Cloud Recovery

Thoughts and Topics Around Cloud Backup and Recovery


Transitioning to Cloud Computing

Posted by amcanty on February 4, 2010

Auditability must be a goal

By Robert Grapes

February 3, 2010 03:00 PM EST

“The drive toward cloud computing continues to be a dominant infrastructure deployment theme for organizations looking to reduce costs, increase storage and optimize mobility. What many fail to realize is the trend towards cloud computing is continually forcing IT managers to rethink fundamental security issues as a barrage of new attacks and exploits continue to assault the cloud every day.

Compelling for any business model, cloud computing delivers a scalable, accessible and high-performing computing infrastructure that comes at an appealing price for organizations.

Similarly, operating in the cloud allows for the convergence of new and emerging technologies. Providing appeal to both the provider and the consumer, cloud computing enables new application deployment and recovery options, as well as new application business models. However, cloud computing may not be the panacea that the press and many organizations make it out to be. We must have trust and confidence in the platform on which we are deploying our applications and data. We must be able to maintain control of the information that drives our business. Ultimately, we must be able to prove that trust to our auditors. The solution, having not yet been defined, could be deemed “auditability.”

Cloud computing is made possible and viable through its use of new and emerging technologies. These same technologies also introduce new security threats that, if left unaddressed, could prove to be the Achilles’ heel of cloud computing. Auditability stems from an understanding of the threats and risks that face an application and its associated data. It is deployed to any system or platform and makes certain the commensurate security measures are taken to mitigate risks and monitor and address the threats. Traditional security risks and more sophisticated attacks are all threats that plague the deployment of applications and data in the cloud. It’s of the utmost importance that organizations understand and increase the auditability of their cloud computing deployments to ensure the best security solutions are in place to protect their systems.

Threat and Risk Assessment
Threat and risk assessments provide insight into the potential weaknesses of systems and applications that could be exploited by an attacker for malicious purposes. Often these assessments identify weaknesses that could provide opportunities for damage through simple negligence. An attack analysis, as part of these assessments, places one in the mindset of an attacker for the purposes of identifying all the possible ways a system could be breached. One should not be afraid of performing an attack analysis on existing systems and applications as it is better to find potential areas to exploit prior to deployment than by a malicious attacker once in production. To make an attack analysis more thorough, one should include external and internal attacks, static and dynamic analysis attacks, and manual and automated attack types. The more tests that are run, the more resilient the auditability reports will be to auditor scrutiny and the more confident an organization will be placing applications and data into the cloud.

Virtualization
Virtualization is the cornerstone technology upon which the cloud computing infrastructure is built. Without it, the capital and operating costs of the cloud would simply outweigh the return. With it, providers are able to deliver near-instant recovery options and portability, using snapshots and elastic computing capabilities. This offers cloud consumers the benefit of on-demand utilization of resources to meet peak computing needs without requiring the overhead and cost of standby and latent computing power, all at very reasonable costs.”

For the rest of the article, click here!
