Security in a Cloud: ITAudit


ITAUDIT, EDITED BY STEVE MAR

Security in a Cloud

Auditors must review risks across three distinct domains when organizations outsource IT security administration.

BY SAJAY RAI AND PHILIP CHUKWUMA

MANY ORGANIZATIONS ARE INVESTING in identity and access management (IAM) solutions to automate security administration functions and help reduce the number of resources required to perform manual security administration functions. A 2008 Forrester Research study estimates that the IAM market will grow from nearly US $2.6 billion in 2006 to more than US $12.3 billion in 2014. Organizations also are turning to IAM to meet compliance and regulatory requirements that are putting a greater burden on the security administration function in the form of additional reports, better records of workflow and change requests, and periodic self-assessments. Moreover, as IT budgets have declined in recent years, IT leaders have realized that automating security administration saves costs.

IAM solutions use relatively new technologies with their own audit challenges. Part of the solution resides in a client's computing environment, part of it resides in a service provider's environment, and another part depends on the Internet "cloud" that links them. Auditors must address these separate computing environments as part of a single strategy.

IAM TO THE RESCUE
IAM promised a way to automate the security administration function. IAM software enabled organizations to automate the front-end workflow for adding new employees (on-boarding), removing separated employees (off-boarding), and adding, modifying, and deleting (provisioning) access requests. It also provided standard back-end adapters to automate updates of common technologies like Active Directory, Lightweight Directory Access Protocol (LDAP), servers, and mainframe and mid-range systems. However, problems customizing the software and lack of programming expertise lengthened the duration of IAM projects and increased implementation costs.

Outsourcing IAM was another option. In the past decade, IT leaders have looked to reduce overall IT costs by outsourcing many functions, but they considered security too risky to be outsourced. Instead, they decided that the administration function should remain in-house, but the IAM "center" should be managed by external experts.

Once organizations started to trust managed service providers, IT leaders saw they could gain additional savings by using IAM services over the Internet, where multiple clients share the provider's computing resources. IAM in the cloud moves identity management to a third-party service provider. Client requests and user approvals travel across the Internet through a secure tunnel to the provider. The resources to be managed, such as servers, applications, and the network, reside in the client's computing environment. The users of these IT resources are the client's employees and business partners. The service provider maintains all the IAM servers, LDAP, and workflows required to provision users. The client's designated users submit requests on the Web, and the IAM workflow engine obtains all required approvals. The provider's IAM servers respond to these requests by submitting the appropriate instructions for the computing resource at the client. For example, when the client wants to create a new finance user in Active Directory and SAP, it submits the request to the provider through the Web. The provider's IAM servers send instructions to the client's Active Directory server to create a new user and add the user to the finance group.
They also instruct SAP to create the same user in the finance group and notify the client that its requests have been completed.

AUDIT STRATEGY
The IAM cloud approach provides challenges for internal auditors focused on assessing identifiable risks. The audit strategy is based on generally accepted audit principles but encompasses the broader risks associated with the IAM cloud. This strategy should address risks within the client's environment, within the provider's environment, and within the cloud. Some examples include risks associated with the service provider's ability to safeguard the organization's data and transactions over the Internet, as well as abuse of privileged accounts by the provider.

CLIENT ENVIRONMENT The risks in the client's environment are the same as internal IT risks. Some of the risks that the audit program should consider include unauthorized access to systems and data, abuse of privileged accounts, lack of approval process, missing patches, missing and ineffective log reviews, and inadequate monitoring. The scope of the IAM environment should include:
• Applications, including purchased and homegrown products.
• Identity management process from on-boarding to termination, including the approval process and workflow management.
• Servers that are used or managed in the IAM process, including Windows, Linux, and mainframes.
• Provisioning adapters used to connect the IAM server to the managed resources (if applicable).
• Network infrastructure used or managed during the identity management process.
• Access control for all servers, applications, network resources, and workflows used or managed during the IAM process.
In addition, the audit program should address proxy repositories in the client's environment. These databases of user accounts and assets are located in the client environment but owned and managed by the provider. Moreover, auditors should consider compliance with all relevant regulations that may increase risk.

PROVIDER ENVIRONMENT The service provider's environment may contain more risk depending on the level of access and information provided to clients. In most cases, the client remains accountable and liable for safeguarding information. When auditing the provider, auditors should address:
• IAM servers residing in the provider's environment. These include Linux and Windows servers that host the IAM functions and applications, Web services, repositories, databases, LDAP, and any other infrastructure that is needed to operate the outsourced model. Auditors should review security baselines periodically.
• Access control. Auditors should address access control in two areas: the provider's infrastructure and the client's data. Because the provider has administrator access to the client's provisioned IT resources, such elevated access should be reviewed and reported frequently.
• Segregation of data and privacy. The client's data should be segregated from other clients' data appropriately. This may mean using separate servers for each client and separate network subnets, where possible. Segregating and protecting data is especially important when the provider serves competing organizations.
• Security operation processes. Because the provider's internal IT operations have an impact on the client, auditors should review such operation processes as change, release, and patch management; backup and restore; disaster recovery for the client's IAM system and the ability to recover the client's system and data at an alternate site; incident response and problem management; and physical security of the IAM provider's facilities and data.
• IAM system availability. IAM servers should be redundant to increase availability, but the client has to weigh the increased cost of redundancy against how quickly an IAM system can be restored.
• Statement on Auditing Standards (SAS) 70 Type II reports. Auditors should periodically request and review the provider's SAS 70 report from an independent party to gain a fresh perspective on the risks existing within the provider's IT environment. This report can help auditors catalog identified risks, understand how quickly the risks are addressed, and determine whether the risks are increasing or decreasing over time.
• Periodic reports from the provider. The service contract should require the provider to submit reports on IAM operations and performance. These reports should cover user provisioning and de-provisioning, granting and removal of access, and administrative access usage and reviews. Auditors should compare these provisioning reports with approvals to verify the authenticity of the approval and the approver.
The risks in the provider's environment are elevated because the provider's employees have administrative access to the IAM computing resources and the client's computing resources. Implementing appropriate controls in the provider's environment can help reduce these risks.
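The comparison the "Periodic reports from the provider" bullet calls for (provisioning report versus approval records, checking both that an approval exists and that the approver was entitled to give it) can be scripted. The following is an added illustration, not code from the article or from any IAM product: the CSV layouts, field names, sample records and the approver roster are all constructed assumptions. It flags four conditions an auditor would treat as exceptions: an action with no approval record, self-approval, an approver who is not on the authorized list for the group granted, and an approval recorded only after the provider had already acted.

```python
"""Reconcile a provider's IAM provisioning report against the client's
workflow approvals. Added illustration; record formats, field names and
the approver roster are assumptions, not any vendor's format."""
import csv
from datetime import datetime
from io import StringIO

# Constructed sample: the provider's provisioning report, one line per action.
PROVISIONING_REPORT = """\
request_id,timestamp,action,user,resource,group,performed_by
R-1001,2009-08-03T09:15:00,create,jdoe,ActiveDirectory,finance,iam-svc
R-1001,2009-08-03T09:16:00,create,jdoe,SAP,finance,iam-svc
R-1002,2009-08-03T10:02:00,grant,asmith,SAP,finance,iam-svc
R-1003,2009-08-04T08:30:00,grant,bjones,ActiveDirectory,domain-admins,prov-admin
R-1004,2009-08-04T11:45:00,create,cmiller,SAP,finance,iam-svc
"""

# Constructed sample: the client's workflow-engine approval records.
APPROVALS = """\
request_id,approved_at,approver,requester
R-1001,2009-08-02T16:40:00,finance.mgr,hr.intake
R-1002,2009-08-03T10:30:00,finance.mgr,asmith
R-1004,2009-08-04T09:00:00,cmiller,cmiller
"""

# Assumed roster: which approvers may authorize membership in each group.
AUTHORIZED_APPROVERS = {
    "finance": {"finance.mgr", "finance.dir"},
    "domain-admins": {"it.security.mgr"},
}


def parse_csv(text):
    """Parse an in-memory CSV document into a list of row dicts."""
    return list(csv.DictReader(StringIO(text)))


def reconcile(report_text, approvals_text, approvers=AUTHORIZED_APPROVERS):
    """Return (request_id, finding) pairs for every provisioning event that
    lacks a valid, authorized and timely approval. Events with no finding
    are silently accepted."""
    # One approval per request id; a later duplicate would overwrite an
    # earlier one, which is acceptable for this illustration.
    approvals = {row["request_id"]: row for row in parse_csv(approvals_text)}
    findings = []
    for ev in parse_csv(report_text):
        rid = ev["request_id"]
        appr = approvals.get(rid)
        if appr is None:
            findings.append((rid, "no approval record"))
            continue
        if appr["approver"] == appr["requester"]:
            findings.append((rid, "self-approval"))
        if appr["approver"] not in approvers.get(ev["group"], set()):
            findings.append(
                (rid, f"approver {appr['approver']} not authorized for {ev['group']}")
            )
        approved = datetime.fromisoformat(appr["approved_at"])
        performed = datetime.fromisoformat(ev["timestamp"])
        if approved > performed:
            findings.append((rid, "approval recorded after provisioning"))
    return findings


if __name__ == "__main__":
    for rid, finding in reconcile(PROVISIONING_REPORT, APPROVALS):
        print(f"{rid}: {finding}")
```

Running it over the constructed samples accepts both R-1001 actions (approved in advance by an authorized finance manager) and reports R-1002 as approved only after SAP access was granted, R-1003 as a domain-admins grant with no approval at all, and R-1004 twice, once for self-approval and once because the requester is not an authorized finance approver. Against real reports, the same join on request id is what lets the auditor verify "the authenticity of the approval and the approver" rather than merely that a report was delivered.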
THE CLOUD The third aspect of an IAM cloud computing audit strategy is the cloud itself. The cloud's security should be based on providing and establishing a secure tunnel between the client and the provider. Auditors should test this tunnel periodically. The tunnels to various clients also should be segregated in such a way that client data does not cross and intruders have no access.

THREE ELEMENTS TO AUDIT
"Divide and conquer" is the appropriate strategy for auditing IAM in the cloud. Auditors must address each of the three elements of this form of security administration — client, provider, and cloud — individually using generally accepted audit principles and methodologies.
SAJAY RAI, CPA, CISSP, CISM, is CEO and founder of Securely Yours LLC in Bloomfield Hills, Mich.

PHILIP CHUKWUMA, CISSP, is chief technology officer with Securely Yours LLC.

To comment on this article, e-mail the authors at [email protected].

Send story ideas about current IT issues and best practices for ITAudit to: Steve Mar, [email protected].

For more technology articles, visit the ITAudit section of internalAuditorOnline.org.

AUGUST 2009 INTERNAL AUDITOR
