Cloud security is the biggest concern for companies adopting cloud computing, and this is the consensus in the industry. The concerns include the security of storing, transmitting and accessing data held in the cloud, the reliability of the cloud infrastructure, assurance that enterprise data is not seen by unrelated people, and the visualization and controllability of cloud computing. Cloud audit, which makes cloud computing auditable and visualized, is the best way to reassure companies about their cloud security concerns.
In 2009, the capital Societe Generale first proposed the concept of cloud audit. As the reporter understands it, the company's general manager, Xu Yafei, worked in a military research department for nearly 20 years, and in 2002 led a small team of 7 people with 500,000 yuan into the network security field. On the development of security technology, Xu Yafei has his own distinctive views and a vision of the times. So what are the security issues with cloud computing? What problems can IT audits solve? How does cloud auditing address enterprise concerns about cloud security? To find out, the reporter interviewed general manager Xu Yafei on the topic of cloud security and cloud audit.
Traditional IT audit: the balance between "spear" and "shield"
According to Xu Yafei, the concept of cloud audit was introduced in 2009. At that time, Cisco in the US also set up a cloud audit working group. Xu said with a smile, "It seems that everyone began to pay attention to this problem at that time." "Prior to this, the Societe Generale had been focused on the development of network security software and integrated network monitoring systems; by 2004, the advent of the database security audit system marked the enterprise's official march into the IT system audit field."
In Xu Yafei's view, traditional IT audit is both "spear" and "shield" for domestic enterprises. He thinks, "Those outside the enterprise will point the 'spear' of IT audit at the inside of the enterprise; at the same time, IT audit theory and practice also provide a very good 'shield' for enterprise information construction and for controlling IT risk." IT auditing is a process of acquiring and evaluating evidence. Its main objective is to identify and evaluate the risk management environment and the assurance measures of environmental control, and to judge whether management's statements on control are reliable. The audit must therefore maintain its independence and examine and evaluate from the objective position of a third party.
IT audits are designed to better control IT risk and effectively help the enterprise avoid risk. IT audit is a process of monitoring, appraising and controlling IT risk from four aspects of the information system: security, validity, compliance and efficiency. It monitors the enterprise's daily IT operation and also appraises IT from the strategic level.
On the one hand, IT audit has grown with the application of computers in the financial field: a great deal of IT is applied in finance, and in such an environment a good financial audit must rely on IT means, because the effectiveness of IT controls is an important guarantee of the authenticity of financial reporting. On the other hand, the enterprise information system is not just an isolated financial system; information systems now reach all over enterprise life as one integrated system covering finance, personnel, supply and marketing, and production. Through IT audit, the overall goals of the enterprise will be more secure. Among the security, compliance, effectiveness and efficiency that IT audit attends to, the level protection and grading protection of security are receiving increasing attention.
In Xu Yafei's view, enterprises should not only pay attention to the usability of information systems and solve the problem of usage, but also pay attention to traditional IT security problems. They should make a unified strategic plan for enterprise informatization at the strategic and governance levels, and manage and operate IT in a unified way across organizational structure and function, so as to better promote the realization of enterprise goals and reduce enterprise risk.
Traditional IT audit crosses into the cloud: addressing the risks of cloud vendors and cloud users
"The cloud audit proposed in 2009 is viewed from the perspective of the whole information system, not only from a security perspective. The rise of cloud computing poses new opportunities and challenges for traditional IT audits," says Xu.
Mr. Xu and his team first studied the risks of cloud computing. They think these risks can be divided into two levels: the risk that the cloud provider faces, and the risk that cloud users should consider. Providers need to consider how to provide users with a secure, controllable and trusted cloud computing solution; users need to consider how to ensure that their information resources and data resources are trustworthy and controllable.
"We have introduced the concept of IT auditing in cloud computing to address the risks facing cloud computing. In 2009, the capital of the enterprise proposed the concept of cloud audit," said Xu. "We are all concerned about this problem: how the user's resources and data information in the cloud can be made auditable and visualized. Cloud computing provides a virtual environment in which users can access resources and services on demand, and it is also said to be 'foggy', which reflects doubts about the security and reliability of cloud computing. From the user's point of view, users want to use secure and reliable cloud services, so the enterprise's cloud audit is from the perspective of the entire information system."
As for the security risks posed by cloud computing, Xu believes that cloud security has become a larger area, different from the previous usage patterns. The original solution allows users to set boundaries for their own network, like building a wall. With cloud computing, it is difficult to determine the scope of the fence.
The larger problem is user identity authentication, followed by permissions, data storage, transmission and other issues. "We think that in the era of cloud security, the focus for users is on the safe use of cloud computing. When the infrastructure no longer requires the user's consideration, users need to start thinking about whether their own data and resources on the provider's platform can be assured. Who is using my data, how my data is transmitted, and how it is stored securely become what users are more concerned about."
Cloud computing platforms need to be deployed in sync with cloud audit: visualized, auditable cloud computing
In terms of the risks of cloud computing itself, users currently consider mainly two levels: the security of the cloud infrastructure and the security of data. "The market is still in a rather chaotic state," Xu Yafei pointed out. "Who should be responsible for what, and who should not consider what, has not yet formed a very clear level." The business of the Societe Generale has expanded from one facet to several facets and finally to a new system audit. Its domains have also extended from security to reliability, compliance and efficiency. In terms of levels, it extends from the bottom up to the application level. According to him, the current national Societe Generale customers are spread across telecommunications, banking, taxation, defense systems and other industries.
For the security of cloud computing, users generally think in the broad sense. Having put data resources in the cloud, users worry about the security of data storage and use. Security here is broad: in addition to how data is backed up, the efficiency of the cloud platform itself is also a user concern. In the narrow sense, users worry about whether anyone else can see their data. This requires cloud service providers to provide proof, and cloud audit solves exactly this problem.
In Xu Yafei's view, cloud audit permeates all aspects of resources, including data and information systems. This provides the user with a "visualization" service. In China, cloud audit is still at the beginning stage. "Many users think cloud computing itself is still relatively misty, but in fact cloud audit is very close and very realistic, and it needs to be considered in step with the enterprise's cloud construction. When an enterprise is ready to build various clouds, before that it will first think about whether cloud audit can be put in. It has been predicted that the public cloud will develop faster than the private cloud, but the opposite is true in China," he explains. "Cloud audit in China accompanies the development of cloud infrastructure; if cloud audit does not keep up with the construction of the cloud platform, it will, first of all, bring security problems."
On the one hand, building a cloud computing platform requires the synchronous deployment of cloud audit; on the other hand, cloud audit has also promoted the development of cloud computing. "Users will start with the business when deploying cloud audits," explains Xu. "In terms of infrastructure security, users can change from traditional security to cloud security faster, but in the cloud environment, cloud audit is considered closer to the application level. Users need to go through the process from primary to intermediate to advanced. Consider the deployment of cloud audits from a cloud security perspective, which we think is a support for data information about the cloud infrastructure, close to the application level, and then the data level, cloud infrastructure and core users."
Referring to the practical significance of cloud auditing, Xu said that cloud audit itself can do much to promote the development of cloud computing services: a cloud service platform attracts a large number of SME users. Cloud audit focuses on enterprise users who cannot see into the cloud. These small and medium-sized enterprise users have business volume of their own, but under existing conditions cannot vigorously develop their own cloud computing platforms. If all the resources are provided by a cloud computing service provider, the reach of IT audit can be extended to enterprises that lack the ability to build cloud computing but have a strong demand for it. Objectively, cloud audit introduces something like a third-party service for them, and has played a role in promoting the overall development of cloud computing.