Trust is Good, Control is Better: Creating Secure Clouds by Continuous Auditing

Cloud service certifications (CSC) attempt to assure a high level of security and compliance. However, considering that cloud services are part of an ever-changing environment, multi-year validity periods may put in doubt reliability of such certifications. We argue that continuous auditing (CA) of selected certification criteria is required to assure continuously reliable and secure cloud services, and thereby increase trustworthiness of certifications. CA of cloud services is still in its infancy, thus, we conducted a thorough literature review, interviews, and workshops with practitioners to conceptualize an architecture for continuous cloud service auditing. Our study shows that various criteria should be continuously audited. Yet, we reveal that most of existing methodologies are not applicable for third party auditing purposes. Therefore, we propose a conceptual CA architecture, and highlight important components and processes that have to be implemented. Finally, we discuss benefits and challenges that have to be tackled to diffuse the concept of continuous cloud service auditing. We contribute to knowledge and practice by providing applicable internal and third party auditing methodologies for auditors and providers, linked together in a conceptual architecture. Further on, we provide groundings for future research to implement CA in cloud service contexts.

[1]  Ernesto Damiani,et al.  Towards the Certification of Cloud Services , 2013, 2013 IEEE Ninth World Congress on Services.

[2]  Patrick P. C. Lee,et al.  Enabling Data Integrity Protection in Regenerating-Coding-Based Cloud Storage , 2012, SRDS.

[3]  Changsheng Wan,et al.  Securing continuous auditing in wireless network , 2011, 2011 International Conference on E-Business and E-Government (ICEE).

[4]  Ali Sunyaev,et al.  A Taxonomic Perspective on Certification Schemes: Development of a Taxonomy for Cloud Service Certification Criteria , 2014, 2014 47th Hawaii International Conference on System Sciences.

[5]  Vincent S. Lai,et al.  Continuous auditing with a multi-agent system , 2007, Decis. Support Syst..

[6]  Chun-Hsiu Yeh,et al.  Developing Continuous Audit and Integrating Information Technology in E-business , 2008, 2008 IEEE Asia-Pacific Services Computing Conference.

[7]  Thomas Kunz,et al.  Technische Unterstützung von Audits bei Cloud-Betreibern , 2013, Datenschutz und Datensicherheit - DuD.

[8]  R. Nithiavathy Data integrity and data dynamics with secure storage service in cloud , 2013, 2013 International Conference on Pattern Recognition, Informatics and Mobile Engineering.

[9]  Jingwei Yang,et al.  Research on Continuous Auditing Based on Multi-agent and Web Services , 2012, 2012 International Conference on Management of e-Commerce and e-Government.

[10]  Miklos A. Vasarhelyi,et al.  Principles of Analytic Monitoring for Continuous Assurance , 2004 .

[11]  Chu-Hsing Lin,et al.  A Cloud-aided RSA Signature Scheme for Sealing and Storing the Digital Evidences in Computer Forensics , 2012 .

[12]  Jinping Gao Technical Framework Model of Continuous Online Assurance , 2010, 2010 International Conference on E-Business and E-Government.

[13]  Miklos A. Vasarhelyi,et al.  The acceptance and adoption of continuous auditing by internal auditors: A micro analysis , 2012, Int. J. Account. Inf. Syst..

[14]  Mark Gall,et al.  Language Classes for Cloud Service Certification Systems , 2015, 2015 IEEE World Congress on Services.

[15]  尚弘 島影 National Institute of Standards and Technologyにおける超伝導研究及び生活 , 2001 .

[16]  Robert L. Braun,et al.  Computer‐assisted audit tools and techniques: analysis and perspectives , 2003 .

[17]  Uday S. Murthy,et al.  A continuous auditing web services model for XML-based accounting systems , 2004, Int. J. Account. Inf. Syst..

[18]  Benny Rochwerger,et al.  A Monitoring and Audit Logging Architecture for Data Location Compliance in Federated Cloud Infrastructures , 2011, 2011 IEEE International Symposium on Parallel and Distributed Processing Workshops and Phd Forum.

[19]  Jinjun Chen,et al.  Authorized Public Auditing of Dynamic Big Data Storage on Cloud with Efficient Verifiable Fine-Grained Updates , 2014, IEEE Transactions on Parallel and Distributed Systems.

[20]  Pascual,et al.  The Continuous Auditing , 2016 .

[21]  Xiaohua Jia,et al.  An Efficient and Secure Dynamic Auditing Protocol for Data Storage in Cloud Computing , 2013, IEEE Transactions on Parallel and Distributed Systems.

[22]  M. Vasarhelyi THE CONTINUOUS AUDIT OF ONLINE SYSTEMS , 1991 .

[23]  Miklos A. Vasarhelyi,et al.  Continuous monitoring of business process controls: A pilot implementation of a continuous auditing system at Siemens , 2006, Int. J. Account. Inf. Syst..

[24]  Ali Sunyaev,et al.  Dynamic Certification of Cloud Services , 2013, 2013 International Conference on Availability, Reliability and Security.

[25]  Rafael Accorsi Automated Privacy Audits to Complement the Notion of Control for Identity Management , 2007, IDMAN.

[26]  Kishore Singh,et al.  Continuous Auditing and Continuous Monitoring in ERP Environments: Case Studies of Application Implementations , 2014, J. Inf. Syst..

[27]  Timon C. Du,et al.  Mobile agents for a brokering service in the electronic marketplace , 2005, Decis. Support Syst..

[28]  William C. Chu,et al.  A Portable Interceptor Mechanism on SOAP for Continuous Audit , 2006, 2006 13th Asia Pacific Software Engineering Conference (APSEC'06).

[29]  Nurmazilah Mahzan,et al.  Examining the adoption of computer-assisted audit tools and techniques: Cases of generalized audit software use by internal auditors , 2014 .

[30]  Gilbert Hamann,et al.  Abstracting Execution Logs to Execution Events for Enterprise Applications (Short Paper) , 2008, 2008 The Eighth International Conference on Quality Software.

[31]  Hui Du,et al.  Meeting Challenges and Expectations of Continuous Auditing in the Context of Independent Audits of Financial Statements , 2007 .

[32]  Carol E. Brown,et al.  A Review and Analysis of the Existing Research Streams in Continuous Auditing , 2007 .

[33]  Julian Schütte,et al.  Generating Threat Profiles for Cloud Service Certification Systems , 2016, 2016 IEEE 17th International Symposium on High Assurance Systems Engineering (HASE).

[34]  P. Mell,et al.  The NIST Definition of Cloud Computing , 2011 .

[35]  Tommie Singleton,et al.  A 25‐year retrospective on the IIA’s SAC projects , 2003 .

[36]  Ernesto Damiani,et al.  A model-based approach to reliability certification of services , 2012, 2012 6th IEEE International Conference on Digital Ecosystems and Technologies (DEST).

[37]  Frank Doelitzscher,et al.  An agent based business aware incident detection system for cloud environments , 2012, Journal of Cloud Computing: Advances, Systems and Applications.

[38]  M. D. Myers,et al.  Qualitative Research in Business & Management , 2008 .

[39]  Ali Sunyaev,et al.  What is Really Going On at Your Cloud Service Provider? Creating Trustworthy Certifications by Continuous Auditing , 2015, 2015 48th Hawaii International Conference on System Sciences.

[40]  Ali Sunyaev,et al.  Dynamic Certification of Cloud Services: Trust, but Verify! , 2016, IEEE Security & Privacy.

[41]  Miklos A. Vasarhelyi,et al.  Audit Automation for Implementing Continuous Auditing: Principles and Problems , 2008 .

[42]  Khaled M. Khan,et al.  Trust in Cloud Services: Providing More Controls to Clients , 2013, Computer.

[43]  A Santoro,et al.  On-line monitoring. , 1995, Nephrology, dialysis, transplantation : official publication of the European Dialysis and Transplant Association - European Renal Association.

[44]  Siani Pearson,et al.  Toward Accountability in the Cloud , 2011, IEEE Internet Computing.

[45]  Qiang Fu,et al.  Execution Anomaly Detection in Distributed Systems through Unstructured Log Analysis , 2009, 2009 Ninth IEEE International Conference on Data Mining.

[46]  Simon D. Kent,et al.  The utilisation of generalized audit software (GAS) by external auditors , 2012 .

[47]  Jon B. Woodroof,et al.  Continuous audit implications of Internet technology: triggering agents over the Web in the domain of debt covenant compliance , 2001, Proceedings of the 34th Annual Hawaii International Conference on System Sciences.

[48]  Stefan Luckner,et al.  Formal Specification of Web Service Contracts for Automated Contracting and Monitoring , 2007, 2007 40th Annual Hawaii International Conference on System Sciences (HICSS'07).

[49]  Philipp Stephanow,et al.  Towards Continuous Certification of Infrastructure-as-a-Service Using Low-Level Metrics , 2015, 2015 IEEE 12th Intl Conf on Ubiquitous Intelligence and Computing and 2015 IEEE 12th Intl Conf on Autonomic and Trusted Computing and 2015 IEEE 15th Intl Conf on Scalable Computing and Communications and Its Associated Workshops (UIC-ATC-ScalCom).

[50]  Sebastian Lehrig,et al.  Systematically Deriving Quality Metrics for Cloud Computing Systems , 2015, ICPE.

[51]  Uday S. Murthy,et al.  Information fusion in continuous assurance , 2012, ECIS.

[52]  Stephen S. Yau,et al.  Dynamic Audit Services for Outsourced Storages in Clouds , 2013, IEEE Transactions on Services Computing.

[53]  Steve G. Sutton,et al.  Continuous Auditing in ERP System Environments: The Current State and Future Directions , 2010, J. Inf. Syst..

[54]  Deron Liang,et al.  An Analysis of Using State of the Art Technologies to Implement Real-Time Continuous Assurance , 2010, 2010 6th World Congress on Services.

[55]  K.J.Jagdish Devi Parvathy Mohan Dynamic Audit Services for Outsourced Storages in Clouds , 2014 .

[56]  Gian Pietro Picco,et al.  Understanding code mobility , 1998, Proceedings of the 2000 International Conference on Software Engineering. ICSE 2000 the New Millennium.

[57]  Krzysztof Zielinski,et al.  Dynamic monitoring framework for the SOA execution environment , 2010, ICCS.

[58]  V. Kavitha,et al.  A survey on security issues in service delivery models of cloud computing , 2011, J. Netw. Comput. Appl..

[59]  Miklos A. Vasarhelyi,et al.  The case for process mining in auditing: Sources of value added and areas of application , 2013, Int. J. Account. Inf. Syst..

[60]  Ali Sunyaev,et al.  Cloud services certification , 2013, CACM.

[61]  Miklos A. Vasarhelyi,et al.  The Continuous Audit of Online Systems1 , 2018 .

[62]  Mohand Tahar Kechadi,et al.  Cloud Forensics , 2011, IFIP Int. Conf. Digital Forensics.

[63]  Rafael Accorsi,et al.  Automated Privacy Audits Based on Pruning of Log Data , 2008, 2008 12th Enterprise Distributed Object Computing Conference Workshops.

[64]  Gerhard Koschorreck Automated Audit of Compliance and Security Controls , 2011, 2011 Sixth International Conference on IT Security Incident Management and IT Forensics.

[65]  Chien-Ho Wu,et al.  On an agent-based architecture for collaborative continuous auditing , 2008, 2008 12th International Conference on Computer Supported Cooperative Work in Design.

[66]  J. Ramya Rajalakshmi,et al.  Anonymizing log management process for secure logging in the cloud , 2014, 2014 International Conference on Circuits, Power and Computing Technologies [ICCPCT-2014].

[67]  Shih-Jen Chen,et al.  A Mechanism on Risk Analysis of Information Security with Dynamic Assessment , 2011, 2011 Third International Conference on Intelligent Networking and Collaborative Systems.