Cloud Environment Controls Assessment Framework

Introduction

The new wave of innovation has grown in Internet-based cloud computing in recent years. The usages of infrastructure, platforms, and software applications at large data centers through a pay-per-use leasing model have increased. Because of its ease and speed of deployment, geographic distribution capability, and financial advantages, cloud computing has emerged as one of the fastest-growing segments of the Information Technology (IT) industry. Organizations throughout the world are considering providing or consuming cloud-based application delivery models for their business growth Robinson, 2009). According to Gartner (Petty, 2010), the worldwide cloud services revenue has increased by 21.3 percent from $46.4 billion in 2008 to $58.6 billion in 2009, and the market is expected to reach $148.8 billion in 2014. cloud application services evolving from Software-as-a-Service (SaaS) offerings are poised to jump from $13.1 billion in 2008 to $40.5 billion by 2014 as business models mature.

The interconnectivity between cloud services makes seamless exchange of information and availability of user services any time at any place possible. This often presents unique challenges and new risks because of a lack of basic security mechanisms, especially when interconnected via a heterogeneous environment. Experience has shown that as new technologies are developed, they become a major source of new vulnerabilities and increased exposure to potential attackers. With easy-to-use and low-cost hacking tools downloadable from the Internet, attackers are capable of launching organized, disciplined, and sophisticated attacks on the cloud computing environments. The successful attacks can result in severe or catastrophic damage to the organization and nation’s critical information infrastructure and ultimately threaten the nation’s economy and security. In short, all information created, modified, transmitted, or received via cloud service communications must adhere to the required security goals of confidentiality, integrity, availability, sensitivity, and criticality. Organizations require a methodical approach to safeguard the cloud computing environment. Without proper safeguards, a cloud computing environment is vulnerable enabling the individuals and groups with malicious intentions to intrude and use their access to obtain and manipulate sensitive information, commit fraud, disrupt operations, or launch attacks. The objectives of this chapter are to:

• •

  Provide an understanding of the cloud environment related services and delivery models.

• •

  Outline benefits and challenges for deploying cloud-based service models.

• •

  Provide the framework for assessment of cloud environment controls.

Background

The advent of World Wide Web in the 1990s has contributed to an exponential growth in Internet-based tools and technologies. In recent years, the availability of open-source and low-cost hardware and software, and the telecommunications infrastructure has given recognition to cloud computing. The cloud concept is not new. In 1961, John McCarthy, an American computer scientist from Massachusetts Institute of Technology (Wordpress.com, 2008) had proposed a time-sharing computing model that organizations can use to sell and centrally manage computing power, hardware, software and applications like a utility (water and electricity) business models. A half a century later, cloud computing is emerging as utility-based computing that relies on Internet-based computing resources to provide services to all sizes of organizations, their business partners, and customers, while freeing them from the burden and costs of maintaining the underlying infrastructure.