Paolina Centonze
Iona College, New Rochelle, NY, USA
The global cloud computing market is expected to exceed $1 trillion by 2024. This is based on the latest research report covering cloud computing products, technologies, and services for the global market by Market Research Media (https://www.marketresearchmedia.com/?p=839).
Companies, industries, and agencies, such as financial services organizations, health organizations, and government agencies, are looking into new cloud‐based auditing research and methodologies to alleviate security, privacy, trust, and forensics challenges.
The rest of this chapter is organized as follows. Section 8.2 discusses the major cloud security problems and explains how auditing can alleviate these issues. Section 8.3 presents the state of the art of cloud auditing and discusses modifications and extensions needed in order to minimize cloud security challenges. Section 8.4 focuses on cloud compliance challenges and describes how national and international organizations are extending and modifying these compliance regulations in order to make them standardized. Section 8.5 discusses future research directions for cloud audits and compliance. Finally, Section 8.6 summarizes the main points and concludes this chapter.
There is no doubt that cloud computing offerings are completely transforming ways of delivering and investing for IT services, which enable companies, industries, agencies, and academia to make deep changes in IT solutions and adapt their business solutions and processes. Figure 8.1 shows a survey, based on data reported by Gartner, Inc. (https://www.gartner.com/newsroom/id/2352816) (NYSE: IT), one of the world's leading IT research and advisory companies, on how the cloud global market's spending has changed over the past few years, with global spending of $222.5 billion by 2015. Figure 8.2 shows a global index survey based on data reported by Cisco Systems, Inc. (https://www.cisco.com/c/en/us/solutions/collateral/service‐provider/global‐cloud‐index‐gci/white‐paper‐c11‐738085.html), an American IT multinational corporation, with an overall data center Internet Protocol (IP) traffic compound annual growth rate (CAGR) of 25% from 2012 to 2017. While cloud services can bring many advantages to business solutions, such as cost reduction, on‐demand provisioning mechanisms, and enablement of a pay‐per‐use business model, today security and privacy are still among the top concerns that discourage cloud‐service consumers from adopting cloud solutions to the fullest, as shown in Figure 8.3. One dominant characteristic of cloud computing is that parts of an IT infrastructure's trust boundary move to third‐party providers. Therefore, lack of direct control over cloud consumers' data or computation requires new techniques for the service provider to guarantee transparency and accountability.
According to the Cloud Security Alliance (CSA), a cloud service model comprises seven layers: facility, network, hardware, operating system, middleware, application, and user (https://cloudsecurityalliance.org/topthreats.html). Table 8.1 shows whether the cloud provider or the cloud customer is in control of each layer for every specific deployment model: Software‐as‐a‐Service (SaaS), Platform‐as‐a‐Service (PaaS), and Infrastructure‐as‐a‐Service (IaaS). Choosing the proper cloud deployment model is crucial, since once a model is selected to deliver business solutions, responsibilities are agreed upon and accepted by the party hosting the cloud solution and the subscribers to the services.
Table 8.1 CSA: layers a cloud provider controls (2010).
Cloud service model | |||
Layer | SaaS | PaaS | IaaS |
Facility | Provider | Provider | Provider |
Network | Provider | Provider | Provider |
Hardware | Provider | Provider | Provider |
Operating system | Provider | Provider | Provider or customer |
Middleware | Provider | Provider or customer | Customer |
Application | Provider | Customer | Customer |
User | Customer | Customer | Customer |
When a cloud consumer subscribes to a particular service‐delivery model, that consumer agrees to a certain level of access control over the resources managed by the CSP. Therefore, when assessing a cloud system, cloud customers must recognize, and be concerned with, the limitations of each service‐delivery model. If a specific capability, such as security, trust, traceability, or accountability is needed but not yet completely provided within a given delivery model, a subscriber has to either negotiate with the service provider for that capability to be fully implemented and deployed, and specify this request clearly in the service‐level agreement (SLA), or request a different delivery model that has the desired functionality. Incomplete understanding of the separation of responsibilities may result in false expectations of what a CSP can offer. Security, trust, integrity, and forensics are challenges for classic IT environments, but they are even more complex in cloud environments due to the Cloud's inherent characteristics, such as seamless scalability, ability to share resources, multitenancy, ubiquitous access, on‐demand availability, and third‐party hosting. Another complication is the fact that the underlying infrastructure is not standard; every CSP implements the underlying infrastructure using different hardware and software systems. Therefore, security‐enforcement mechanisms must be adapted to each cloud system. SLA requirements are essential in order to meet the security expectations of cloud services and resources.
Cloud auditing and fast response processes are essential in order to properly and efficiently describe the levels of availability, performance, security, serviceability, and other characteristics of a cloud service. However, this requirement may be hard to meet because the amounts of cloud‐auditing data stored on the Cloud itself, consisting of client and server logs, network logs, database logs, etc. may be extremely large.
For example, Apprenda, a PaaS software‐layer cloud‐provider company based in the United States, defines cloud federation as “the unionization of software, infrastructure and platform services from disparate networks that can be accessed by a client via the Internet.” A federation of cloud resources uses network gateways that connect public or external clouds, private or internal clouds, and/or community clouds by creating a hybrid cloud‐computing environment. Since cloud computing may deploy services in federated cloud environments, audit data is collected and stored in distributed environments. It is necessary to properly capture, store, and analyze such data in order to identify and quantify threats, and prevents security attacks.
Capturing security‐relevant information and auditing results to determine the existence of security threats in the cloud are still challenging problems. Following are some examples that illustrate the need for cloud audits:
In 2010, the Cloud Security Alliance released a research document entitled Top Threats to Cloud Computing v1.0 (https://cloudsecurityalliance.org/topthreats.html) in order to assist organizations in making educated risk‐management decisions regarding their cloud adoption strategies. Here is the list of the top cloud computing threats according to that report:
The Cloud Security Alliance encourages organizations to also use—along with the research document just mentioned—Security Guidance for Critical Areas in Cloud Computing V3.0, which was last updated in 2011 (https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf). In this document, the CSA includes a collection of facts and ideas gathered from over 70 industry experts worldwide.
Understanding how to manage cloud opportunities and security challenges is crucial to business development. Security audits and penetration testing are used in classic IT infrastructures to document a data center's compliance to security best practices and laws. One of the most serious downsides of traditional security auditing is that it only provides a snapshot of an environment's security state at the time of the audit. This may be sufficient for classic IT infrastructures since they do not change very frequently. However, auditing a cloud environment is a much more complex task, for which traditional security auditing is not adequate. This is because a cloud system has inherent characteristics that make the auditing process more complicated. Such characteristics include on‐demand self service, broad network access, resource pooling, rapid elasticity, multitenancy, and lack of hardware governance.
When performing cloud auditing, it is necessary to consider the point in time when changes in the underlying infrastructure occur, and the ability to decide if any such changes give rise to a security gap or an infrastructure misuse. It is also important to have knowledge of the underlying business processes: for example, to automatically infer whether an immediate increase in a high‐pick cloud‐service request is being made for true business needs or is rather caused by a hacker misusing the system to perform a denial of service (DoS) attack. In 2012, to increase cloud transparency, the Cloud Research Lab at Furtwangen University, Germany, developed the Security Audit as a Service (SAaaS) architecture for IaaS cloud environments. The SAaaS architecture ensures that a desired security level is reached and maintained within any cloud infrastructure where changes occur very frequently. The work required of research institutions, government agencies, and academic organizations in order to provide secure cloud computing is still immense, and demands the collaboration and participation of a broad community of stakeholders on a global basis. However, this initiative is very encouraging and promising, since it is the right step in the right direction; new cloud‐security solutions are regularly appearing, enterprises are using CSA's guidance to engage with CSPs, and a vigorous public dialogue over compliance and trust issues has begun around the world. The most important outcome in the field of cloud computing that has been achieved is that security professionals are now eagerly engaged in securing the future, instead of only focusing on protecting the present. In fact, there is a growing demand for cloud‐computing standards. These standards may be very complex to integrate with existing infrastructures in order to provide reliable cloud services in cloud‐computing environments. However, the creation and adoption of standards is an important step forward since it minimizes the differences between cloud implementations and simplifies the enforcement of security and auditing. As shown in Table 8.2, standard organizations and working groups worldwide are producing documentation, guidelines and specifications to create the foundation of cloud‐computing standardizations. Details of these cloud‐security standardization and compliance efforts are covered in Section 8.4 of this chapter, which also discusses the Federal Risk and Authorization Management Program (FedRAMP), a US government‐wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services (Table 8.3).
Table 8.2 Standards organizations and their nationalities (2014).
Cloud‐related standards organizations | Nationality |
National Institute of Standards and Technology (NIST) | United States |
Distributed Management Task Force (DMTF) | International |
IEEE Standards Association (IEEE‐SA) | International |
International Telecommunications Union (ITC) | International |
European Telecommunications Standards Institute (ETSI) | European |
Organization for the Advancement of Structured Information Standards (OASIS) | International |
System Administration Networking and Security | United States |
International Organization for Standardization (ISO)/IEC | International |
Federal Risk and Authorization Management Program (FedRAMP) | United States |
Table 8.3 Cloud security and auditing publications (2014).
Cloud security and auditing publications (publication title) | Organization |
Challenging Security Requirements for US Government Cloud Computing Adoption | NIST |
Cloud Computing Security Reference Architecture | NIST |
Guide to Security for Full Virtualization Technologies | NIST |
Security Guidance for Critical Areas of Cloud Computing | CSA |
Trusted Cloud Initiative (TCI) Reference Guidelines | CSA |
Cloud Auditing Data Federation (CADF) Data Format and Interface Definition Spec | DMTF |
Quick Guide to the FedRAMP Readiness Process | FedRAMP |
Cloud Security and Compliance: A Primer | SANS |
A Guide to Virtualization Hardening Guides | SANS |
Focus Group on Cloud Computing Technical Report | CSC |
Saving Money Through Cloud Computing | OACIS |
This section describes the importance of auditing in solving specific cloud security issues. It highlights the most crucial security issues that need to be considered when deploying a service to a cloud infrastructure. In particular, it explains how auditing methodologies can help in alleviating identified security issues. Furthermore, it discusses how classic auditing need to change and be extended in order to include complex cloud‐computing environment characteristics. Different challenges complicating cloud auditing are discussed, and important questions that a cloud audit must answer are raised. Moreover, this section describes the importance of diagnosing vulnerability patterns in cloud audit logs, especially for web service compositions for cloud service architectures. In fact, in these systems auditable events are not always well defined and processed. This section also gives an overview of the latest state of the art of cloud auditing for addressing security‐ and privacy‐related issues.
Security‐related challenges are the main reason enterprises are hesitant to adopt cloud computing. Therefore, these challenges have become a significant area of research and the object of important economic studies. A precise understanding of the security implications behind a given cloud infrastructure has not always been completely achieved since cloud architectures are often based on proprietary hardware and software, which complicates the study and detection of security vulnerabilities. Furthermore, very often, essential and well‐defined security terms, such as threat, vulnerability, and risk, are not used and understood properly. These security terms are crucial when performing risk analysis for creating and deploying a service on a cloud environment. In cloud computing, contrary to classic IT outsourcing, a customer may also rent a certain infrastructure and end up sharing infrastructure resources with other customers. This architecture is known as the multitenant model. Between 2009 and 2010, researchers (Sotto et al. 2010; Chen et al. 2010) and the European Network and Information Security Agency (https://www.enisa.europa.eu/activities/risk‐management/files/deliverables/cloud‐computing‐risk‐assessment) identified numerous cloud security and privacy problems, which all have in common the following two categories of problems:
Amplified cloud security problems are those deriving from the underlying technologies upon which cloud computing is heavily built, such as virtualization, web application servers, and multitenant software architectures. This category of problems includes those originating from failing to adhere to well‐known and commonly established security best practices, which are hard or infeasible to implement in a cloud computing environment.
The most common amplified cloud security problems are the following:
Cloud‐specific security problems are those that are inherent to the Cloud itself and its characteristics, and not necessarily inherited from the technologies used in the underlying infrastructure. The most common cloud‐specific security problems are the following:
These issues may violate the availability and accountability core security principles.
In order to better emphasize the complexity and importance of auditing in cloud computing, this section correlates each of the cloud audit issues with the current state of the art in research. Since a cloud consumer is not exposed to the details of how a CSP governs the underlying cloud infrastructure, the only choice for the consumer is to give complete trust to the CSP and hope the CSP applies compliance regulations and data‐protection laws for protecting confidential and sensitive data. Furthermore, unknown or unclear geographic location of data in the Cloud may cause unexpected issues since different jurisdictions enforce different legislation and compliance requirements when it comes to data governance. Following is a list of some of the current research work to alleviate this problem:
Cloud auditing can also be used to help detect abuse and nefarious use of cloud resources, although this is still a complex task. (Hamza and Omar 2013) explored and investigated the scope and magnitude of this problem, which is one of the most serious security threats in cloud computing. The authors also presented some of the specific attacks related to this threat, since it constitutes a major restriction for moving business to the Cloud. Following are some of the most common attacks that relate to this problem and the related research work that has been done in order to resolve them:
To address the lack of transparent monitoring of a cloud infrastructure, the Cloud Research Lab at Furtwangen University, Germany, in 2012, started to develop SAaaS, a prototype for incident detection in the cloud. SAaaS is an audit solution where techniques of behavioral analysis and anomaly detection are used to distinguish between normal and nefarious use of cloud resources. SAaaS uses intelligent autonomous agents, which support cross‐customer event monitoring within a cloud infrastructure. This work also evaluated which cloud‐specific security problems are addressed by SAaaS. The results of this work shows that autonomous agents and behavioral analysis are sufficient to identify cloud‐specific security problems and can create an efficient cloud‐audit system.
(Meng et al. 2012) proposed state monitoring for detecting critical events and abnormalities of cloud‐distributed systems. When it comes to cloud computing, as the scale of the underlying infrastructure grows and the amount of workload consolidation increases in cloud data centers, node failures and performance interferences (in particular, transient ones) become quite common. Therefore, distributed state‐monitoring tasks are very often exposed to broken communication. This can bring about misleading results and cause problems for cloud consumers who heavily rely on state monitoring to perform automatic management tasks, such as autoscaling. This work introduced a new state‐monitoring approach that addresses this challenge by exposing and handling communication dynamics, such as message delay and loss in cloud‐monitoring environments. This methodology delivers two different characteristics. First, it quantitatively approximates the accuracy of monitoring results to capture uncertainties introduced by messaging dynamics. This feature helps users differentiate trustworthy monitoring results from ones that heavily deviate from the truth, yet significantly improves monitoring utilities compared to simple techniques that invalidate all monitoring results generated in the presence of messaging dynamics. Second, it adapts itself to nontransient messaging problems by reconfiguring distributed monitoring algorithms to minimize monitoring errors. This work demonstrates that, even under severe message loss and delay, this new approach consistently improves monitoring precision and, when applied to cloud application auto‐scaling, outperforms existing state‐monitoring techniques.
In distributed systems, the security of the host platform is critical. Platform administrators use security‐automation methodologies, such as those provided by the Security Content Automation Protocol (SCAP) standards, to check that the outsourced platforms are set up correctly and follow security recommendations, e.g. those provided by governmental or industrial organizations. Nevertheless, users of remote platforms must still have confidence in the platform administrators. (Aslam et al. 2013) proposed a remote platform‐evaluation mechanism that can be used by remote platform users or by auditors, to perform frequent platform‐security audits. The authors analyzed the existing SCAP and Trusted Computing Group (TCG) standards for this solution. They also identified shortcomings and suggested ways to integrate these standards. This platform‐security‐evaluation framework uses the combined effort of SCAP and TCG to address the limitations of each technology when used independently.
Auditing systems are extremely important to make sure that customer data is properly hosted in the cloud. (Yu et al. 2014) investigated the possibility for active adversary attacks in three auditing mechanisms for shared data in the Cloud, including two identity‐privacy‐preserving auditing mechanisms named Oruta and Knox, and a distributed‐storage integrity‐auditing mechanism. The authors showed that these schemes start to become insecure when active adversaries are involved in the cloud storage. In particular, they proved that there are ways for an active adversary to change cloud information without being detected by the auditor. The authors claimed to have found a solution to this downside without sacrificing the benefits of these mechanisms.
CSPs have control over enforcing cloud security in order to ensure the integrity and confidentiality of their customers' data. Cloud‐computing security infrastructure is an extremely important research area and the subject of a consistent body of work by both the academic and industrial research communities. In a cloud environment, resources are under the control of the CSP, and third‐party auditors must ensure data integrity and confidentiality, particularly when data storage is outsourced. (Sathiskumar and Retnaraj 2014) proposed data‐encryption and proxy‐encryption algorithms for CSPs to enable privacy and integrity of outsourced data in cloud‐computing infrastructures.
A service cloud infrastructure that offers web‐service composition improves the accessibility and flexibility of web services hosted on the cloud. Nevertheless, security challenges exist, which include both vulnerabilities due to classic web‐service communication and new, specific issues carried by intercloud communication. Cloud auditing is a complex task, due to the enormous scale of the system, the noncentralized architecture of the Cloud, and the wide range of security issues that need to be taken into account. Of course, there exist security standards, protocols, and auditing methodologies that provide audit logs, which can be subsequently analyzed, but these logs are not always suitable to reveal the type, location, and impact of the security threats that might have occurred. Assuming a cloud infrastructure that explicitly declares the scope of its audit logs, defines the expected auditable events in the cloud, and provides evidence of potential threats, in 2013, researchers introduced the concept of vulnerability diagnostic trees (VDTs) to formally demonstrate vulnerability patterns across many audit trails created within the cloud service. They accounted for attack scenarios based on the allocation of services to a web‐service composition that provides end‐to‐end client‐request round‐trip messaging.
In spite of the large body of research in the area of cloud security and auditing, performed by both the academic and industrial research communities, a collaborative cloud architecture for security and auditing that does not require a third‐party auditor (TPA) has not yet been fully explored. In their cloud‐security research survey, (Waqas et al. 2013) suggested a collaborative cloud architecture that can securely share resources when needed and audit itself without the involvement of a TPA.
Cloud compliance has been the subject of intense research among industry, academia, and government. Nowadays, cloud security compliance is more important than ever since defining and enforcing security standardization and compliance regulations in clouds with complex architectures—especially those that support cross‐domain services on federated multilevel servers—is not an easy task. In order to properly secure cloud services and resources, as we observed in Section 8.3, cloud auditing is a crucial component that must be in place to meet SLAs and guarantee CSP compliance. This section discusses cloud‐compliance requirements, regulations, acts, laws, and guidelines, and describes the joint effort by IT standards organizations and industries worldwide to meet security‐compliance requirements for cloud computing.
Industry demand for cloud technology and the promising revenues of new information communication technology (ICT) investments have created excellent market encouragement for cloud computing. Businesses and organizations are moving their solutions and data toward cloud computing for scalability and cost efficiency. Moreover, there is an enormous need for cloud compliance and standardization: research institutions, academic organizations, business industries, and government agencies are now aware of the underlying problems caused by lack of compliance and more knowledgeable about the security impacts and serious consequences deriving from CSPs not meeting the right security regulations and compliance requirements. As shown in Table 8.2, standards organizations and working groups are making guidelines and specifications publically available, with the goal of achieving cloud‐computing standardization. (Han et al. 2014), in the book High Performance Cloud Auditing and Applications, include a summary about organizations and documents for standardization. And the NIST, CSA, and DMTF CADF Working Group have released important cloud‐computing‐related publications:
Cloud federation, defined in Section 8.2, is just starting to be taken into consideration by the research community. Cloud federation may generate new security issues that need to be addressed. Cloud‐computing‐related specifications, standards, and implementation technologies are required to establish security, interoperability, and portability in order to support federated cloud computing. Standards organizations, as mentioned previously, have jointly worked together with many cloud‐security and auditing working groups to design and create cloud‐computing standards. Moreover, the United States Air Force Research Laboratory (AFRL) CyberBAT Cloud Security and Auditing Team, during the summer of 2011, started an effort to investigate the directions of future cloud auditing research (https://cps‐vo.org/node/6062). Also in 2011, NIST defined the key characteristics for cloud services: on‐demand self‐service, broad network access, resource pooling, rapid elasticity or expansion, and measured service. Furthermore, clouds allow for virtual back ends, which make them cloud‐computing dynamic. Data, applications, and users are moving between internal and external clouds for different uses. Therefore, dealing with all the security and compliance problems that can arise in a dynamic environment may be very challenging. In 2010, the SANS Institute released a white paper entitled “Cloud Security and Compliance: A Primer.” The author, Dave Shackleford, stated that since cloud‐security and compliance efforts are so complex to deal with, it is necessary to classify all the issues in three main problem areas that apply to all types of cloud‐computing systems:
The SANS Institute released this white paper to help organizations that are starting cloud‐computing programs and give them guidance to keep these problematic cloud‐security compliance areas under control.
Cloud consumers need assurance. They want to see evidence that CSPs have audit mechanisms in place. However, most auditors do not have complete knowledge or the appropriate skills in virtualization or cloud computing, which makes things even harder. CSPs are starting to deliver Statement on Auditing Standards (SAS) 70 type II audit reports, providing evidence of the control measures adopted within their cloud environments, but many security and compliance professionals still think this step is inadequate. Even though SAS 70 type II audit reports have been used for nearly 20 years, the problem with the SAS 70 standard—according to the American Institute of Certified Public Accountants (AICPA)—is that these reports were not designed to be used by service institutions that offer colocation, managed servers, or cloud‐hosting services in this way. In other words, the SAS 70 type II standard is not the right one for cloud computing because it was developed to take care of internal controls over financial reporting and not cloud systems. Specifically, a SAS 70 type II audit only checks that the controls and processes a data center operator has in place are followed. There are no specific minimum expectations that a data center operator must achieve, nor a benchmark to hold data center operators responsible to. A data center with excellent controls and processes can claim the same level of audit as a data‐center operator with no good controls and systems. A major misinterpretation about SAS 70 type II audits is that, after completing an audit, a data center becomes “SAS 70 type II certified”; but in reality there is no such official certification. Many service providers that have outlasted a SAS 70 type II audit have established their own logo, indicating the need for such certification by outside auditors.
The Internal Organization for Standardization (ISO) 27001 and 27002 standards, which provide a more specific and well‐structured framework of best practices, are much better models to adhere to. This is a good reason why, in 2010, the SANS Institute published a guide for virtualized infrastructures, entitled “A Guide to Virtualization Hardening Guides” (https://www.intralinks.com/sites/default/files/file_attach/wp‐sas70ii.pdf). The CSA, along with other virtualization and cloud‐computing security experts, has decided that CSPs should use the ISO 27001 and 27002 standards for auditing and reporting on the state of controls within their cloud infrastructure environments.
The CSA has founded Achieving Governance, Risk Management, and Compliance (GRC), an integrated suite comprising the following four Cloud Security Alliance initiatives (https://cloudsecurityalliance.org/media/news/csa‐releases‐new‐ccm‐caiq‐v3‐0‐1): CloudAudit, Cloud Controls Matrix (CCM), Consensus Assessments Initiative Questionnaire (CAIQ), and Cloud Trust Protocol (CTP), which are described next.
The GRC's goals require appropriate assessment criteria, relevant control objectives, and timely access to necessary supporting data. Whether implementing private, or hybrid clouds, the shift to compute as a service presents new challenges across the spectrum of GRC requirements. The CSA GRC stack provides a set of tools for enterprises, CSPs, security‐solution providers, IT auditors, and other key stakeholders to instrument and assess both private and public clouds against industry‐established best practices, standards, and critical compliance requirements.
CloudAudit (cloudaudit.org) is a volunteer cross‐industry cloud effort initiative gathering the best intellectuals and capacity in cloud, networking, security, audit, assurance, and architecture backgrounds. The CloudAudit Working Group officially started in January 2010 and has the participation of many of the largest CSPs, integrators, and professionals. In October 2010, CloudAudit officially came under the support of the Cloud Security Alliance (https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf). The goal of CloudAudit is to provide a standard interface and namespace that helps CSPs in the areas of automated audit, assertion, assessment, and assurance (A6) for their IaaS, PaaS, and SaaS environments, and to permit authorized consumers of their services to do the same via an open, extensible, secure interface and methodology. CloudAudit offers the technical baseline to enable transparency and trust in private and public cloud systems.
In July 2014, the CSA revealed the release of the extremely important updates to two de facto industry standards: CCM V3.0.1 and CAIQ V3.0.1 (https://cloudsecurityalliance.org/media/press‐releases/ccm‐caiq‐v3‐0‐1‐soft‐launch). Thanks to these two updates, the CSA accomplished a major milestone in the alignment between the Security Guidance for Critical Areas of Focus in Cloud Computing V3, CCM, and CAIQ. Jim Reavis, CEO of CSA, stated the following: “This will allow cloud providers to be more transparent in the baseline assessment process, helping accelerate the implementation process where cloud consumers will be able to make smart, efficient decisions.” This also maps CAIQ questions to the latest compliance requirements found in CCM V3.0.1. Daniele Catteddu, managing director of CSA EMEA, said, “With the release of the new CCM and CAIQ, we are creating an incredibly efficient and effective process for cloud providers to better demonstrate transparency and improve trust in the cloud, which is the ultimate mission of the CSA.” Specifically, the CSA CAIQ is the first empirical document between a cloud customer and a CSP. It provides a series of yes‐or‐no control assertion questions. The CSA CAIQ helps organizations build the necessary assessment processes when engaging with CSPs. It simplifies distillation of the issues, best practices, and control specifications from the CSA CCM, thereby allowing all the parties involved to quickly understand areas that require more specific discussion between consumer and CSP. The CSA CCM reinforces some of the well‐established information‐security control environments by reducing security threats and vulnerabilities in the Cloud. It also provides standardized security and operational risk management, and works to normalize security expectations, cloud taxonomy and terminology, and security procedures employed in the Cloud. The foundation of the CCM rests on its customized relationship to other industry standards, regulations, and control frameworks, such as ISO 27001:2013, COBIT 5.0, PCI DSS V3, and the AICPA 2014 Trust Service Principles and Criteria. Furthermore, it augments internal control directions for service‐organization control‐report attestations.
The CTP is the method by which cloud‐service consumers inquire for, and receive information about, the essential elements of transparency as applied by CSPs. The main intention of the CTP is to produce evidence‐based assurance that anything that is asserted as happening in the Cloud is guaranteed to happen as described. This is obtained as an application of digital trust, whose goal is to make cloud consumers more knowledgeable about the underlying infrastructure that constitutes the foundation of the cloud system. When consumers know more about the cloud infrastructure, they tend to feel more confident, which translates into more business and even larger payoffs for the CSP. With the CTP, a CSP gives an instrument to cloud consumers to understand important pieces of information related to the compliance, security, privacy, integrity, and operational‐security history of the services being performed in the Cloud. These extremely important pieces of evidence are known as the elements of transparency, and they convey proof about vital security settings and operational attributes for systems deployed in the Cloud. These transparent pieces of information give cloud consumers the knowledge necessary to make educated decisions about what service processes and data are appropriate to add to the Cloud, and to decide which cloud best lends itself to satisfy the consumers' needs.
Cloud‐compliance‐regulation issues become even more challenging and serious as soon as a cloud consumer uses cloud‐storage or backup infrastructures. For a CSP, it is essential not only to make sure customer data is well protected—especially sensitive and private data—but also to enforce the appropriate integrity and confidentiality mechanisms when customer data is saved or transferred to a third‐party CSP. A CSP must obey relevant laws and industry‐standards regulations. According to the CSA, “support for global data privacy standards and the consumer's bill of rights is definitely increasing.” This statement is based on the Cloud Security Alliance’s Data Protection Heat Index (DPHI) survey report (https://cloudsecurityalliance.org/download/data‐protection‐heat‐index‐survey‐report), which Cisco Systems Inc. funded. In September 2014, this survey examined some of the top complications around data protection and privacy in the Cloud, including data residency, sovereignty, and lawful interception. The survey participants included 40 among “the most influential cloud security leaders” (as defined by the CSA) in the world, from Chief Information Security Officers (CISOs) to professional privacy and legal specialists. Specifically, the survey showed that there is a solid consensus for more global standards to guide the use and protection of private data. For example, the survey showed broad support for the Organisation for Economic Co‐operation and Development (OECD) Privacy Principles, which establish rules for better data privacy standards and protection. For cloud computing, 62% of the participants said that industry implementation of the OECD's data‐collection‐limitation principle adds restrictions on the quantity of personal data that is collected but also on the content of the data itself. Moreover, the survey showed that 71% of the participating industrial organizations adhered to the OECD's security‐safeguards principle, which requests “reasonable security safeguards” to counter unauthorized access, disclosure, modification and damage of personal and private data. Additionally, 73% of respondents indicated that there should be a global consumer's bill of rights for data privacy, while 65% said that the United Nations (UN) should be more involved and take more responsibility in defining and developing such bill. Nevertheless, Trevor Hughes, president and CEO of the International Association of Privacy Professionals (IAPP), warned that achieving this agreement could be very challenging. Specifically, Hughes said, “The concept of privacy varies greatly according to region, and there are cultural differences that manifest themselves into different international laws. I'm not confident that we'll be able to develop one universal framework that can take all of those concepts and cultural views, and distill that down into one simple framework.” However, Hughes remained optimistic since he stated that, as challenging as this may sound, government agencies and research organizations should still work toward an agreement on data‐privacy standards in cloud computing. Quoting his words, “When it comes to private data, I like to say that just because something is legal doesn't mean it's not stupid.” According to Hughes, it is necessary to have standards and frameworks in order to enforce data privacy since compliance and regulations are not enough.
One of the most pressing questions related to cloud computing is how data privacy is defined internationally. At the 2014 Privacy Academia conference, both the IAPP and CSA strongly emphasized that there is an even greater demand for privacy professionals in the enterprise and for a better cooperation with information‐security professionals in order to help organizations better identify and protect sensitive data. This issue is even more complicated for the Cloud because data on the Cloud is not limited to one region or location. The survey just described showed that there is a separation among participants about how data residency and sovereignty should be enforced. The majority of the respondents agreed that personal identifiable information (PII) must stay within the geographic boundaries of the subject's country. However, during this survey, participants were asked to define their own country's concept of data residency or sovereignty compared to other regions; 37% responded that they are more open, 35% that they are more restricted, and 28% that they do not know. Finally, Hughes emphasized the importance of identifying a common language to better define the concepts of data privacy and protection across all countries.
Customers' uncertainty about data security is the number‐one obstacle toward fully adopting cloud computing, followed by compliance, privacy, trust, and legal issues. Data security has always been a major issue in traditional IT infrastructure, but it becomes even more serious in the cloud‐computing environment: data is dispersed across different machines and storage devices, including servers and mobile devices, potentially in different countries with different legislations. The major concerns for data in the Cloud are integrity, confidentiality, availability, and privacy, which are discussed in Sections 8.4.1 through 8.4.4.
Data integrity is a security principle that establishes that users must not modify data unless they are authorized to do so. For all the cloud‐computing deployment models—IaaS, PaaS, and SaaS—data integrity is the foundation for providing service. Clouds offer a large number of entry and access points. Therefore, enforcing a good authorization mechanism is crucial to maintain data integrity. It is also important to provide third‐party supervision. In fact, analyzing data integrity is the prerequisite to deploying applications securely. (Bowers et al. 2009a) proposed a theoretical framework called Proofs of Retrievability (POR) for verifying remote data integrity by combining error‐correction code and spot‐checking. (Bowers et al. 2009b) also developed a high‐availability and integrity layer (HAIL) by using POR checking the storage of data across many different clouds servers. HAIL can also detect duplication of data copies and understand data availability and integrity. (Schiffman et al. 2010) presented a Trusted Platform Module (TPM) to check data integrity remotely.
When it comes to cloud computing, it is important not only to protect cloud consumers' sensitive data via use of cryptographic routines, but also to protect consumers from malicious behaviors by validating the operations performing computations on the data. (Venkatesa and Poornima 2012) proposed a novel data‐encoding scheme called layered interleaving, designed for time‐sensitive packet recovery in the presence of sudden data loss. This is a high‐speed data‐recovery scheme with minimal loss probability, which uses a forward‐error‐correction scheme to handle data loss. This methodology is highly efficient in recovering data right after sudden losses. In 2013, research started to design a cloud computing security development life‐cycle model to enforce data safety and minimize consumer data exposure risks. A data‐integrity‐verification algorithm eliminates the need for third‐party auditing by protecting static and dynamic data from unauthorized observation, modification, and interference. (Saxena and Dey 2014) proposed work to achieve better data‐integrity verification and help users utilize Data‐as‐a‐Service (DaaS) in cloud computing. This framework is partitioned into three platforms: platinum for storing sensitive data, gold for a medium level of security, and silver for nonsensitive data. The authors have also designed different algorithms for implementing these three platforms. Their results showed that this framework is easy to implement and provides strong security without affecting performance in any significant way.
Cloud computing, among many other offerings, provides high availability and elastic access to resources. Third‐party cloud infrastructures, such as Amazon Elastic Compute Cloud (EC2), are completely transforming the way today's businesses operate. While we all take advantage of the benefits of cloud computing, businesses must realize that there can be serious risks to data security, particularly to data confidentiality, a security principle that establishes that private data cannot be exposed to unauthorized users. Very important factors, such as software bugs, operator errors, and external attacks, can interfere with the confidentiality of sensitive data stored on external clouds, thereby making that data vulnerable to unauthorized access by malicious parties. (Puttaswamy et al. 2011) studied how to improve the confidentiality of application data stored on third‐party computing clouds. They identified all functionally encryptable data—sensitive data that can be encrypted without reducing the functionality of the application on the Cloud. This data will only be stored on the Cloud in encrypted form, accessible exclusively to users with the correct keys. This mechanism protects data confidentiality against unintentional errors and attacks. The authors also described Silverline, a set of tools that automatically (i) recognize all functionally encryptable data in a cloud application, (ii) assign encryption keys to specific data subsets to minimize key‐management complexity while ensuring robustness against key compromise, and (iii) provide transparent data access at the user device while preventing key compromise even from malicious clouds. Via a thorough evaluation, the authors were able to report that numerous web applications heavily use storage and sharing components that do not require raw‐data interpretation. Thus, Silverline can protect the vast majority of data manipulated by such applications, simplify key management, and protect against key compromise. These techniques provided an important first step toward simplifying the complex process of incorporating data confidentiality into cloud applications.
Cloud data storage mainly gives small and medium‐sized enterprises (SMEs) the capability to reduce investments and maintenance of storage servers while still providing high data availability. The majority of SMEs now outsource their data to cloud storage services. User data sent to the Cloud must be stored in the public cloud environment. Data stored in the Cloud might intersperse with other user data, which leads to data‐protection issues in cloud storage. Thus, if the confidentiality of cloud data is broken, serious losses may occur.
Data confidentiality is one of the most important requirements that a CSP must meet. The most used method for ensuring cloud‐storage data protection is encryption. However, encryption by itself does not completely guarantee data protection. (Arockiam and Monikandan 2014) proposed a new way for achieving efficient cloud‐storage confidentiality. The authors used encryption and obfuscation as two different techniques to protect the data stored in the Cloud. Depending on the type of data, encryption and obfuscation can be applied. Encryption can be applied to strings and symbols, while obfuscation can be more appropriate for numeric data types. Combining encryption and obfuscation provides stronger protection against unauthorized users. In addition, (Alomari and Monowar 2014) addressed the problem of portability and secure file sharing in cloud storage. Their work consists of four different components: (i) the encryption/decryption provider (EDP), which performs the cryptographic operations; (ii) a TPA, which traces the EDP operations and audits them; (iii) a key storage provider (KSP), for key management; and (iv) a data storage provider (DSP), which stores user files in an encrypted form. Based on the experimental results, the authors demonstrated that this new encryption ensures data confidentiality and maintains portability and secure sharing of files among users. (Djebaili et al. 2014) listed the latest trends in cloud data outsourcing and the many different threats that may undermine data integrity, availability, and confidentiality unless cloud data centers are properly secured. The authors observed that different schemes addressing data integrity, availability, and confidentiality, and complying with all the security requirements must be in place. These include high scheme efficiency, stateless verification, unbounded use of queries, and retrievability of data. However, very important questions remain, particularly how to use these schemes efficiently and how often data should be verified. Constantly checking data is a clear waste of resources, but checking only periodically increases risks. The authors attempt to resolve this tricky issue by defining the data‐check problem as a noncooperative game, and by performing an in‐depth analysis on the Nash Equilibrium and the underlying engineering implications. Based on the game’s theoretical analysis, the sequence of reactions is to anticipate the CSP's behavior; this leads to the identification of the minimum resource verification requirement and the optimal strategy for the verifier.
It is essential that an organization is ready to respond in case a disaster occurs. A provider hosting a cloud data center must be prepared for such events and make sure that cloud data becomes available within seconds. It is crucial that organizations define strategies for protecting and restoring access to data appropriately according to operational needs. It is not possible to transfer terabytes (TB) or petabytes (PB) of data information through the network in a few seconds right after a disaster has occurred, and it is necessary for data to be saved in different locations in order to facilitate data access in the event of a failure in a given primary location. Different strategies are used by system architects for backing up data. (Cabot and Pizette 2014) concluded that replicated databases in cloud environments are a cost‐effective alternative for ensuring the availability of data in cloud systems, although some other issues arise, such as data synchronization and privacy. Since the cloud‐computing paradigm is based on the concept of shared infrastructure by multitenants, DDoS attacks on a specific target can quickly affect many or even all tenants. By guaranteeing that availability is given the necessary importance, organizations can enable stakeholders to properly assess the risks associated with a specific cloud‐computing model and successfully mitigate those risks in order to obtain the advantages of cloud computing while ensuring continuity of functions. Intrusion protection systems (IPSs) and firewalls are a crucial defense from these attacks, but they miss an important capability: these solutions do not protect the availability of services. Moreover, these technologies can themselves become targets of DDoS attacks.
Based on an article published at the end of 2014 on searchcloudsecurity.techtarget.com (Wright 2014), the CSA said that cloud data privacy and the issue of defining authority over data would be the top problems for enterprises in both the United States and abroad for the year 2015. In fact, during that time, a legal battle between the United States government and Microsoft over e‐mails located in an offshore data center in Dublin, Ireland was going on. These issues were caused by different data‐privacy regulations among countries. These include the USA Patriot Act (http://www.justice.gov/archive/ll/highlights.htm), which is an act of the U.S. Congress that was signed into law by President George W. Bush on October 26, 2001, and a U.S. search warrant. Ireland's Minister for Data Protection has it made clear that “when governments seek to obtain customer information in other countries, they need to comply with the local laws in those countries.” The US Congress did not clearly express its intent to put a US business in the difficult position of violating the local laws of countries where customer data is saved in order to comply with a US search warrant. Instead of using a search warrant in the Microsoft case, the U.S. government should have followed the procedures of the Mutual Legal Assistance Treaty (MLAT) between the US and Ireland to ask to receive the necessary information from the Irish government in a way that is consistent with Ireland's laws. This episode may have negative impact on cloud investment and, ultimately, on the economy. This example is a perfect illustration of the types of conflicts that may arise in the near future.
Jim Reavis, co‐founder and CEO of the CSA, said that cloud data sovereignty is “probably the number‐one issue” for European enterprises using, or planning to use, cloud services. We must ensure that individuals and organizations can have confidence in the rules and processes that have been put in place to safeguard privacy.” On April 3, 2014 the Cloud Service Alliance announced the launch of the second version of its Privacy Level Agreement (PLA) Working Group (https://cloudsecurityalliance.org/media/news/csa‐announces‐pla‐v‐2). In an effort to help CSPs and future cloud customers objectively evaluate privacy standards, PLA V2, being sponsored by CSA corporate member EMC, aims to provide a clearer and more effective way to communicate to customers regarding the layer of data protection offered by a CSP. The PLA Working Group was originally founded in 2012 with the goal of defining compliance baselines for data‐protection legislation as well as establishing best practices for defining a standard for communicating the level of privacy measures (such as data protection and security) that a CSP agrees to follow while hosting third‐party data. Moreover, the PLA Working Group is composed of independent privacy and data‐protection subject matter experts, privacy officers, and representatives from data protection authorities (DPAs). The PLA Working Group released three core documents over the course of a year (April 2014–April 2015), as follows:
One of the most attractive, yet most dangerous characteristics of cloud computing is to promote flow and remote storage of data. Within the public cloud‐computing deployment, new applications for data sharing are encouraging internet users to store their data on the Cloud with no mention of any geographical boundaries. The relevant CSPs may have their service centers anywhere in the world. In some jurisdictions, there are laws governing the use of personal data, for example by prohibiting the exportation of personal data to countries that have no enforceable data‐protection law. Data transfers from all countries with national legislation are restricted. These include all the countries in the EU and the European Economic Area (EEA), Argentina, Australia, Canada, Hong Kong, and New Zealand. From EU and EEA countries, personal information can be transferred to countries that have “adequate protection,” namely all other EU and EEA member states plus Switzerland, Canada, Argentina, and Israel. Germany's Data Protection Act, §11, introduced in Section 8.3.2, states that “where other bodies are commissioned to collect, process or use personal data, the responsibility for compliance within the provisions of this Act and with other data protection provisions shall rest with the principal.” The implication of this Act is that users must know the exact location of their data and their cloud providers' court of jurisdiction, and export or movement of data is not possible without prior notification of the customer.
Transborder dataflow is the transfer of computerized data across national borders. Restricting it is a form of prevention necessary to protect the personal data of the citizens of a country, but this has indirectly limited cooperation between countries and affected economic development. (Manap and Rouhani 2014) reported the outcome of a study they conducted. They described the fundamental concepts of free dataflow and how it can help the growth of a country's economic power, and proved that unrestricted dataflow allows for more competition in business activities and, therefore, more growth. Internationally dealing with businesses such as research and development, design, protection, sales, and support services, companies gain profit from transborder dataflow because they can receive the best services from the best suppliers. Furthermore, transborder dataflow can promote not only the economic growth of a country, but also its political and social development.
Cyberspace technology, including cloud computing, has changed the way data flows. Through global communication, the distribution of information permits efficient management of businesses by allowing a better way of using resources and services. However, growing public concern about the misuse of personal data has led to the introduction of privacy laws in various countries, with the disadvantage that cross‐border restrictions can negatively impact the choice and quality of products and services offered to the consumers around the world. In addition to the ban of transborder dataflow, another factor that can adversely affect a country's economy is the presence of different and incompatible standards and regulations of privacy protection from one country to another. Unstandardized data protection has created challenges in dealing with transfer of data worldwide. Moreover, complicated regulations on cross‐border restrictions lead to lost business prospects, with dramatic effects particularly in developing countries. It is suggested that the protection of law is important to enforce the proper use of data and assure the rights and concern of individuals. In order to alleviate the challenges introduced by strict laws, the mixture of procedures and cross‐border privacy protections can be minimized through the development of standard privacy regulations. These standard regulations should be adopted by corporate sectors in delivering business transactions over the internet. Adopting consistent corporate privacy rules would resolve several difficulties caused by the various personal‐data laws enforced in different countries. In addition, such adoption would allow the administration of data in a more unified and consistent way throughout organizations, independent of where the data may be exported.
Because of the many cloud challenges mentioned so far, cloud customers must understand the terms and conditions of a CSP and which of these terms have to be spelled out in SLAs to maintain cloud compliance. Unfortunately, not all CSPs are in favor of providing detailed security assurances to customers. As Donna Scott, a Gartner Vice President (VP), said during an interview in 2013, “Gartner customers have logged many complaints about weak SLAs lacking the necessary guarantees when it comes to security, confidentiality and transparency.” It is essential, as John Morency, a Gartner Research VP, stated: “The devil is in the details,” meaning that these contracts should be written very clearly, with no ambiguity, and should explicitly indicate which party is responsible for which security operation. Jay Heiser, another Gartner Research VP, said that enterprises very often struggle to explain, when asked, what security controls a CSP can provide to its cloud customers. Many CSPs answer with very vague responses or unclear documentation. Heiser said that it is necessary for industries to have to define common certifications, so enterprises can offer their services more easily: for example, by using the US government's FedRAMP initiative, which is one of the closest to a global standard. On June 26, 2014 the EC published the Cloud Service Level Agreement Standardization (Cloud SLAS) Guideline. This document is a crucial component of the contractual relationship between a cloud service customer and a CSP. Based on the global nature of the Cloud, SLAs usually cover many jurisdictions, often with varying applicable legal requirements, in particular with respect to the protection of personal data hosted in the cloud service. In addition, different cloud services and deployment models require different approaches to SLAs, which add to the complexity of the SLAs. Moreover, SLA vocabulary, as of today, very often varies from one CSP to another, which makes it even more difficult for customers to compare cloud services. In fact, standardizing characteristics of SLAs improves clarity and increases the understanding of SLAs for cloud services in the market, in particular by highlighting and providing information on the concepts usually covered by SLAs. These are some of the reasons the Cloud Computing Strategy company is working on the development of standardization guidelines for cloud‐computing SLAs for contracts between cloud service providers and cloud service customers.
In February 2013, the EC Directorate General for Communications Networks, Content, and Technology (DG Connect) set up the Cloud Select Industry Group, Subgroup on Service Level Agreement (C‐SIG‐SLA) to work on these issues. The C‐SIG‐SLA, an industry consortium assisted by DG Connect, has created the Cloud SLA Standardization Guidelines document to provide a set of SLA standardization guidelines for CSPs and professional cloud service customers, while still ensuring that the specific necessities of the European cloud market and industry are taken into account. This initial standardization effort has will have the highest impact if standardization of SLAs is done at an international level, rather than at a national or regional level. Taking this into consideration, the C‐SIG‐SLA set up a connection with the ISO Cloud Computing Working Group to provide concrete input and present the European position at the international level.
In 2013, PCI DSS was updated to the next major revision, PCI DSS V3.0 (https://www.pcisecuritystandards.org/minisite/en/pci‐padss‐supporting‐docs‐v31.php). In January 2015, the first set of requirement changes rolled out for PCI‐DSS. While there are a number of areas where new requirements could affect the compliance plans of suppliers and service providers, both cloud‐based and traditional ones, the part that may potentially have the greatest impact related to the Cloud is in situations where the cardholder data environment (CDE) deals with cloud technologies. Suppliers are aware that PCI DSS compliance in the Cloud is a challenging topic, and for this reason the PCI Security Standards Council published a document intentionally for those providers using the Cloud in a PCI context. Three new requirements in PCI DSS V3.0 are particularly relevant to the use of cloud technologies in a PCI‐regulated infrastructure:
Today, enterprises have to deal with increasing challenges meeting the different compliance and regulatory requirements applicable to them. The challenge significantly increases if the enterprise offers services in various geographies or across different verticals. For instance, an e‐commerce supplier with international customers needs to comply with data‐privacy and ‐disclosure mandates such as the EU data‐protection directive, California privacy laws, and PCI‐DSS. In addition, as a response to the recent economic losses experienced by enterprises as a result of e‐commerce hacking, more regulatory and compliance orders are expected as governments and regulatory organizations design requirements in an attempt to prevent future incidents.
Instead of handling each compliance requirement as an independent effort, an organization can obtain significant reductions in effort and cost by adopting standards such as ISO 27001 and 27002 (introduced earlier in Section 8.4) as their base security guidance. In addition, a governance, risk management, and compliance (GRC) framework allows an organization to avoid conflict, reduce overlap and gaps, and obtain better executive visibility to the risks faced. It also enables the organization to be proactive in addressing risk and compliance issues. There is no doubt that meeting compliance requirements by moving to a cloud‐based solution offers significant benefits.
Cloud compliance, or rather the lack of it, is an obstacle to cloud adoption. A lack of compliance for services in the Cloud makes the elasticity of the Cloud difficult for operations that must meet compliance mandates. However, a cloud‐based solution that includes compliance services opens up the general benefits of the Cloud to many more applications. Based on the type of business process (for example, handling credit‐card transactions) or industry (such as healthcare), the majority of organizations are subject to different compliance and regulatory authorizations. For instance, openly traded financial services institutions situated in the US, running their own data centers where both customer and corporate data and applications are located, must comply with the following standards:
Companies depend heavily on reporting and auditing frameworks that include requests to detail controls and policies that have been implemented in order to ensure compliance. In general, a cloud solution must prove that it possesses identical types of safeguards and controls that are otherwise implemented privately. A CSP must also be able to provide evidence of compliance by showing regulation‐specific reports and audits, such as SAS 70 type II audit reports. In 2014, Citrix Systems Inc. published a document entitled Citrix Cloud Solution for Compliance describing the Citrix‐specific solutions and products that Citrix offers in helping cloud services comply with various regulations (https://www.citrix.com/content/dam/citrix/en_us/documents/products‐solutions/citrix‐cloud‐solution‐for‐compliance.pdf). The IEEE Cloud Computing group, which is part of the IEEE organization, is also working on standards for cloud computing (https://cloudcomputing.ieee.org/standards).
A large body of research and effort has been conducted by organizations worldwide, with the purpose of addressing cloud auditing and improve security, privacy, and trust for cloud consumers. However, a lot still needs to be done in order to make cloud infrastructures more secure and trusted, attract investments from industrial enterprise and government agencies, and give companies the confidence to move their businesses to the Cloud and also store their customers' sensitive and privacy data in cloud storage. Moreover, there is great demand from organizations to globally design and enforce cloud compliance regulations, which are necessary for cloud service providers to prove trust and reliability to their consumers. Following is a list of open problems that future research should address:
This chapter provided an overview of the latest cloud security problems and how cloud auditing can alleviate these issues. This chapter covered the state of the art in cloud auditing and discussed the modifications and extensions that need to be implement to enable effective cloud audits and minimize cloud security and privacy challenges. A significant body of research has been dedicated to improving cloud auditing, but many aspects of cloud auditing need more work, particularly in the area of standardization. In addition, this chapter described the complexity behind cloud compliance and explained how numerous organizations worldwide are eagerly collaborating to standardize compliance regulations. Once this goal is achieved, CSPs can finally prove compliance and gain the trust of cloud consumers, who are still hesitant to adopt cloud deployments for fear of compromising the integrity and confidentiality of their data—especially when CSPs transport and store data in other countries. The chapter also explained how data‐protection laws in different countries have complicated transborder dataflow, to the point of reducing cloud adoptions and affecting the economic growth of developing countries.