Rasheed 2014
Rasheed 2014
Rasheed 2014
G Model
JJIM-1286; No. of Pages 5
a r t i c l e i n f o a b s t r a c t
Article history: For many companies the remaining barriers to adopting cloud computing services are related to security.
Available online xxx One of these significant security issues is the lack of auditability for various aspects of security in the
cloud computing environment. In this paper we look at the issue of cloud computing security auditing
Keywords: from three perspectives: user auditing requirements, technical approaches for (data) security auditing
Cloud computing and current cloud service provider capabilities for meeting audit requirements. We also divide specific
Security audit
auditing issues into two categories: infrastructure security auditing and data security auditing. We find
Data integrity
ultimately that despite a number of techniques available to address user auditing concerns in the data
Standards compliance
auditing area, cloud providers have thus far only focused on infrastructure security auditing concerns.
© 2013 Published by Elsevier Ltd.
1. Introduction and motivation control is in place but the user may have no way to easily verify
or audit the backups that the cloud provider is making. Audit is an
Cloud computing has become one of the dominant IT paradigms important concern because it is a means through which the cus-
of the current age: fulfilling the need of users for dynamic, high- tomer can attest to the way in which their technology resources
capacity computing capabilities in diverse applications such as are being handled. Our discussion of security auditing will focus on
business intelligence and data archiving while essentially creat- customer and third-party auditing of cloud provider security con-
ing business value for cloud providers out of (what was at least trols and methods – not on the more general issues of cloud security
initially) surplus computing resources. With all emerging technolo- or technology auditing.
gies, however, the longevity of the paradigm will be determined by In this paper, we will attempt to look at the general subject
the way in which certain challenges are met. of cloud security auditing with the aim of providing answers to
One of those chief challenges for cloud computing, and one the following critical questions: (1) what are the specific auditing
which has made many organizations hesitant to adopt cloud solu- concerns which must be addressed to ensure broader adoption of
tions is security. The European Network and Information Security cloud computing technologies, (2) what is the current state of cloud
Agency (ENISA, 2009) surveyed concerns regarding cloud comput- audit in current offerings and (3) how many of the lingering audit
ing security and among the top ten risks, two of them (loss of issues could be resolved using existing research approaches and
governance and compliance risks) were traced to the same vul- how many demand still further work. In order to do that, we will
nerability: namely, that audit is not available to customers. Within examine user requirements for cloud auditing security along with
the context of cloud computing, therefore, the term security audit- some of the existing research solutions to get an idea of what could
ing actually entails two separate issues: the first is having the cloud realistically be integrated in cloud auditing security in the near
provider take appropriate means to ensure that data or infrastruc- future (as opposed to more unresolved issues that will require more
ture is secure (the ‘security’); the second is making it possible for long-term solutions). These two will be contrasted against what
the customer to verify that those security controls are indeed in cloud service providers are currently offering (i.e. vendor solutions
place and working as promised (the ‘auditing’). It is possible that a for cloud security auditing).
Cloud Service Provider (CSP) could have the first without the sec- In our analysis, we will look at audit issues which could poten-
ond (security with no auditing). For example: a cloud provider that tially arise in all of the various cloud offerings: Software as a
attempts to ensure data integrity through the use of backups. The Service, Platform as a Service, Storage as a Service and Infrastruc-
ture as a Service. We will subdivide these concerns, however, into
infrastructure security auditing and data security auditing. Infra-
∗ Tel.: +966 536895637. structure security is important to all of the different cloud service
E-mail address: [email protected] layers: a customer developing an application on a CSP provided
Please cite this article in press as: Rasheed, H. Data and infrastructure security auditing in cloud computing environments. International Journal
of Information Management (2013), http://dx.doi.org/10.1016/j.ijinfomgt.2013.11.002
ARTICLE IN PRESS
G Model
JJIM-1286; No. of Pages 5
development stack, for instance, may have the same concerns about Despite these changes, however, there remain aspects of the
how virtual machine images and snapshots are stored as a customer standard which may be difficult for cloud customers to meet. In
who is using complete virtual servers. discussing an architecture for security in public cloud offerings,
Data security issues, however, will be most critical for those the authors in Prafullchandra et al. (2011) outline risk factors
users above the infrastructure level: users relying on cloud for each of the core PCI DSS provisions. These risk factors have
databases, software development platforms, or complete applica- been discussed in detail in Rasheed (2011), but we will summa-
tions. If a cloud customer has their own virtual cloud infrastructure rize the most significant of them into seven categories: virtualized
then in most cases they will have the ability to implement their own network devices requiring greater documentation to demonstrate
systems to ensure data auditability because they have complete effective network separation, automatically provisioned systems
virtualized servers and direct access to install or setup whatever using default settings (risks from two core areas fall into this cat-
applications they desire. It is when the user does not have that level egory), exposure of volatile memory when it is written to disk,
of access – and consequently much of what happens to their data disclosure of private data on public networks, managing vulner-
is transparent – that their is more planning necessary to maintain ability patching on dynamic virtual systems, hypervisor-resident
auditability. access control methods (risks from three different core areas fall
into this category) and maintaining audit traces for all machine
2. User requirements for cloud security auditing activity.
Of these concerns some are easier to resolve than others. We
We divide the broad scope of user security needs with respect to will divide these concerns into three types based on the difficulty of
cloud computing auditing into two sub-areas: infrastructure secu- resolution: easy, moderate and difficult. The first one, for instance,
rity and data auditing. The infrastructure auditing concerns deal requiring greater documentation for effective network separation
with the systems that are used to process data and the security would merely require the cooperation of the cloud service provider
controls that are in place to protect those systems. These concerns (CSP) in allowing access to some of their network architecture
are distinguished by being agnostic to the actual nature of the busi- diagrams. And because there are CSPs beginning to this such as
ness or work being performed and merely ensuring that a secure Amazon (as will be discussed in detail in an upcoming section),
environment is available for business to be conducted. Data audit- there is a relatively simple resolution to this risk. The second risk
ing concerns have to do with the preservation of the data itself: its regarding automatic system provisioning is also easy to resolve:
confidentiality, integrity and availability. The data is distinguished the cloud customer merely needs to use the services of a provider
by being the information that is stored and processed on the infra- which allows customers to import their own customized images
structure systems mentioned previously and is inherently tied to to create virtual machines, rather than using base images provided
the nature of the business itself. by the CSP. The risk of volatile memory being written to the disk is
actually not specific to virtual machines (although it is more preva-
2.1. Infrastructure auditing needs lent): many modern operating systems have the capability for a
user to suspend the session, writing volatile memory to disk and
Because overall security in the IT industry is frequently driven powering off the machine. The risk is higher with virtualization,
by best practice standards, user concerns for cloud infrastructure however, because a single server may be responsible for manag-
security also seem to be driven by those standards. Two of the most ing snapshots of many virtual machines. The resolution difficulty
widely used and important standards for enterprise infrastructure for this risk is therefore moderate because the managing hyper-
security are International Standards Organization security standard visor will need to be one that supports granular access control
(ISO 27001) International Organization for Standardization (ISO) for virtual machines and encrypts backups. The risk of disclosing
(n.d.) and Payment Card Industry Data Security Standard (PCI DSS) private data is also easy to resolve, because the card processor
PCI Standards Security Council (2010). can simply ensure that all data transmitted over the network is
encrypted. There may be some need to determine what constitutes
2.1.1. Payment card industry data security standard a ‘public network’ if there are multiple virtual machines running
PCI DSS (PCI Standards Security Council, 2010) is a frequently on a public cloud host, but in the worst case the processor can
used security standard in IT because achieving certification is a pre- satisfy the requirement by encrypting traffic even between peer
requisite to being able to handle customer credit card information. servers.
The standard consists of 11 core requirements in six main areas: Managing vulnerability patching could be handled easily if the
building and maintaining a secure network, protecting cardholder individual machines are responsible for pulling their own updates
data, maintaining a vulnerability management program, imple- using the service provided by a specific operating system (e.g.
menting strong access control measures, regularly monitoring and Windows Update, Red Hat Network, etc.). If, however, the cloud
testing networks and maintaining an information security policy. customer will need to update multiple software packages and
Organizations wishing to gain certification against the require- thus wants to push updates and patches to their virtual machines
ments of this standard must get an assessment from a security this will depend upon the configuration options they have with
specialist approved by PCI DSS. their service provider. Depending on the CSP this could be a dif-
Because of the ambiguity of previous versions of PCI DSS ficult risk to resolve optimally. There are, however, CSPs such
regarding virtualization and multi-tenancy, version 2.0 (PCI as IBM (IBM, n.d.) that do offer private patch servers. The risk
Standards Security Council, 2010), was changed to clarify these regarding hypervisor-resident access control is of moderate diffi-
issues. In particular, the 2.0 standard establishes that virtual com- culty to resolve: the customer will need to ensure that the CSP they
ponents are also included under the heading of system components are using has an access control system in place whereby access priv-
to which the standard applies. It also changed the previous require- ileges are limited by job function and that access to the hypervisor
ment that each server implement only one primary function, so that and virtual machines are governed by that access control system.
it now allows for a single hardware server to host multiple virtual Lastly, the security risk for data logging is also of moderate difficulty
machines with different functions as long as each of the virtual to resolve: the cloud customer must ensure that the hypervisor run-
machines has only one primary function. This is a critical change to ning their virtual machines has logging capability, that it is enabled
allow merchants to become PCI certified using multi-tenant cloud and that those logs could be obtained if needed for certification
offerings. purposes.
Please cite this article in press as: Rasheed, H. Data and infrastructure security auditing in cloud computing environments. International Journal
of Information Management (2013), http://dx.doi.org/10.1016/j.ijinfomgt.2013.11.002
ARTICLE IN PRESS
G Model
JJIM-1286; No. of Pages 5
2.2. Data auditing needs et al. (2010), Wang, Chow, Wang, Ren and Lou (2011) and Wang,
Wang, Ren, Lou and Li (2011), the authors develop an approach for
We will focus on four essential data challenges that fall under the privacy-preserving third party data integrity checking that relies on
topic of data security auditing: data integrity, data confidentiality, a challenge protocol to verify pre-calculated cryptographic hashes
data lineage, data provenance and data remnance. Data integrity of file segments; the proposed scheme also supports batch data
means the “the preservation of data from unauthorized changes” auditing. Zhu et al. (2011) proposes a similar integrity checking
(Mather, Kumaraswamy & Latif, 2009) and this must be ensured for mechanism but assumes the Third Party Auditor (TPA) as a trustable
both data residing in a storage medium or being transferred over delegate of the original data owner and thus does not provide con-
the network. Data confidentiality is the need for users to “preserve trols for preventing the original data contents from being disclosed
data from unauthorized disclosure” (Mather et al., 2009): this prop- to the TPA.
erty must also be achieved for data resident in a storage medium
and being transferred over a network. 3.2. Data remnance
Traditionally, in much of the data processing literature data
lineage has been used interchangeably with provenance. Bose Data remnance in the cloud has received very little attention
and Frew (2005), for example defines lineage as “the origins and compared to the other user security concerns. There has been some
processing history,” of objects and processes. Within the specific work on proofs of secure erasure with mobile embedded devices
area of cloud computing, however, lineage has also taken on the (Karvelas, 2013; Perito & Tsudik, 2010). Many of assumptions used
additional meaning of referring to the ability to track exactly where by such proofs, however – such as assuming that the storage device
the data was located at any given time and being able to follow the has fixed memory of known size – do not hold for the cloud scenario
path of data (Mather et al., 2009). This is of special concern in cloud and thus there is still much work required on data remnance. In lieu
computing architectures because such systems may dynamically of such approaches, therefore, the assumption of the cloud provider
move virtualized systems and data for performance and scalabil- as an untrusted agent is even more significant: if erasure cannot be
ity reasons and some of the data may have compliance regulations proven and the client has no access to the storage medium then it
stating in which geographic areas the data can be stored. becomes even more important that the data which is given to the
Data provenance is defined in Mather et al. (2009) as the abil- CSP is in encrypted form to begin with.
ity to demonstrate that the data is computationally accurate and
was correctly calculated based on a certain delineated method. In 3.3. Data lineage and provenance
Simmhan, Plale and Gannon (2005) it is defined as “. . .information
that helps determine the derivation history of a data product, start- In Simmhan et al. (2005) the authors present a survey of data
ing from its original sources,” which includes both preceding data provenance techniques and systems along with a taxonomy of
elements used in the derivation as well as the derivation process. provenance approaches based on four main aspects: the subject
This issue is more complex than integrity because it also encom- of the provenance data (i.e. data or process), the representation
passes ensuring and verifying that changes made in an authorized of the data, its storage and dissemination. The majority of the sys-
manner are fundamentally correct. tems surveyed were systems for distributed processing of scientific
Data remnance is the possibility that some residual portions of data. Only one – Provenance Aware Service-oriented Architecture
data may remain after it was erased or removed (Mather et al., (PASOA) (Groth, Luck & Moreau, 2005) – proposes an open pro-
2009). The risk is that such remnants could be inadvertently tocol for data provenance that could potentially be leveraged for
exposed to a unauthorized third party. It is therefore a confiden- provenance infrastructures in the cloud computing domain. Among
tiality issue, but focused on retaining the confidentiality of data other capabilities, the system supports collecting data on the inputs
which was intended to be removed. and outputs of service invocation which must be agreed upon by
both the client and the service provider. All provenance messages
are assigned a unique ID which can be used to construct a process
3. Techniques for data security
oriented provenance trace of the original workflow.
In Bose and Frew (2005) a survey of data lineage/provenance
In the previous section, we provided an overview of the impor-
approaches is presented, in which techniques are classified based
tant issues in data auditing which may be of concern for cloud
on how changes are introduced into the data: command line base
service users. In this section we provide a brief overview of some
data processing, script and program-based data processing, work-
of the recent techniques proposed in those same areas of data
flow system based data processing, query-based data processing
auditing. Special attention will be given to approaches specifically
and service-based data processing. However, the issue of tracking
proposed for use in cloud environments or which could be easily
the physical location where data was processed was not discussed
adapted to cloud environments.
in the surveyed approaches and thus this aspect of data lineage has
yet to be addressed with approaches compatible with the cloud
3.1. Data confidentiality and integrity computing environment. However, judging by the breadth of the
available approaches for general data provenance, extension to also
Cryptography is a tool frequently used to ensure data confi- collect data about the physical location of the processing server
dentiality, privacy and integrity. In di Vimercati, Foresti, Jajodia, should be a straight-forward modification.
Paraboschi and Samarati (2007) the authors design an access con-
trol system for use in outsourced data storage (such as storage as 4. Provider security capabilities
a service offerings) that relies on issuing cryptographically derived
access tokens to users. A number of approaches also propose tech- 4.1. Security and compliance at leading cloud providers
niques for querying and searching data that resides encrypted on
the cloud server (Cao, Wang, Li, Ren & Lou, 2011; Li et al., 2010; In determining the spectrum of CSP security offerings, we looked
Wang, Cao, Li, Ren & Lou, 2010). at the top ten public cloud storage providers based on a recent
There has also been some recent work on applying the concepts survey by Gartner (Ruth & Chandrasekaran, 2012): Amazon Web
of remote data integrity checking to enable a storage customer to Services, AT&T, Google, HP, IBM, Internap, Microsoft, Nirvanix,
verify the integrity of their data stored in a public cloud. In Wang Rackspace and Softlayer. Of these, all also had Infrastructure as a
Please cite this article in press as: Rasheed, H. Data and infrastructure security auditing in cloud computing environments. International Journal
of Information Management (2013), http://dx.doi.org/10.1016/j.ijinfomgt.2013.11.002
ARTICLE IN PRESS
G Model
JJIM-1286; No. of Pages 5
Service offerings except for Microsoft (who only supports IaaS ser- 4.1.2. Data security
vices by providing software to its resellers) and Google whose IaaS CSP support for auditing data security is currently very limited.
is still in beta testing at the time of writing. In fact, the only CSP supporting real-time auditing of any sort
appears to be Amazon with its CloudWatch API (Amazon Web
Services, n.d.) and, as discussed previously in detail (Park, Spetka,
4.1.1. Infrastructure security Rasheed, Ratazzi & Han, 2012; Rasheed, 2011), this API only really
All of the companies we surveyed provided detailed informa- supports auditing performance statistics for various AWS offerings.
tion about their security controls and processes as well as the CloudAudit (Hoff, Johnston, Reese & Sapiro, 2010), an industry-wide
compliance certifications they have received such as PCI DSS, ISO effort to standardize on a way to present security compliance doc-
27001 and Safe Harbor. All of the companies also provide additional umentation seems to have made no further progress after an RFC
security services for their clients as add-ons to the basic service. (request for comments) submitted to the IETF in 2010. Furthermore,
For a few of the larger tech companies in the list (HP, IBM) this even basic support for data security in software, platform and stor-
includes custom-developed security platforms that are made avail- age level cloud offerings is also very limited. The lone exception
able to customers. For example, HP provides a technical white paper appears to be Amazon’s support for encryption of data through
(HP, n.d.) which gives an overview of its TippingPoint IPS technol- a Java API for its S3 storage-as-a-service offering. This partially
ogy which is primarily responsible for the security of its servers, resolves some confidentiality issues, but only in the case where
network hardware and data centers. In the paper they also dis- the data is not regularly updated.
cuss a CloudArmour solution which is a user-configurable IPS and
firewall for VMs running in their enterprise level cloud offering.
Other providers such as Amazon, AT&T, Rackspace and Internap 5. Related work
just provide add-on services such as managed firewalls, intrusion
detection/prevention or identity and access management as modu- In Zhou, Zhang, Xie, Qian and Zhou (2010), the authors dis-
lar, independent security services. Yet another model for providing cuss the cloud security issues of availability, confidentiality, data
additional security services was the use of specialized partners integrity, control and audit in addition to privacy issues. There is a
to provide third-party security as a service. Softlayer, for exam- significant discussion of how various CSPs are meeting the security
ple offers customers a free “PCI Compliance” account with McAfee challenges of the various areas, especially for the areas of avail-
Secure (a service that provides website monitoring and security ability, confidentiality, data integrity and control. The discussion of
certification). auditing challenges is more general. The authors advocate for audit-
Only one company (Amazon) supplemented the discussion of ing to take place in a software layer within the virtual operating
their own security certifications with detailed information about system and that such a system should provide minimal-overhead
how their customers could achieve standards compliance using monitoring of events and logs.
their public cloud offering. Like most other CSPs, they offer a page In Subashini and Kavitha (2011), a survey is presented of security
describing their security controls and certification; but they go fur- issues arising in service oriented architectures (and consequently
ther in detailing frequently asked questions by their customers cloud computing platforms because of their reliance on service ori-
regarding PCI DSS and ISO 27001 (Amazon Web Services, n.d.-a, entation). The authors divide security issues based on the cloud
n.d.-b). They also offer to provide customers with a set of docu- service level at which they occur: Software as a Service, Platform
ments to assist them in obtaining their own certification which as a Service and Infrastructure as a Service. In total fourteen broad
includes: the attestation of PCI compliance for AWS, high-level security issues are outlined for Software as a Service cloud offerings
documentation such as the description of the in-scope environ- including: data security, network security, data integrity and data
ment and more detailed documentation such as a detailed matrix segregation. The concerns listed for Platform as a Service and Infra-
of PCI DSS controls describing who is responsible for each indi- structure as a Service are more general, however, and no specific
vidual control. They provide a general rule regarding the balance issues are detailed. Data auditing is not listed as one of the secu-
between the security responsibilities of CSP and customers say- rity concerns at any service level and there is only a brief mention
ing, “for the portion of the PCI cardholder environment deployed how current cloud offerings address the security issues which are
in AWS, your QSA (Qualified Security Assessor) can rely on our raised.
validated service provider status, but you will still be required to In Chow et al. (2009) the authors provide an overview of the
satisfy all other PCI compliance and testing requirements, includ- security issues in the area of cloud computing by dividing them
ing how you manage the cardholder environment that you host into three categories: traditional security issues that are also prob-
with AWS” Amazon Web Services (b). AWS also asserts that sev- lematic in cloud computing, availability issues and issues arising
eral customers have achieved PCI DSS certification, although it from third party data control. Among the six data control issues
is not clear which parts of their infrastructure were hosted on listed is the difficulty of performing audits. They also outline two
AWS. research directions which could be used to alleviate some of the
Also AWS offers some guidance regarding the ISO 27001 data control issues and provide various types of auditability. The
standard. However, perhaps because the requirements for that first is the notion of a trusted monitor residing on the cloud server
standard are more high-level, no compliance pack is made which can audit the servers actions and provide verifiable proofs
available which details where the responsibility for certain con- of compliance to the data owner. The second is for data to be self-
trols lie. To illustrate this point, for example, PCI DSS requires describing, self-protecting and capable of creating a secure virtual
things such as the following: building and maintaining a secure environment for data access consistent with an embedded usage
network, protecting cardholder data, implement strong secu- policy.
rity measures and regular testing and monitoring of networks The authors in Chen, Paxson and Katz (2010) perform a gen-
(PCI Standards Security Council, 2010). ISO 27001, on the other eral analysis of cloud computing security issues, arguing that most
hand, requires systematically evaluating information security risks, of the security issues related to cloud computing were first con-
implementing information security controls and risk manage- fronted in the main-frame time-sharing computing era but that
ment and adopting an overarching management process for multi-party trust and the need for mutual auditability are secu-
security controls (International Organization for Standardization rity issues unique to the current formulation of cloud computing.
(ISO)). The research presented by Kaufman (2009) examines some of the
Please cite this article in press as: Rasheed, H. Data and infrastructure security auditing in cloud computing environments. International Journal
of Information Management (2013), http://dx.doi.org/10.1016/j.ijinfomgt.2013.11.002
ARTICLE IN PRESS
G Model
JJIM-1286; No. of Pages 5
legal and regulatory issues over whether the customer or the cloud Groth, P., Luck, M., & Moreau, L. (2005). A protocol for recording provenance in
service provider is responsible for maintaining data security for service-oriented grids. In Principles of distributed systems: 8th International con-
ference, OPODIS 2004, 15–17 December, Grenoble, France (pp. 124–129). Berlin,
information stored in the cloud. In Jansen and Grance (2011) the Heidelberg: Springer.
authors survey the security and privacy issues related to cloud com- Hoff, C., Johnston, S., Reese, G., & Sapiro, B. (2010). Cloudaudit 1.0 – automated audit,
puting and provides some guidelines for organizations considering assertion, assessment, and assurance api (a6) (Internet-draft). Fremont, CA, USA:
IETF Network Working Group.
utilizing cloud service offerings. HP. (n.d.). HP cloudsystem: Integrating security with hp tipping point (techni-
cal white paper). Palo Alto, CA, USA: Author. Retrieved February 2013, from:
6. Conclusion http://h20195.www2.hp.com/V2/GetPDF.aspx/4AA4-4247ENW.pdf
IBM. (n.d.). IBM infrastructure as a service (IaaS): Details: Security. Armonk,
NY, USA: Author. Retrieved February 2013 from: http://www-935.ibm.com/
Despite its significant growth, there are still some obstacles services/us/en/cloud-enterprise/tab-details-security.html
to the more widespread adoption of cloud computing services. International Organization for Standardization (ISO). (n.d.). International organiza-
tion for standardization. Retrieved June 2011, from: http://www.iso.org/
For many companies the most significant concern is security
Jansen, W., & Grance, T. (2011). Guidelines on security and privacy in
and specifically the lack of auditability. We have examined cloud public cloud computing: Special Report 800-144. Gaithersburg, MD:
computing auditing from three perspectives: user auditing require- National Institutes of Standards and Technology (NIST). Retrieved from:
http://www.nist.gov/manuscript-publication-search.cfm?pub id=909494
ments, technical approaches for security auditing and current cloud
Karvelas, N. P. (2013). Proofs of secure erasure. Athens, Greece: Masters thesis, Uni-
service provider capabilities for meeting audit requirements. User versity of Athens.
auditing requirements were further divided into infrastructure Kaufman, L. M. (2009). Data security in the world of cloud computing. IEEE Security
security auditing and data security auditing. Many of the infra- and Privacy, 7, 61–64.
Li, J., Wang, Q., Wang, C., Cao, N., Ren, K., & Lou, W. (2010). Fuzzy keyword search over
structure auditing requirements are driven by the need to achieve encrypted data in cloud computing. In Proceedings IEEE INFOCOM, 2010, 14–19
compliance with an IT security standard. For that reason we profiled March 2010 (pp. 1–5). San Diego, CA, USA: IEEE.
the infrastructure auditing requirements of the PCI DSS standard Mather, T., Kumaraswamy, S., & Latif, S. (2009). Cloud security and privacy: An enter-
prise perspective on risks and compliance. O’Reilly Media, Inc.
version 2.0 (PCI Standards Security Council, 2010). While most of Park, J. S., Spetka, E., Rasheed, H., Ratazzi, P., & Han, K. J. (2012). Near-real-time
the risks are easy to overcome with the co-operation of the CSP a cloud auditing for rapid response. In Advanced information networking and appli-
few such as patch management may present challenges depending cations workshops (WAINA), 26th international conference on 26–29 March 2012
(pp. 1252–1257). Fukuoka, Japan: IEEE.
on user requirements and provider infrastructure and configura- PCI Security Standards Council. (2010). Payment card industry (pci)
tion. Data auditing issues included confidentiality, integrity, data data security standard – requirements and security assessment pro-
remnance, data provenance and data lineage. There are a num- cedures version 2. 0. Wakefield, MA, USA: Author. Retrieved from:
https://www.pcisecuritystandards.org/documents/pci dss v2.pdf
ber of applicable approaches in each of these areas which could
Perito, D., & Tsudik, G. (2010). Secure code update for embedded devices via proofs
serve the data auditing needs of cloud service users with the of secure erasure. In D. Gritzalis, B. Preneel, & M. Theoharidou (Eds.), ESORICS
exception of data remnance which appears to be an open issue 2010 proceedings of the 15th European conference on research in computer security
2010, Athens, Greece (pp. 643–662). Berlin, Heidelberg: Springer.
within public cloud offerings. While most of the leading cloud
Prafullchandra, H., Owens, K., Richter, C., McAndrew, T., Overbeek, D., Chaubal,
providers have begun to provide significant detail about their own C., et al. (2011). PCI-compliant cloud reference architecture. HyTrust,
internal infrastructure security and compliance, only one carefully Savvis, Coalfire Systems. VMWare and Cisco Systems. Retrieved from:
addressed questions regarding how users of public cloud offerings http://www.hytrust.com/downloads/ht wp pcidss ref arch.pdf
Rasheed, H. (2011). Auditing for standards compliance in the cloud: Challenges and
could also achieve standards compliance. Unfortunately, among directions. In Proceedings of the 2011 international Arab conference on information
the cloud providers surveyed we did not find any with solutions technology (ACIT 2011), 10–13 December. Riyadh, Saudi Arabia: ACIT.
for user data security auditing. However, because the cloud ser- Ruth, G., & Chandrasekaran, A. (2012). Critical capabilities for public cloud storage
services. Stamford, CT: Gartner, Inc. Retrieved from: http://www.gartner.com/
vices market is driven and shaped by customer demands, if such technology/reprints.do?id=1-1D9C6ZM&ct=121216&st=sg
auditing features become a critical service differentiator for a suf- Simmhan, Y. L., Plale, B., & Gannon, D. (2005). A survey of data provenance in e-
ficient number of customers then CSPs will likely begin to offer science. SIGMOD Record, 34(3), 31–36.
Subashini, S., & Kavitha, V. (2011). A survey on security issues in service delivery
them. models of cloud computing. Journal of Network and Computer Applications, 34(1),
1–11.
References The European Network and Information Security Agency (ENISA). (2009).
Cloud computing: Benefits, risks and recommendations for information secu-
rity. Heraklion, Greece: Author. Retrieved from: http://www.enisa.europa.
Amazon Web Services. (n.d.-a). Amazon CloudWatch. Retrieved February 2013,
eu/act/rm/files/deliverables/cloud-computing-risk-assessment/at download/
from: http://aws.amazon.com/cloudwatch/
fullReport
Amazon Web Services. (n.d.-b). ISO 27001 Certification. Retrieved February 2013,
Wang, C., Cao, N., Li, J., Ren, K., & Lou, W. (2010). Secure ranked keyword search over
from: https://aws.amazon.com/security/iso-27001-certification-faqs/
encrypted cloud data. In Distributed computing systems (ICDCS), 2010 IEEE 30th
Amazon Web Services. (n.d.-c). PCI DSS Level 1 Compliance. Retrieved
international conference on June 2010 (pp. 253–262). IEEE.
February 2013, from: https://aws.amazon.com/security/pci-dss-level-1-
Wang, C., Chow, S. S., Wang, Q., Ren, K., & Lou, W. (2011). Privacy-preserving public
compliance-faqs/
auditing for secure cloud storage. IEEE Transactions on Computers.
Bose, R., & Frew, J. (2005). Lineage retrieval for scientific data processing: A survey.
Wang, Q., Wang, C., Ren, K., Lou, W., & Li, J. (2011). Enabling public verifiability
ACM Computing Surveys, 37(1), 1–28.
and data dynamics for storage security in cloud computing. IEEE Transactions on
Cao, N., Wang, C., Li, M., Ren, K., & Lou, W. (2011). Privacy-preserving
Parallel and Distributed Systems, 22(5), 847–859.
multi-keyword ranked search over encrypted cloud data. In Proceedings
Zhou, M., Zhang, R., Xie, W., Qian, W., & Zhou, A. (2010). Security and privacy in
IEEE INFOCOM 2011, 10–15 April 2011 (pp. 829–837). Shanghai, China:
cloud computing: A survey. In Semantics knowledge and grid (SKG), 2010 sixth
IEEE.
international conference on 1–3 November 2010 (pp. 105–112). Beijing, China:
Chen, Y., Paxson, V., & Katz, R. H. (2010). Whats new about cloud computing
IEEE.
security? Technical Report UCBEECS-2010-5. Berkeley, CA, USA: Depart-
Zhu, Y., Wang, H., Hu, Z., Ahn, G. J., Hu, H., Stephen, S., et al. (2011). Dynamic audit
ment of Electrical Engineering and Computer Sciences, University of
services for integrity verification of outsourced storages in clouds. In Proceedings
California at Berkeley. Retrieved from: http://www.eecs.berkeley.edu/Pubs/
of the 2011 ACM symposium on applied computing, SAC’11 (pp. 1550–1557). New
TechRpts/2010/EECS-2010-5.html
York, NY, USA: ACM.
Chow, R., Golle, P., Jakobsson, M., Shi, E., Staddon, J., Masuoka, R., et al. (2009). Con-
trolling data in the cloud: outsourcing computation without outsourcing control. Hassan Rasheed, received his Ph.D. in Computer Engineering from the University
In Proceedings of the 2009 ACM workshop on cloud computing security (pp. 85–90). of Florida in 2009. He is currently an Assistant Professor at Taif University in Taif,
Chicago, IL: ACM. Saudi Arabia. His previous academic and industrial affiliations include the Air Force
di Vimercati, S. D. C., Foresti, S., Jajodia, S., Paraboschi, S., & Samarati, P. (2007). Research Lab, Morgan State University and the University of Florida. His research
A data outsourcing architecture combining cryptography and access control. interests include information and network security, business intelligence and text
In Proceedings of the 2007 ACM workshop on computer security architecture (pp. analytics.
63–69). Fairfax, VA, USA: ACM.
Please cite this article in press as: Rasheed, H. Data and infrastructure security auditing in cloud computing environments. International Journal
of Information Management (2013), http://dx.doi.org/10.1016/j.ijinfomgt.2013.11.002