance values.

Compute metrics recommended for auditing are CPU and input/output (I/O) performance. Network metrics such as latency and allocated bandwidth should also be measured from multiple CSP locations.
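The price/performance calculation behind the two paragraphs above, as an added example that is not part of the original text: benchmark results for one instance size are collected per region and time of day, converted to cost per unit of work delivered (fixed hourly price divided by measured throughput), and the spread, the worst region, and the runs that exceed a tolerance are reported. The regions, hours, scores, the $0.10/hour price, and the 2x tolerance are constructed values for this example, chosen so that the spread reproduces the "over 1000%" variance the text mentions; the same arithmetic applies to any metric billed at a fixed rate, such as I/O operations or allocated bandwidth.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Sample:
    region: str            # CSP location the benchmark ran in
    hour: int              # local hour of day the run started
    work_units: float      # benchmark work completed per hour on the instance
    price_per_hour: float  # fixed list price for the same instance size


# Constructed measurements: one instance size, three regions, two times of day,
# all billed at a flat 0.10 per hour.
SAMPLES = [
    Sample("us-east", 10, 100.0, 0.10),
    Sample("us-east", 18, 40.0, 0.10),
    Sample("eu-west", 10, 90.0, 0.10),
    Sample("eu-west", 18, 85.0, 0.10),
    Sample("ap-south", 10, 20.0, 0.10),
    Sample("ap-south", 18, 9.0, 0.10),
]


def cost_per_unit(s: Sample) -> float:
    """Price actually paid per unit of work delivered: the audit's price/performance figure."""
    return s.price_per_hour / s.work_units


def performance_variance_pct(samples) -> float:
    """How much faster the best run was than the worst, as a percentage."""
    scores = [s.work_units for s in samples]
    return (max(scores) / min(scores) - 1.0) * 100.0


def price_performance_spread(samples) -> float:
    """Ratio of the worst to the best cost per unit of work across all runs."""
    costs = [cost_per_unit(s) for s in samples]
    return max(costs) / min(costs)


def mean_cost_by_region(samples) -> dict:
    """Average cost per unit of work for each region, over all hours sampled."""
    by_region = defaultdict(list)
    for s in samples:
        by_region[s.region].append(cost_per_unit(s))
    return {region: mean(costs) for region, costs in by_region.items()}


def worst_region(samples) -> str:
    costs = mean_cost_by_region(samples)
    return max(costs, key=costs.get)


def flag_outliers(samples, tolerance: float = 2.0) -> list:
    """(region, hour) of runs costing more than `tolerance` times the best run, worst first."""
    best = min(cost_per_unit(s) for s in samples)
    flagged = [s for s in samples if cost_per_unit(s) > tolerance * best]
    flagged.sort(key=cost_per_unit, reverse=True)
    return [(s.region, s.hour) for s in flagged]


if __name__ == "__main__":
    print(f"performance variance: {performance_variance_pct(SAMPLES):.1f}%")
    print(f"price/performance spread: {price_performance_spread(SAMPLES):.2f}x")
    print(f"worst region by mean cost per unit: {worst_region(SAMPLES)}")
    print("runs over 2x the best cost per unit:", flag_outliers(SAMPLES))
```

Because the price term is constant in this data set, the spread in cost per unit equals the spread in throughput; with the constructed numbers the slowest run (ap-south at 18:00) costs about eleven times as much per unit of work as the fastest, which is the kind of figure an audit should surface before a contract is renewed.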
