Auditing Cloud Computing: A Security and Privacy Guide

Companies are increasingly looking to Cloud Computing to improve operational efficiency, reduce head counts, and help with the bottom line. But security and privacy concerns present a strong barrier to entry. In an age when the consequences and potential costs of mistakes could quickly become catastrophic for companies that handle confidential and private customer data, auditors and IT security professionals must develop better ways of evaluating the security and privacy practices of Cloud services. Auditing Cloud Computing presents a collection of white papers written by renowned thought leaders in the field of auditing Cloud Computing to show you how to audit your company's hosted services.

Providing a holistic view of this elastic, on-demand service, Auditing Cloud Computing is your one-stop reference to Cloud Computing and the many questions that may arise during preparation of an audit program or throughout the course of an audit or assessment. Edited by renowned information security researcher and practitioner Ben Halpert, this volume gathers a team of prominent Cloud experts who have labored to provide insight into many aspects that you and your organization will encounter during your foray into the Cloud.

Written for Cloud consumers, providers, and integrators, Auditing Cloud Computing explores:

  • The history, relevant definitions, deployment models, and challenges of Cloud computing
  • What you can expect when creating audit programs for Cloud environments
  • How the industry efforts of CSA, NIST, ISACA, and ENISA have influenced security and compliance programs
  • Implementing, extending, and maintaining a governance program for Cloud activities
  • How to leverage existing lifecycle controls
  • Cross-cloud deployments
  • Cloud-based IT delivery and support
  • How "radical simplification" and "securely shared" concepts apply to all Cloud deployment models, even private Clouds
  • Architecture considerations for Cloud service delivery and support
  • The Cloud security continuum
  • Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP)
  • Regulations along with Cloud-specific considerations
  • Shaping the future of Cloud Computing security and audit

Learn how to conduct a proper audit to ensure the security and privacy of your company's data in the Cloud with the necessary guidance found in Auditing Cloud Computing.


Editorial Reviews

From the Publisher
"To summarize, the book is a good review of the current situation in the field. Every CISO and CIO should be aware of the developments in the cloud regardless of the intention of actually implementing its use." (April 2012)

Product Details

  • ISBN-13: 9780470874745
  • Publisher: Wiley
  • Publication date: 8/9/2011
  • Series: Wiley Corporate F&A Series, #21
  • Edition number: 1
  • Pages: 206
  • Product dimensions: 6.30 (w) x 9.20 (h) x 1.00 (d)

Meet the Author

BEN HALPERT, CISSP, is an information security researcher and practitioner. He has keynoted and presented sessions at numerous conferences and was a contributing author to Readings and Cases in the Management of Information Security and the Encyclopedia of Information Ethics and Security. Halpert writes a monthly security column for Mobile Enterprise magazine as well as an IT blog. He is also an adjunct instructor and on the advisory board of numerous colleges and universities.


Table of Contents

Preface xiii

Chapter 1: Introduction to Cloud Computing 1

History 1

Defining Cloud Computing 2

Elasticity 2

Multitenancy 3

Economics 3

Abstraction 3

Cloud Computing Services Layers 4

Infrastructure as a Service 5

Platform as a Service 5

Software as a Service 6

Roles in Cloud Computing 6

Consumer 6

Provider 6

Integrator 7

Cloud Computing Deployment Models 8

Private 8

Community 8

Public 9

Hybrid 9

Challenges 9

Availability 10

Data Residency 10

Multitenancy 11

Performance 11

Data Evacuation 12

Supervisory Access 12

In Summary 13

Chapter 2: Cloud-Based IT Audit Process 15

The Audit Process 16

Control Frameworks for the Cloud 18

ENISA Cloud Risk Assessment 20

FedRAMP 20

Entities Using COBIT 21

CSA Guidance 21

CloudAudit/A6—The Automated Audit, Assertion, Assessment, and Assurance API 22

Recommended Controls 22

Risk Management and Risk Assessment 26

Risk Management 27

Risk Assessment 27

Legal 28

In Summary 29

Chapter 3: Cloud-Based IT Governance 33

Governance in the Cloud 36

Understanding the Cloud 36

Security Issues in the Cloud 37

Abuse and Nefarious Use of Cloud Computing 38

Insecure Application Programming Interfaces 39

Malicious Insiders 39

Shared Technology Vulnerabilities 39

Data Loss/Leakage 40

Account, Service, and Traffic Hijacking 40

Unknown Risk Profile 40

Other Security Issues in the Cloud 41

Governance 41

IT Governance in the Cloud 44

Managing Service Agreements 44

Implementing and Maintaining Governance for Cloud Computing 46

Implementing Governance as a New Concept 46

Preliminary Tasks 46

Adopt a Governance Implementation Methodology 48

Extending IT Governance to the Cloud 49

In Summary 52

Chapter 4: System and Infrastructure Lifecycle Management for the Cloud 57

Every Decision Involves Making a Tradeoff 57

Example: Business Continuity/Disaster Recovery 59

What about Policy and Process Collisions? 60

The System and Management Lifecycle Onion 61

Mapping Control Methodologies onto the Cloud 62

Information Technology Infrastructure Library 63

Control Objectives for Information and Related Technology 64

National Institute of Standards and Technology 65

Cloud Security Alliance 66

Verifying Your Lifecycle Management 67

Always Start with Compliance Governance 67

Verification Method 68

Illustrative Example 70

Risk Tolerance 72

Special Considerations for Cross-Cloud Deployments 73

The Cloud Provider’s Perspective 74

Questions That Matter 75

In Summary 76

Chapter 5: Cloud-Based IT Service Delivery and Support 79

Beyond Mere Migration 80

Architected to Share, Securely 80

Single-Tenant Offsite Operations (Managed Service Providers) 81

Isolated-Tenant Application Services (Application Service Providers) 81

Multitenant (Cloud) Applications and Platforms 82

Granular Privilege Assignment 82

Inherent Transaction Visibility 84

Centralized Community Creation 86

Coherent Customization 88

The Question of Location 90

Designed and Delivered for Trust 91

Fewer Points of Failure 91

Visibility and Transparency 93

In Summary 93

Chapter 6: Protection and Privacy of Information Assets in the Cloud 97

The Three Usage Scenarios 99

What Is a Cloud? Establishing the Context—Defining Cloud Solutions and their Characteristics 100

What Makes a Cloud Solution? 101

Understanding the Characteristics 104

Service Based 104

On-Demand Self-Service 104

Broad Network Access 104

Scalable and Elastic 105

Unpredictable Demand 105

Demand Servicing 105

Resource Pooling 105

Managed Shared Service 105

Auditability 105

Service Termination and Rollback 106

Charge by Quality of Service and Use 106

Capability to Monitor and Quantify Use 106

Monitor and Enforce Service Policies 107

Compensation for Location Independence 107

Multitenancy 107

Authentication and Authorization 108

Confidentiality 108

Integrity 108

Authenticity 108

Availability 108

Accounting and Control 109

Collaboration Oriented Architecture 109

Federated Access and ID Management 109

The Cloud Security Continuum and a Cloud Security Reference Model 110

Cloud Characteristics, Data Classification, and Information Lifecycle Management 113

Cloud Characteristics and Privacy and the Protection of Information Assets 113

Information Asset Lifecycle and Cloud Models 114

Data Privacy in the Cloud 118

Data Classification in the Context of the Cloud 119

Regulatory and Compliance Implications 119

A Cloud Information Asset Protection and Privacy Playbook 121

In Summary 124

Chapter 7: Business Continuity and Disaster Recovery 129

Business Continuity Planning and Disaster Recovery Planning Overview 129

Problem Statement 130

The Planning Process 131

The Auditor’s Role 133

Augmenting Traditional Disaster Recovery with Cloud Services 135

Cloud Computing and Disaster Recovery: New Issues to Consider 136

Cloud Computing Continuity 136

Audit Points to Emphasize 138

In Summary 139

Chapter 8: Global Regulation and Cloud Computing 143

What is Regulation? 144

Federal Information Security Management Act 146

Sarbanes-Oxley Law 146

Health Information Privacy Accountability Act 146

Graham/Leach/Bliley Act 147

Privacy Laws 147

Why Do Regulations Occur? 148

Some Key Takeaways 149

The Real World—A Mixing Bowl 149

Some Key Takeaways 151

The Regulation Story 151

Privacy 153

International Export Law and Interoperable Compliance 154

Effective Audit 155

Identifying Risk 156

In Summary 156

Chapter 9: Cloud Morphing: Shaping the Future of Cloud Computing Security and Audit 161

Where Is the Data? 162

A Shift in Thinking 164

Cloud Security Alliance 165

CloudAudit 1.0 166

Cloud Morphing Strategies 166

Virtual Security 167

Data in the Cloud 168

Cloud Storage 169

Database Classes in the Cloud 171

Perimeter Security 171

Cryptographic Protection of the Data 172

In Summary 173

Appendix: Cloud Computing Audit Checklist 175

About the Editor 181

About the Contributors 183

Index 191


Customer Reviews

Average Rating: 5 (2 reviews)
  • Posted June 12, 2012

    Tremendous resource for audit, business and IT

    “Auditing Cloud Computing: A Security and Privacy Guide”, edited by Ben Halpert, CISSP, is a tremendous resource for auditors, security professionals, privacy officers and IT executives who need to understand the risks and mitigation strategies for an effective cloud computing solution. The chapters are written by leading professionals in IT, audit, security and management and cover progressively more detail and complexity so the reader builds on knowledge and the basics are not repeated. The editing provides a consistent style and tone throughout the book, making for smooth transitions from chapter to chapter.

    While the title focuses on auditing, the information provided in each chapter addresses topics that are pertinent to non-auditors, particularly security managers and business executives who are interested in an objective, vendor-independent overview of cloud computing risks and benefits. The information can also benefit cloud providers, particularly from the information on customer and auditor expectations.

    The book includes an appendix with an audit checklist for cloud computing, and includes a reference to the key review aspects covered in the various chapters of the book. While this is not itself a risk-based audit program, it does provide sufficient guidance for a risk assessment to be generated and the applicable audit checklist steps could then be performed.

    Overall, this book is quite readable and provides significant coverage of audit and security concerns for cloud computing. More and more companies are considering cloud computing, and whether or not they actually move their data, applications and/or processing to the cloud, it is beneficial for auditors and security professionals to be aware of the risks in advance of that move. With the number of cloud providers increasing, particularly those having FedRAMP or NIST 500-291 compliance, the concerns with third-party and vendor data being cloud based will be a concern even if the auditor’s company data is retained onsite.

  • Posted August 24, 2011

    The must-have book for any professional interested in Cloud Computing Auditing, Regulation, and Governance.

    I've had the pleasure of being one of the first few people to read this book. Companies are exponentially increasing their reliance on Cloud Computing, for reasons such as cost savings and increased efficiency. But are they ready for the cloud? If you are a person responsible for migrating your company to the cloud, there are many concerns that you need to think about and address prior to that migration if you want to avoid possible privacy incidents, loss of data, lack of compliance with regulations, and potential disasters that will cost you and your customers in lost revenue and productivity. This is where Auditing Cloud Computing shines, and provides you with a holistic approach to get the necessary information you need before the actual implementation.

    In 9 chapters, Mr. Halpert collected the thoughts of 12 industry leaders in areas of Cloud computing, reflecting on the following topics:

    1. Introduction to Cloud computing
    2. Cloud-Based IT Audit Process
    3. Cloud-Based IT Governance
    4. System and Infrastructure Lifecycle Management for the Cloud
    5. Cloud-Based IT Service Delivery and Support
    6. Protection and Privacy of Information Assets in the cloud
    7. Business Continuity and Disaster Recovery
    8. Global Regulation and Cloud Computing
    9. Cloud Morphing: Shaping the Future of Cloud Computing Security and Audit

    The book provides ample information for anyone interested in Cloud computing, whether to implement new cloud infrastructure, migrate to a cloud provider, or simply get an understanding of this amazing technology. This book is a must-have for anyone dealing with Cloud Computing.
