Computing Reviews
Cloud security auditing
Majumdar S., Madi T., Wang Y., Tabiban A., Oqaily M., Alimohammadifar A., Jarraya Y., Pourzandi M., Wang L., Debbabi M., Springer International Publishing, New York, NY, 2019. 166 pp. Type: Book (978-3-030231-27-9)
Date Reviewed: Jan 28 2020

Information technology (IT) systems auditing is important for good corporate governance, and essential where there is a need to formally demonstrate compliance with legislation and regulatory requirements. Information security management standards such as ISO 27001 and the Payment Card Industry Data Security Standard (PCI DSS), as well as the legislated requirements of various countries such as the US Health Insurance Portability and Accountability Act (HIPAA), all require regular systems compliance audits.

Many companies now leverage cloud services for major business IT systems. Along with advantages, however, comes the risk of losing control and governance due to an inherent lack of transparency and trust in cloud services and a higher risk of misconfigurations arising from significantly increased system complexity.

Whereas auditing physical in-house systems is a relatively straightforward process, cloud-based systems delivering high efficiencies through elastic infrastructure resourcing, self-provisioning, and virtualization on shared infrastructure present significant challenges to historical methods of auditing. Part of Springer’s “Advances in Information Security” series, this book discusses cloud security auditing solutions that can provide assurance of compliance with applicable laws, regulations, policies, and standards.

The authors begin by explaining the types of cloud components that businesses are using to improve IT system efficiency, the reasons that cloud security auditing is necessary, the phases of the audit process, and the “complications” that the use of cloud components presents for traditional approaches to auditing.

Chapter 2 is a comprehensive review of contemporary literature on cloud security auditing, categorized into three classes: retroactive, intercept-and-check, and proactive auditing approaches, along with a comparative study of all three. Chapter 3 discusses an approach that allows automatic auditing of cloud infrastructure from a structural perspective, covering the security between multiple cloud layers. The approach is then evaluated on OpenStack, an open-source cloud management platform, and the results are discussed.

Chapter 4 describes an offline framework for auditing consistent isolation between virtual networks in multi-tenant clouds, covering both layer 2 and overlay cloud layers. The approach is then modeled, assessed, and discussed using an OpenStack-managed cloud. The next chapter covers runtime security auditing of user-level access control and authentication mechanisms such as role-based access control (RBAC) and attribute-based access control (ABAC). Again, the proposed framework is implemented and assessed for efficiency and scalability using OpenStack.

Chapter 6 looks at a learning-based proactive auditing approach. The authors describe a standalone log processor that analyzes runtime events to build a probabilistic dependency model. The model can then be used to proactively audit and prevent security violations. Chapter 7 continues this theme to detail the design and implementation of a software addition to OpenStack for proactively enforcing security policies by intercepting and verifying the validity of user requests at runtime.

Finally, a short conclusion chapter succinctly describes the three approaches to cloud audit that are discussed in the book, including useful references back to the relevant chapters and the limitations of each. There is a thorough list of references but no index, although the table of contents is quite detailed.

The book provides a comprehensive review of the security issues associated with the flexible, shared, and virtualized IT infrastructure that is cloud computing, as well as the implications of these issues for security auditing. The book will be of interest to security practitioners, auditors, cloud providers, and systems administrators; general management personnel would benefit from the introduction and conclusion chapters. It’s an excellent and sobering eye-opener into the potential security risks when IT cloud services are rashly used.

Reviewer: David B. Henderson. Review #: CR146858 (2006-0119)
Categories: Security and Protection (D.4.6); Access Controls (D.4.6 ...); Authentication (D.4.6 ...); Cloud Computing (C.2.4 ...); Organization And Design (D.4.7)