This reading material has similarities with CISA Chapter 3.6, since both discuss virtualization. After understanding the reasons that led to virtualization and its implications, this reading extends the discussion and provides some methods to face the risks of virtualization, which I found the most interesting. According to the reading, the response to risk ought to be consistent throughout the whole development process. In the beginning, the designer needs to forecast the possible risks that might happen and try to ameliorate the system. Then, while the risk is happening, the operator needs to take timely action in response to the risk and strive for the recovery of the system. Then, after the specific risk has been tackled, the operator needs to develop a control system in order to make sure that the system would be immune to the same risk the next time. Thus, it could be concluded that risk prevention is actually an active process, not a static method, and ought to be conducted throughout the entire running process.
As cloud computing is becoming more and more popular with the general public, the audit system in information technology becomes increasingly necessary to make cloud computing perform well. In this article, the one thing which is interesting for me is the introduction of how IaaS could be broken down into five main fields. In the article, the author indicates that the assessment of IaaS ought to focus on connectivity first in order to ensure functionality. Then, network and computer services and management ought to be focused on, which means that the system ought also to be customer-oriented and aim at satisfying the users’ demand. In addition, given that data is increasingly critical in the big data era, data storage is also considered important in the IaaS system so that data would be used properly and with the only aim of promoting the users’ benefit. In addition, the storage of the users’ data ought to be allowed by the users themselves, which impresses me a lot in that I originally thought the storage of data is a process which could not be controlled by the users.
Virtualization is a software technology that divides a physical resource, such as a server, into virtual resources. I found that the idea of virtualization adds a layer of abstraction between two layers in the computer system. Virtualization helps to consolidate physical resources, simplify deployment and administration, and reduce power and cooling requirements.
A web server, database server, logic server, or backup server could all be virtualized into virtual servers, which creates convenience and saves money by reducing acquisition, maintenance and electricity costs. This explains why cloud computing is becoming a growing trend in our daily lives.
I agree with your comment. Virtualization is such an interesting concept and the possibilities are vast. Being able to create virtual backups and having more CPUs and storage without physically having them is a huge advantage in business.
Server virtualization is increasingly becoming the norm in data centers. With server virtualization, each physical server supports multiple virtual machines (VMs), each running its own operating system, middleware and applications. Virtualization is a key enabler of workload agility, i.e., allowing any server to host any application and providing the flexibility of adding, shrinking, or moving services within the physical infrastructure. Server virtualization provides numerous benefits, including higher utilization, increased data security, reduced user downtime, and reduced power usage.
While reading through the ISACA article on “Audits of Cloud and SaaS” and how the author places a large emphasis on the importance of a proper risk framework, I took an incredible interest in the elements that the author deems important for an organization to consider when purchasing SaaS. SaaS, an acronym for Software as a Service, is described in a basic fashion in the article as a form of outsourced cloud computing. The article goes on to explain how the most important things organizations tend to consider prior to implementing SaaS include the compatibility with on-site systems and infrastructure, costs of implementation and upkeep, scalability, and complexity. However, the author does go on to explain that auditors trying to use a framework to assess the SaaS should primarily focus on: Business Process Modeling, Evaluation and Analysis, and Process Execution. The article even provides examples of risks associated with ignoring these categories when assessing using a risk framework, such as “inadequate connectivity between applications and data, improper integration with existing systems, and inadequate monitoring of SaaS business processes and events” (Singleton, 2010).
Virtualization is different from working with IT systems that use physical servers. The IT auditor needs to know every aspect of VM technology and the risks associated with VMs. The IT auditor should assess the business need for moving from physical to virtual and whether doing so would provide any real benefit to the organization. While auditing a virtual IT system, the information security auditor should evaluate the precautionary measures that have been put in place based on situational awareness and the validity of these measures. The policies and procedures should be backed by proper authentication, authorization and accounting procedures to mitigate any risk associated with the virtual IT system. Both physical and logical access controls should be enforced by the organization, and the auditor should check the validity of all the controls.
An organization relying on a virtual IT system should have a proper support system in times of production server failure or disaster. The auditor should check the DR plan for the virtual IT system and should evaluate the test results. The auditor needs to evaluate the sufficiency of existing controls, such as firewalls, intrusion detection systems, intrusion prevention systems, and network port security, so that the virtual system does not fall prey to external malicious attacks. The information security auditor should be aware of the best practices in VMs, specifically the benchmarks proposed by CIS and DISA. Based on the unique aspects of VM technology, the information security auditor should gather evidence and assurance of the controls in a virtual IT system.
In ISACA’s “Auditing Risks in Virtual IT Systems,” virtualization is defined as a software technology that divides a physical resource (e.g., a server) into virtual resources called virtual machines (VMs). People usually use virtualization to consolidate physical resources, simplify deployment and administration, and reduce power and cooling requirements.
Although server virtualization technology is the most popular technology, virtualization is not limited to servers. In order to have a clearer understanding of virtualization, people categorized virtualization into storage virtualization, network virtualization, and server virtualization.
Virtualization has a lot of benefits from a security perspective. It has better forensic capabilities, faster recovery after an attack, safer and more effective patching, better control over desktop resources, and more cost-effective security devices.
Hi, Penghui:
With the experience of Azure, we would understand why server virtualization technology is the most popular technology. When a workstation, web server, file server, SQL server, and domain controller could all run on any one computer in the company, it saves a large amount of space and equipment for other activities, and the company could hire fewer people.
The interesting thing that I found is the audit of virtual IT systems. IT auditors should have an adequate understanding of the VM and of the business need, and should evaluate the process of creation, development and change management of the VM. Therefore, IT auditors should understand the development and maintenance process, the VM itself, as well as the business needs, to see whether moving servers to VMs could bring real benefit to the business. It is interesting to know because, unlike other audits, auditing VMs requires far more technical knowledge to audit effectively, which means IT auditors would spend more time interviewing the IT team in order to have a good enough understanding. At the same time, understanding the business needs is always the key to a successful audit.
Hi Shuyue,
You are absolutely right that understanding the business needs is always the key to a successful audit. As an IT auditor, one should always know the policy of the company first and then conduct a series of interviews to enhance his or her knowledge.
When Salesforce implemented a cloud, a large part of the market was very skeptical. Any little slip-up could’ve been not only detrimental to Salesforce but could’ve set back cloud technology for years. Thankfully, Salesforce was able to prove its security and many other companies have followed suit. The risks associated with Cloud Computing are pretty obvious. If a client’s information is stored in the cloud, there is a risk of it being breached from the outside. On the other hand, one of the largest threats to an employee is a poorly trained employee who might fall for a phishing scam. When assessing risks of the cloud, or any IT system, it is always the top priority to make sure that your employees are properly educated.
Hello,
As I read through your response on what intrigued you the most in regards to the ISACA article on “IT Audits of Cloud and SaaS”, I was particularly interested in your choice to use Salesforce as an example of how cloud computing, in general, can be a risky but fruitful business endeavor. While not the first example that comes to my mind, it paints a good picture of what cloud computing done right can accomplish. I also appreciated your example of one of the most common risks of any significant change to an organization’s information system, and that is employees lacking appropriate training to accommodate the changes made.
Cloud computing has become an important platform as it offers organizations a less expensive approach to handle their computing needs and accomplish business objectives. Since it is still evolving, auditing such a platform remains complicated for auditors. As a result, the article mentions how it is important to choose an appropriate framework and develop a proper risk assessment. Doing so will help identify the risks, evaluate mitigating controls and audit the risky objects. The article goes on to discuss two cloud frameworks: Infrastructure as a Service (IaaS) and Software as a Service (SaaS). Infrastructure as a Service (IaaS) provides online processing or data storage capacity. Software as a Service (SaaS) provides a business application used by many individuals/organizations simultaneously. Each of these services is unique in its own way and requires different focus points. For example, when considering Infrastructure as a Service (IaaS), one must focus attention on connectivity, network services and management, compute services and management, data storage, and security. Whereas for Software as a Service (SaaS), one must consider business process modeling, evaluation and analysis, and process execution. The article identifies several risks associated with Infrastructure as a Service (IaaS) and Software as a Service (SaaS).
Great comments, and thank you for sharing your understanding of the two different cloud frameworks. After reading your comments, especially the example you took, I have a deeper understanding of IaaS and SaaS.
I think Auditing Security Risks in Virtual IT Systems is an interesting article. I learned about virtualization and how to audit virtual IT systems. There are many advantages to virtualization, for example, better forensic capabilities, faster recovery after an attack, and safer and more effective patching. I think it will provide better security for the organization’s IT systems. Moreover, it is important for IT auditors to understand how to audit virtual IT systems. In this article, the authors mentioned more than a hundred points from different aspects. There is a point about evaluating business continuity and capacity management strategies for virtual IT systems. I think it is very useful for IT auditors and lets them know the basic idea of auditing virtual IT systems.
Hi Ryu, I like your ideas about the advantages of virtualization. I think flexibility is also a key advantage: virtual resources can be dynamically deployed and reconfigured to meet changing business needs. Also, depending on the product, resource partitioning and aggregation can support implementing virtual resources that are much smaller or much larger than individual physical resources, meaning you can scale without changing the physical resource allocation.
While these virtual systems may seem to offer better security, I think that we need to have a certain level of skepticism in regards to how secure they truly are. My concern primarily comes from the auditing checklist, as you mentioned, that contains over 100 different points. To me, this means that there are over 100 potential points that can be missed by an organization and over 100 chances of risk (and this is another example of my doomsday mentality). While any type of audit can be complex, I think that virtual systems one-up physical systems in terms of complexity, since they are much more intricate.
One point is the advantages of virtualization. In the assigned reading, the advantages include better forensic capabilities, faster recovery after an attack, safer and more effective patching, better control over desktop resources, and more cost-effective security devices. Virtualization indeed allows for greater flexibility, control and isolation by removing the dependency on a given hardware platform. For organizations, it increases productivity through efficient and economic use of energy and increased staff productivity. For individuals, it makes communication with people clearer through network virtualization, storage virtualization, server virtualization, application virtualization and data virtualization.
Good point. The advantages of virtualization save money and time while providing much greater business continuity and ability to recover from disaster. However, there are a couple of disadvantages that should be brought up. First of all, software licensing considerations are becoming less of a problem as more software vendors adapt to the increased adoption of virtualization, but it is important to check with your vendors to clearly understand how they view software use in a virtualized environment. Also, implementing and managing a virtualized environment will require IT staff with expertise in virtualization; most people may be unable to expand its potential to a large extent.
Virtualization does have its many advantages, such as monetary savings and the ability to recover from disaster. However, each business has its different needs, and to switch over there will be a large amount of costs involved; every business should weigh its costs and benefits before deciding to convert to virtualization.
Virtualization has been around for a long time, and its benefits, from flexibility and scalability to quality assurance and cost savings, are well known. Following are the primary security risks associated with virtualization:
– First, virtualization adds additional layers of infrastructure complexity. This means monitoring for unusual events and anomalies also becomes more complex, which in turn makes it more difficult than it already is to identify security issues.
– Next, virtualized environments are dynamic by design, rapidly changing on a regular basis. Unlike physical environments, virtual machines can be spun up in a matter of minutes. It can be easy to lose track of what’s online, offline and what potential security holes are exposed.
– Finally, in addition to the dynamic nature of virtual machines themselves, workloads can be moved quickly. This also poses a security risk.
Great point. Many organizations use a cloud provider for both SaaS and IaaS, along with their own managed virtual environment. APIs used to communicate between the environments can be a significant risk. Many virtual environments are over-allocated, particularly if the devices running all utilize their max configured compute or memory configurations. These configurations can lead to significant performance degradation. This often happens when the hypervisor is compromised and the server configuration is changed.
Much has been written about cloud computing, SaaS and data centers, but often those technologies are melded as a composite service referred to as cloud computing. Actually, there is a simple framework for thinking about cloud computing that should help IT auditors in performing a risk assessment. The components are Infrastructure as a Service (IaaS) and Software as a Service (SaaS)—almost identical to the way we think of the body of technologies internal to an entity.
Good point, Yuan. Understanding the Infrastructure as a Service (IaaS) and Software as a Service (SaaS) platforms will definitely help auditors to locate possible security risks associated with each service. Infrastructure as a Service (IaaS) and Software as a Service (SaaS) each have their own pros and cons. A benefit of Infrastructure as a Service (IaaS) is that it allows the ability to scale up and down quickly in response to an enterprise’s requirements. An example of Infrastructure as a Service (IaaS) is Amazon Web Services. A benefit of Software as a Service (SaaS) is that it is flexible in the sense that it allows subscribers to access the software easily from any location with internet capabilities. An example of Software as a Service (SaaS) is Cisco WebEx.
In recent years (really since the 1980s) companies have been moving more towards virtual information systems for many reasons. Using virtual systems allows for greater cost savings and the reduction of inefficiencies within a business. With virtualization comes added risks involving the network, the host, and other third-party risks. One thing that I took particular interest in from the ISACA article “Auditing Security Risks in a Virtual Environment” was that there are three different types of virtualization: 1) Storage, 2) Network, and 3) Server. I understood that there were certainly levels to virtualization; however, it was interesting seeing them broken out. Overall, the benefit of virtualization can be seen across the business. Using a virtual environment allows for more agile development, scalability, and creating a network that (through the right ports) can be accessed from almost anywhere.
Alex, I strongly agree with your point that “with the virtualization, comes the added risk”. While virtualization provides numerous benefits through the use of VMs, moving to a virtualized environment does not exempt IT systems from the security risks applicable to such a setup in a physical environment; the use of VMs may introduce new and unique security risks or lead to more significant impacts.
Following are some of the high risks that should be considered as part of assessing the risks of virtualization: VM sprawl, security of offline and dormant VMs, service hijacking through the self-service portal, risks due to the cloud service provider, and many more.
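The risks listed above (VM sprawl, offline and dormant VMs) and the earlier comment that it is easy to lose track of what is online and offline are the kind of thing an auditor can check mechanically against an inventory export. As an added example, not from the ISACA article or any commenter, here is a Python audit check over a constructed VM inventory; the field names, the 90-day dormancy and 30-day patch thresholds, and the sample VMs are all assumptions.

```python
"""Audit check for VM sprawl and dormant/unpatched VMs over a constructed inventory.

Added illustration (not from the ISACA article or any commenter). Given an
exported VM inventory, flag the conditions the thread calls high risks:
VMs nobody owns (sprawl), VMs powered off long enough to have missed patch
cycles (dormant/offline VMs), and VMs whose patch level is older than the
policy window. Field names and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class VM:
    name: str
    power_state: str                 # "on" or "off"
    owner: Optional[str]             # team or person tag; None means untagged
    last_power_change: date          # when the VM was last switched on or off
    last_patched: Optional[date]     # None means never patched


# Policy thresholds (assumed; a real audit takes these from the organization's standards).
DORMANT_AFTER = timedelta(days=90)
PATCH_WINDOW = timedelta(days=30)


def audit_inventory(vms: List[VM], today: date,
                    dormant_after: timedelta = DORMANT_AFTER,
                    patch_window: timedelta = PATCH_WINDOW) -> Dict[str, List[str]]:
    """Return {vm_name: [finding, ...]} for every VM with at least one finding."""
    findings: Dict[str, List[str]] = {}
    for vm in vms:
        issues = []
        if not vm.owner:
            issues.append("no owner tag (sprawl: nobody is accountable for this VM)")
        if vm.power_state == "off":
            off_for = today - vm.last_power_change
            if off_for >= dormant_after:
                issues.append(f"dormant: powered off for {off_for.days} days")
        if vm.last_patched is None:
            issues.append("never patched")
        elif today - vm.last_patched > patch_window:
            stale = (today - vm.last_patched).days
            # An offline VM cannot receive patches; record that so it is patched
            # in isolation before it is powered back on to the production network.
            where = "while offline" if vm.power_state == "off" else "while running"
            issues.append(f"patch level {stale} days old {where}")
        if issues:
            findings[vm.name] = issues
    return findings


def summarize(findings: Dict[str, List[str]]) -> Dict[str, int]:
    """Count findings by category so an auditor can size the problem quickly."""
    counts = {"sprawl": 0, "dormant": 0, "patching": 0}
    for issues in findings.values():
        for issue in issues:
            if issue.startswith("no owner"):
                counts["sprawl"] += 1
            elif issue.startswith("dormant"):
                counts["dormant"] += 1
            else:
                counts["patching"] += 1
    return counts


# Constructed sample inventory for the demonstration.
TODAY = date(2024, 6, 1)
SAMPLE_VMS = [
    VM("web-01", "on", "web-team", date(2024, 5, 20), date(2024, 5, 25)),
    VM("db-02", "on", "dba", date(2024, 1, 10), date(2024, 3, 1)),
    VM("test-legacy", "off", None, date(2023, 11, 15), date(2023, 10, 1)),
    VM("tmp-build", "on", None, date(2024, 5, 30), None),
]

if __name__ == "__main__":
    result = audit_inventory(SAMPLE_VMS, TODAY)
    for name, issues in result.items():
        print(name)
        for issue in issues:
            print("  -", issue)
    print(summarize(result))
```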
Hi Alex, I think you are right. I also read about the article related to IT system virtualization. According to what I found, the storage virtualization is a concept in System Administration, referring to the abstraction of logical storage from physical storage. I think that virtualization could also improve the organization’s IT security.
A good example of SaaS over virtualization is Amazon Web Services (AWS). AWS offers a host of software and platforms. The software is installed on virtual hosts and can be scaled up or down as and when required.
If we focus beyond the infrastructure and start-up cost, once deployed, an SaaS application platform should only be concerned with reproducibility. Each and every instance of the SaaS-based application should be identical to each other.
In today’s society, we are moving towards using virtualization compared to traditional data management. Virtualization itself is a software technology that doesn’t rely on one physical resource. There are certain implications that come with this new type of data store but the benefits of it outweigh the risks. Using virtual servers, any server or host can access the data and allows more flexibility in the workload. When converting from traditional to physical servers, the organization should evaluate if there is a business need for it because it does come with its costs and negatives.
Virtualization is the process of creating a software-based, or virtual, representation of something, such as virtual applications, servers, storage, and networks. It is the single most effective way to reduce IT expenses while boosting efficiency and agility for all size businesses.
Virtualization can increase IT agility, flexibility, and scalability while creating significant cost savings: greater workload mobility, increased performance and availability of resources, and automated operations. Also, it makes IT simpler to manage and less costly to own and operate.
Hi, I agree with you that any server or host can access the data and allows more flexibility in the workload using virtual servers. It increases productivity for organizations and individuals.
While the author mentions that virtualization security has its benefits, such as faster recovery time, safer and effective patching, and cost-effective security, I found it interesting that it was immediately followed by about 6 pages of text explaining the various risks, vulnerabilities, and audit points for these virtual systems. If a business were to consider switching to a virtual environment, they should also consider who exactly will be maintaining the software, so as to ensure that those employees are well versed in understanding the nature of virtualization. As of now, auditing these systems seems to be a grueling task due to their complexity, and it appears that more companies are deciding to switch to a virtual environment for the positive reasons mentioned above. The author makes note of a press release from 2010 which stated that roughly 60% of virtual servers will be less secure than their original, physical servers. I was curious as to why this would be the case, so I googled it and found that the press release also mentions that information security is typically an afterthought in these virtualization projects, and that the information security team is often excluded from project planning and architecture stages. So, as we have mentioned in class before, the reason why these systems aren’t secure is mainly due to lack of security planning during the SDLC.
Hi Sarah, I certainly agree that the movement towards virtualization brings in a new level of security risk to the organizations. In many situations, accepting the possible risk is the best option for an organization because assuming the risk on their end and hosting their servers in house would be too time and capital consuming. Again, this 60% figure does not surprise me at all given that the virtual systems are less secure.
IT Audits of Cloud and SaaS introduces the components of cloud computing. As the author mentions, some of the key factors for management when choosing the IaaS provider are flexible performance (including scalability) and availability while achieving physical and virtual security needs. Third-party service providers provide customers with hardware, operating systems and other software, servers, storage systems and various other IT components in a highly automated delivery model. In some cases, they can also handle tasks such as continuous system maintenance, data backup, and business continuity. Therefore, this flexibility is why IaaS is used in cloud computing services.
There are many considerations for choosing SaaS. Applications are installed by vendors or service providers and can be accessed over a network, usually the Internet. This pattern is often referred to as on demand software, which is the most mature cloud computing model because of its high degree of flexibility, proven support services, and strong scalability, which can reduce customer maintenance costs and investment.
Feng Gao says
This reading material has similarity with the CISA Chapter 3.6 since they both discuss the virtualization. After understanding the reasons led to the virtualization and its implication, this reading extends the discussion and provides some methods in order to face the risks of virtualization which I found the most interesting. According to the reading, the response to the risk ought to be consistent throughout the whole developing process. In the beginning, the designer needs to forecast the possible risks that might happen and try to ameliorate the system. Then, during the process when the risk is happening, the operator needs to take an in-time action in response to the risking and striving for the recovery of the system. Then, after the specific risk has been tackled, the operator needs to develop a control system in order to make their that the system would be able to immune the same risk the next time. Thus, it could be concluded that the risk prevention is actually an active process but not a statistic method which ought to be conducted throughout the entire running process.
As the cloud computing is becoming more and more popular in the general public, the audits system in the information technology becomes increasingly necessary to perform well the cloud computer. In this article, the one thing which is interesting for me is the introduction of how the IaaS could be broken down into five main fields. In the article, the author indicates that the assessment of the IaaS ought to be focused on the connectivity first in order to ensure the functionality. Then, the network and computer services and management ought to be focused which means that the system ought also to be customer-oriented and aim at satisfying the users’ demand. In addition, given the data is increasingly critical in the big data era, the data storage is also considered important in the IaaS system in order to that data would be used properly and with the only aim to promote the users’ benefit. In addition, the storage of the users’ data ought to be allowed by the users themselves which impresses me a lot in that I originally think the storage of data is a process which could not controlled by the users.
Yuchong Wang says
Virtualization is a software technology that divides a physical resource, such as a server, into virtual resources. I found the idea of virtualization adds a layer of abstraction between two layers in the computer system. Virtualisation helps to consolidate physical resources, simplify deployment and administration, and reduce power and cooling requirements.
A web server, database sever, logic server, backup server could all be virtualized into virtual server, which creates convenience and save money by reducing acquisition, maintenance and electricity costs. This explains the reason why cloud computing is becoming a growing trend in our daily lives.
Panayiotis Laskaridis says
I agree with your comment. Virtualization is such an interesting concept and the possibilities are vast. Being able to create virtual backups and having more CPU’s and storage without physically having it is a huge advantage in business.
Yuan Liu says
Server virtualization is increasingly becoming the norm in data centers. With server virtualization, each physical server supports multiple virtual machines (VMs), each running its own operating system, middleware and applications. Virtualization is a key enabler of workload agility, i.e., allowing any server to host any application and providing the flexibility of adding, shrinking, or moving services within the physical infrastructure. Server virtualization provides numerous benefits, including higher utilization, increased data security, reduced user downtime, reduced power usage
Imran Jordan Kharabsheh says
While reading through the ISACA article on “Audits of Cloud and SaaS” and how the author places a large emphasis on the importance of a proper risk framework, I took an incredible interest in the elements that the author deems important for an organization to consider when purchasing SaaS. SaaS, an acronym for Software as a Service, is described in a basic fashion in the article as a form of outsourced cloud computing. The article goes on to explain how the most important things organizations tend to consider prior to implementing SaaS include the compatibility with on-site systems and infrastructure, costs of implementation and upkeep, scalability, and complexity. However, the author does go on to explain that auditors trying to use a framework to assess the SaaS should primarily focus on: Business Process Modeling, Evaluation and Analysis, and Process Execution. The article even provides examples of risks associated with ignoring these categories when assessing using a risk framework, such as “inadequate connectivity between applications and data, improper integration with existing systems, and inadequate monitoring of SaaS business processes and events” (Singleton, 2010).
Zhu Li says
Virtualization is different from working with IT systems that use physical servers. The IT auditor needs to know every aspect of VM technology and the risks associated with VMs. The IT auditor should assess the business need for moving from physical to virtual and whether doing so would provide any real benefit to the organization. While auditing a virtual IT system, the information security auditor should evaluate the precautionary measures that have been put in place based on situational awareness and the validity of these measures. The policies and procedures should be backed by proper authentication, authorization and accounting procedures to mitigate any risk associated with the virtual IT system. Both physical and logical access controls should be enforced by the organization, and the auditor should check the validity of all the controls.
An organization relying on a virtual IT system should have a proper support system in times of production server failure or disaster. The auditor should check the DR plan for the virtual IT system and should evaluate the test results. The auditor needs to evaluate the sufficiency of existing controls, such as firewalls, intrusion detection systems, intrusion prevention systems, and network port security, so that the virtual system does not fall prey to external malicious attacks. The information security auditor should be aware of the best practices in VMs, specifically the benchmarks proposed by CIS and DISA. Based on the unique aspects of VM technology, the information security auditor should gather evidence and assurance of the controls in a virtual IT system.
Penghui Ai says
In ISACA “Auditing Risks in Virtual IT Systems,” Virtualization is defined as a software technology that divides a physical resource (e.g. server) into virtual resources called virtual machines (VMs). People usually use Virtualization to consolidate physical resources, simplify deployment and administration, and reduce power and cooling requirements.
Although server virtualization technology is the most popular technology, virtualization is not limited to servers. In order to have a clearer understanding of virtualization, people categorized virtualization into storage virtualization, network virtualization, and server virtualization.
Virtualization has a lot of benefits from a security perspective. It has better forensic capabilities, faster recovery after an attack, safer and more effective patching, better control over desktop resources, and more cost-effective security devices
Shuyue Ding says
Hi Penghui,
With our experience of Azure, we can understand why server virtualization technology is the most popular technology. When a workstation, web server, file server, SQL server, and domain controller can all run on any one computer in the company, it saves a large amount of space and equipment that can be used for other activities, and the company can hire fewer people.
Shuyue Ding says
The interesting thing that I found is the audit of virtual IT systems. IT auditors should have an adequate understanding of the VM and of the business need, and should evaluate the process of creation, development and change management of the VM. Therefore, IT auditors should understand the development and maintenance process, the VM itself, and the business needs in order to see whether moving servers to VMs could bring real benefit to the business. It is interesting to know because, unlike other audits, auditing VMs requires far more technical knowledge to be done effectively, which means IT auditors would spend more time interviewing the IT team in order to gain a good enough understanding. At the same time, understanding the business needs is always the key to a successful audit.
Yuchong Wang says
Hi Shuyue,
You are absolutely right that understanding the business needs is always the key to a successful audit. As an IT auditor, one should always know the company's policy first and then conduct a series of interviews to enhance his or her knowledge.
Panayiotis Laskaridis says
"IT Audits of Cloud and SaaS"
When Salesforce implemented a cloud, a large part of the market was very skeptical. Any little slip-up could have been not only detrimental to Salesforce but could have set back cloud technology for years. Thankfully, Salesforce was able to prove its security, and many other companies have followed suit. The risks associated with cloud computing are pretty obvious. If a client's information is stored in the cloud, there is a risk of it being breached from the outside. On the other hand, one of the largest threats to an employee is a poorly trained employee who might fall for a phishing scam. When assessing the risks of the cloud, or of any IT system, it is always the top priority to make sure that your employees are properly educated.
Imran Jordan Kharabsheh says
Hello,
As I read through your response on what intrigued you the most in regard to the ISACA article "IT Audits of Cloud and SaaS", I was particularly interested in your choice to use Salesforce as an example of how cloud computing, in general, can be a risky but fruitful business endeavor. While not the first example that comes to my mind, it paints a good picture of what cloud computing done right can accomplish. I also appreciated your example of one of the most common risks of any significant change to an organization's information system, that is, employees lacking appropriate training to accommodate the changes made.
Raisa Ahmed says
ISACA "IT Audits of Cloud and SaaS"
Cloud computing has become an important platform as it offers organizations a less expensive approach to handling their computing needs and accomplishing business objectives. Since it is still evolving, auditing such a platform remains complicated for auditors. As a result, the article mentions how important it is to choose an appropriate framework and develop a proper risk assessment. Doing so will help identify the risks, evaluate mitigating controls and audit the risky objects. The article goes on to discuss two cloud frameworks: Infrastructure as a Service (IaaS) and Software as a Service (SaaS). Infrastructure as a Service (IaaS) provides online processing or data storage capacity. Software as a Service (SaaS) provides a business application used by many individuals/organizations simultaneously. Each of these services is unique in its own way and requires different focus points. For example, when considering Infrastructure as a Service (IaaS), one must focus attention on connectivity, network services and management, compute services and management, data storage, and security, whereas for Software as a Service (SaaS), one must consider business process modeling, evaluation and analysis, and process execution. The article identifies several risks associated with Infrastructure as a Service (IaaS) and Software as a Service (SaaS).
Penghui Ai says
Hi Raisa,
Great comments, and thank you for sharing your understanding of the two different cloud frameworks. After reading your comments, especially the examples you gave, I have a deeper understanding of IaaS and SaaS.
Ryu Takatsuki says
I think "Auditing Security Risks in Virtual IT Systems" is an interesting article. I learned about virtualization and how to audit virtual IT systems. There are many advantages to virtualization, for example better forensic capabilities, faster recovery after an attack, and safer and more effective patching. I think it will provide better security for the organization's IT systems. Moreover, it is important for IT auditors to understand how to audit virtual IT systems. In this article, the authors mention more than a hundred points from different aspects. There is a point about evaluating business continuity and capacity management strategies for the virtual IT systems. I think it is very useful for IT auditors and lets them know the basic idea of auditing virtual IT systems.
Yuqing Tang says
Hi Ryu, I like your ideas about the advantages of virtualization. I think flexibility is also a key advantage: virtual resources can be dynamically deployed and reconfigured to meet changing business needs. Also, depending on the product, resource partitioning and aggregation can support implementing virtual resources that are much smaller or much larger than individual physical resources, meaning you can scale without changing the physical resource allocation.
Sarah Puffen says
While these virtual systems may seem to offer better security, I think that we need to have a certain level of skepticism in regard to how secure they truly are. My concern primarily comes from this auditing checklist, as you mentioned, that contains over 100 different points. To me, this means that there are over 100 potential points that can be missed by an organization and over 100 chances of risk (and this is another example of my doomsday mentality). While any type of audit can be complex, I think that virtual systems one-up physical systems in terms of complexity, being that they are much more intricate.
Haixin Sun says
One point is the advantages of virtualization. In the assigned reading, the advantages include better forensic capabilities, faster recovery after an attack, safer and more effective patching, better control over desktop resources, and more cost-effective security devices. Virtualization indeed allows for greater flexibility, control and isolation by removing the dependency on a given hardware platform. For organizations, it increases productivity through efficient and economic use of energy and increased staff productivity. For individuals, it makes communication with people clearer through network virtualization, storage virtualization, server virtualization, application virtualization and data virtualization.
Xinye Yang says
Good point. The advantages of virtualization save money and time while providing much greater business continuity and ability to recover from disaster. However, a couple of disadvantages should be brought up. First of all, software licensing considerations are becoming less of a problem as more software vendors adapt to the increased adoption of virtualization, but it is important to check with your vendors to clearly understand how they view software use in a virtualized environment. Also, implementing and managing a virtualized environment will require IT staff with expertise in virtualization; most people may be unable to expand its potential to a large extent.
Mei X Wang says
Virtualization does have many advantages, such as monetary savings and the ability to recover from disaster. However, each business has its own needs, and switching over involves a large amount of cost, so every business should weigh the costs and benefits before deciding to convert to virtualization.
Deepa Kuppuswamy says
Virtualization has been around a long time, and its benefits, from flexibility and scalability to quality assurance and cost savings, are well known. The following are the primary security risks associated with virtualization:
– First, virtualization adds additional layers of infrastructure complexity. This means monitoring for unusual events and anomalies also becomes more complex, which in turn makes it more difficult than it already is to identify security issues.
– Next, virtualized environments are dynamic by design, rapidly changing on a regular basis. Unlike physical environments, virtual machines can be spun up in a matter of minutes. It can be easy to lose track of what's online, what's offline, and what potential security holes are exposed.
– Finally, in addition to the dynamic nature of the virtual machines themselves, workloads can be moved quickly. This also poses a security risk.
Feng Gao says
Great point. Many organizations use a cloud provider for both SaaS and IaaS, along with their own managed virtual environment. The APIs used to communicate between the environments can be a significant risk. Many virtual environments are over-allocated, particularly if all the running devices utilize their maximum configured compute or memory. These configurations can lead to significant performance degradation. This often happens when the hypervisor is compromised and the server configuration is changed.
Yuan Liu says
Much has been written about cloud computing, SaaS and data centers, but often those technologies are melded into a composite service referred to as cloud computing. Actually, there is a simple framework for thinking about cloud computing that should help IT auditors in performing a risk assessment. The components are Infrastructure as a Service (IaaS) and Software as a Service (SaaS), almost identical to the way we think of the body of technologies internal to an entity.
Raisa Ahmed says
Good point, Yuan. Understanding the Infrastructure as a Service (IaaS) and Software as a Service (SaaS) platforms will definitely help auditors locate the possible security risks associated with each service. Infrastructure as a Service (IaaS) and Software as a Service (SaaS) each have their own pros and cons. A benefit of Infrastructure as a Service (IaaS) is that it allows the ability to scale up and down quickly in response to an enterprise's requirements. An example of Infrastructure as a Service (IaaS) is Amazon Web Services. A benefit of Software as a Service (SaaS) is that it is flexible in the sense that it allows subscribers to access the software easily from any location with internet connectivity. An example of Software as a Service (SaaS) is Cisco WebEx.
Alexander Reichart-Anderson says
In recent years (really since the 1980s) companies have been moving more towards virtual information systems for many reasons. Using virtual systems allows for greater cost savings and the reduction of inefficiencies within a business. With virtualization come added risks involving the network, the host, and other third-party risks. One thing I took particular interest in from the ISACA article "Auditing Security Risks in a Virtual Environment" was that there are three different types of virtualization: 1) storage, 2) network, and 3) server. I understood that there were certainly levels to virtualization; however, it was interesting seeing them broken out. Overall, the benefit of virtualization can be seen across the business. Using a virtual environment allows for more agile development, scalability, and creating a network that (through the right ports) can be accessed from almost anywhere.
Deepa Kuppuswamy says
Alex, I strongly agree with your point that "with virtualization comes added risk". While virtualization provides numerous benefits through the use of VMs, moving to a virtualized environment does not exempt IT systems from the security risks applicable to such a setup in a physical environment; the use of VMs may introduce new and unique security risks or lead to more significant impacts.
The following are some of the high risks that should be considered as part of assessing the risks of virtualization: VM sprawl, security of offline and dormant VMs, service hijacking through the self-service portal, risks due to the cloud service provider, and many more.
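Several of the risks raised in this thread (losing track of which VMs are online or offline, VM sprawl, dormant VMs that miss patch cycles, and over-allocated hosts) are findings an auditor can test mechanically against a hypervisor inventory export rather than by interview alone. The Python below is an added example written for this page; it is not code from the ISACA articles or from any of the commenters. The inventory it runs over is constructed, and its field names (`state`, `owner`, `vcpus`, `last_power_change`, `last_patched`), host core counts and thresholds are assumptions for illustration, not the output format of any real hypervisor API.

```python
"""Audit checks over a VM inventory: dormant VMs, unowned VMs (sprawl),
stale patching, and vCPU over-allocation per host.

The inventory below is constructed for this example; field names and
thresholds are assumptions, not a real hypervisor export format.
"""
from datetime import datetime, timedelta

# Fixed "now" so the example is deterministic.
NOW = datetime(2024, 3, 1)

# Constructed host capacity (physical cores per hypervisor host).
HOSTS = {
    "esx-01": {"pcpu_cores": 8},
    "esx-02": {"pcpu_cores": 16},
}

# Constructed VM inventory.
VMS = [
    {"name": "web-01", "host": "esx-01", "state": "on", "vcpus": 4,
     "owner": "web-team",
     "last_power_change": NOW - timedelta(days=30),
     "last_patched": NOW - timedelta(days=10)},
    {"name": "web-02", "host": "esx-01", "state": "on", "vcpus": 4,
     "owner": "web-team",
     "last_power_change": NOW - timedelta(days=30),
     "last_patched": NOW - timedelta(days=10)},
    # Sprawl indicator: a clone nobody claims ownership of.
    {"name": "test-clone-7", "host": "esx-01", "state": "on", "vcpus": 8,
     "owner": "",
     "last_power_change": NOW - timedelta(days=3),
     "last_patched": NOW - timedelta(days=3)},
    # Still running but outside the patch window.
    {"name": "legacy-app", "host": "esx-01", "state": "on", "vcpus": 8,
     "owner": "app-team",
     "last_power_change": NOW - timedelta(days=400),
     "last_patched": NOW - timedelta(days=90)},
    # Dormant: powered off for months, so it has missed every patch cycle.
    {"name": "old-db", "host": "esx-02", "state": "off", "vcpus": 4,
     "owner": "dba",
     "last_power_change": NOW - timedelta(days=120),
     "last_patched": NOW - timedelta(days=150)},
    # Recently powered off; not dormant under a 60-day threshold.
    {"name": "staging", "host": "esx-02", "state": "off", "vcpus": 2,
     "owner": "qa",
     "last_power_change": NOW - timedelta(days=10),
     "last_patched": NOW - timedelta(days=12)},
    {"name": "db-01", "host": "esx-02", "state": "on", "vcpus": 4,
     "owner": "dba",
     "last_power_change": NOW - timedelta(days=200),
     "last_patched": NOW - timedelta(days=20)},
]


def dormant_vms(vms, now=NOW, max_off_days=60):
    """Names of VMs powered off longer than max_off_days (threshold assumed)."""
    return sorted(vm["name"] for vm in vms
                  if vm["state"] == "off"
                  and (now - vm["last_power_change"]).days > max_off_days)


def unowned_vms(vms):
    """Names of VMs with no owner recorded, a common VM sprawl indicator."""
    return sorted(vm["name"] for vm in vms if not vm.get("owner"))


def unpatched_vms(vms, now=NOW, max_age_days=45):
    """Names of VMs (on or off) whose last patch is older than max_age_days."""
    return sorted(vm["name"] for vm in vms
                  if (now - vm["last_patched"]).days > max_age_days)


def vcpu_overcommit(vms, hosts):
    """Ratio of vCPUs assigned to powered-on VMs to physical cores, per host."""
    assigned = {h: 0 for h in hosts}
    for vm in vms:
        if vm["state"] == "on":
            assigned[vm["host"]] += vm["vcpus"]
    return {h: assigned[h] / hosts[h]["pcpu_cores"] for h in hosts}


def overcommitted_hosts(vms, hosts, max_ratio=2.0):
    """Hosts whose vCPU:pCPU ratio exceeds max_ratio (threshold assumed)."""
    return sorted(h for h, r in vcpu_overcommit(vms, hosts).items()
                  if r > max_ratio)


def audit(vms, hosts, now=NOW):
    """Run every check and return findings keyed by finding type."""
    return {
        "dormant": dormant_vms(vms, now),
        "unowned": unowned_vms(vms),
        "unpatched": unpatched_vms(vms, now),
        "overcommitted": overcommitted_hosts(vms, hosts),
    }


if __name__ == "__main__":
    for finding, items in audit(VMS, HOSTS).items():
        print(f"{finding}: {items}")
```

Each check corresponds to one audit point: the dormant list is what an auditor would compare against the patching evidence for offline VMs, the unowned list against the provisioning and change-management records, and the overcommit ratio against the capacity-management strategy. The thresholds (60 days off, 45 days unpatched, 2:1 vCPU to core) are placeholders; an organization's own policy supplies the real values.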
Ryu Takatsuki says
Hi Alex, I think you are right. I also read an article related to IT system virtualization. According to what I found, storage virtualization is a concept in system administration referring to the abstraction of logical storage from physical storage. I think that virtualization could also improve an organization's IT security.
Xinye Yang says
A good example of SaaS over virtualization is Amazon Web Services (AWS). AWS offers a host of software and platforms. The software is installed on virtual hosts and can be scaled up or down as and when required.
If we look beyond the infrastructure and start-up cost, once deployed, a SaaS application platform should only be concerned with reproducibility. Each and every instance of the SaaS-based application should be identical to the others.
Mei X Wang says
In today's society, we are moving towards using virtualization compared to traditional data management. Virtualization itself is a software technology that doesn't rely on one physical resource. There are certain implications that come with this new type of data store, but the benefits outweigh the risks. Using virtual servers, any server or host can access the data, which allows more flexibility in the workload. When converting from traditional to physical servers, the organization should evaluate whether there is a business need for it, because it does come with its costs and negatives.
Zhu Li says
Virtualization is the process of creating a software-based, or virtual, representation of something, such as virtual applications, servers, storage, and networks. It is the single most effective way to reduce IT expenses while boosting efficiency and agility for businesses of all sizes.
Virtualization can increase IT agility, flexibility, and scalability while creating significant cost savings. It provides greater workload mobility, increased performance and availability of resources, and automated operations. It also makes IT simpler to manage and less costly to own and operate.
Haixin Sun says
Hi, I agree with you that with virtual servers any server or host can access the data, which allows more flexibility in the workload. It increases productivity for organizations and individuals.
Sarah Puffen says
While the author mentions that virtualization security has its benefits, such as faster recovery time, safer and more effective patching, and cost-effective security, I found it interesting that this was immediately followed by about 6 pages of text explaining the various risks, vulnerabilities, and audit points for these virtual systems. If a business were to consider switching to a virtual environment, it should also consider who exactly will be maintaining the software, so as to ensure that those employees are well versed in the nature of virtualization. As of now, auditing these systems seems to be a grueling task due to their complexity, and it appears that more companies are deciding to switch to a virtual environment for the positive reasons mentioned above. The author makes note of a press release from 2010 which stated that roughly 60% of virtual servers will be less secure than their original, physical servers. I was curious as to why this would be the case, so I googled it and found that the press release also mentions that information security is typically an afterthought in these virtualization projects, and that the information security team is often excluded from the project planning and architecture stages. So, as we have mentioned in class before, the reason why these systems aren't secure is mainly a lack of security planning during the SDLC.
https://searchservervirtualization.techtarget.com/tutorial/Server-virtualization-security-best-practices-guide
Alexander Reichart-Anderson says
Hi Sarah, I certainly agree that the movement towards virtualization brings a new level of security risk to organizations. In many situations, accepting the possible risk is the best option for an organization, because assuming the risk on their end and hosting their servers in house would be too time- and capital-consuming. Again, this 60% figure does not surprise me at all, given that the virtual systems are less secure.
Yuqing Tang says
"IT Audits of Cloud and SaaS" introduces the components of cloud computing. As the author mentions, some of the key factors for management when choosing an IaaS provider are flexible performance (including scalability) and availability while achieving physical and virtual security needs. Third-party service providers provide customers with hardware, operating systems and other software, servers, storage systems and various other IT components in a highly automated delivery model. In some cases, they can also handle tasks such as continuous system maintenance, data backup, and business continuity. Therefore, this flexibility is why IaaS is used in cloud computing services.
There are many considerations for choosing SaaS. Applications are installed by vendors or service providers and can be accessed over a network, usually the Internet. This pattern is often referred to as on-demand software, which is the most mature cloud computing model because of its high degree of flexibility, proven support services, and strong scalability, which can reduce customer maintenance costs and investment.