Cloud computing is the delivery of applications, systems, or infrastructure services over a network. Organizations use cloud services from a service provider to save money from having to provide that

Cloud computing is the delivery of applications, systems, or infrastructure services over a network. Organizations use cloud services from a service provider to save money from having to provide that service themselves. Cloud-based services realize an economy of scale since they have a single system accessed by many customers. The provider uses logical separation to make each company separate from another company. Thus, the company using these services has reduced costs and a reduced need for specialized expertise, leaving it free to focus on its core competencies.

Cloud-based systems face the same threats as information systems and are an attractor of cyber-attacks. They use multitenancy and logical separation for their different customers and safeguards to keep the customer systems separate and to separate them from malware threats.

A concern for an organization storing data in a cloud-based service is data sovereignty that describes the data owner’s control over its data. Since the infrastructure and other components are managed by the cloud services provider, the customer lacks direct control over the data.

In data jurisdiction an organization located in one legal jurisdiction is the legal owner of data located on a cloud service provider’s system, which may physically be located in one or more separate jurisdictions. Thus, the applicability and reach of security and privacy laws gets rather complicated. A few well-tested legal precedents help organizations and providers understand the full extent of legal jurisdiction in different situations. For example, the U.S. Patriot Act gives federal law enforcement secret subpoena powers that include examination of data in cloud-based systems.

Controls and audits: Firms using cloud services may need monitoring security controls. In some cases, the effectiveness of some controls may be difficult to establish since they are in the control of the cloud provider. A cloud service organization can have objective audits of key controls performed by external, independent audit firms. Depending on the location and nature of services provided, these external audits can carry enough weight to be accepted by a client organization’s internal and external auditors. Two examples of external cloud-based audit standards are: International Standard on Assurance Engagements No 3402 and Statement on Standards for Attestation Engagements No 16. For both audit standards, the cloud service provider selects the controls to be audited, and a qualified external audit firm performs audits of those controls according to well-established auditing procedures.

Case Assignment

Visit the Cloud Security Alliance at https://cloudsecurityalliance.org/

·         Describe the security standards that have been developed to secure cloud implementations.

·         Describe the CSA STAR program.

·         What types of training does CSA provide to security professionals and cloud providers?

·         Provide your recommendations to a financial firm that will be using the service of a cloud provider. Describe the security and audit assurance the financial firm would need.