“IT Audits of Cloud and SaaS” divides cloud computing into two parts, IaaS and SaaS. In my point of view, IaaS is hardware and SaaS is software. Unlike the traditional method of outsourcing, all the data need to be transferred through the Internet. When auditors make risk assessments, they need to consider both the service and the Internet’s influence on the service, such as connectivity or the security of data transmission.
Benefits of Virtualisation:
Apart from improving IT service agility, virtualisation reduces the infrastructure cost of ownership by decreasing the total number of physical servers; therefore, operating expenses go down dramatically.
Virtualisation expedites the server provisioning procedure and also improves capacity management. IT efficiency is increased due to shared CPU processing capacity and effective storage utilisation. VMs are capable of running different OSs and have several benefits such as encapsulation, isolation and partitioning.
VMs are encapsulated into files, which make it possible to rapidly save, copy and provision the VM. Fully configured systems, applications, OSs and virtual hardware may be moved within seconds from one physical server to another, for zero-downtime maintenance and continuous workload consolidation.
Virtualisation allows for partitioning multiple applications and supporting multiple OSs within a single physical system. Servers can be consolidated into VMs on either a scale-up or scale-out architecture, and computing resources can be treated as a uniform pool that is allocated to VMs in a controlled manner.
From a security point of view, the advantages of virtualisation are:
Better forensic capabilities
Faster recovery after an attack
Safer and more effective patching
Better control over desktop resources
More cost-effective security devices
Hello professor, here is my answer.
Virtualisation is a software technology that divides a physical resource, such as a server, into virtual resources called virtual machines.
Virtualization is not only a foundational technology for cloud computing, but it also enables organizations of all sizes to experience improvements in flexibility and cost control. In addition to this, virtualized data centers allow for simplified management and efficient use of resources. Virtualization is divided into storage virtualization, network virtualization, and server virtualization.
Virtualization is popular because it offers significant cost savings by sharing storage space and central processing unit (CPU) capacity. Virtualization is good for consolidating physical resources, simplifying deployment and management, and reducing power and cooling requirements.
Hello Professor,
Reading 1. ISACA “Auditing Risks in Virtual IT Systems”
Security risks in virtual IT systems:
(1) Architectural vulnerability:
-Vulnerability analysis
-Regular updates of security features on VMs
-Proper patch management on VMs
-Implementation of network best practices
(2) Software vulnerability:
-Prevention of single point of failure
-Hypervisor updates
-Controlled access to VMs
-Security of the host OS
-Organizational policy for VM security
(3) Configuration risks:
-Configuration assessment
-Hypervisor configuration checks
-Authorization and proper documentation of change
-Configuration audit and control
-Approved templates for VM deployments
-Event monitoring
-Configuration management database
Reading 2. ISACA “IT Audits of Cloud and SaaS”
Cloud computing: SaaS:
Key points in deciding to use SaaS:
-The complexity of the environment
-The need to buy smaller pieces/modules
-Compatibility with existing systems and IT
-Ease of purchase
-Ease of integration
-Project management
-Scalable infrastructure
-Billing/costs
Framework of breaking down SaaS:
1. Business process modeling involves the need to fit together workflow process structure, applications and data, organizational structure, and the integration of existing systems.
2. Evaluation and analysis includes process cost accounting, balanced scorecards, service level agreements, process warehouse and optimization.
3. Process execution includes workflow control, application integration, service orchestration, populating databases and business activity monitoring.
Thank you
Dear professor, the following is my answer, please check, thanks.
• ISACA “Auditing Risks in Virtual IT Systems”
Benefits of Virtualisation
Virtualisation of IT systems has many advantages, which is why it has become so popular. Apart from improving IT service agility, virtualisation reduces the infrastructure cost of ownership by decreasing the total number of physical servers; therefore, operating expenses go down dramatically.
Virtualisation expedites the server provisioning procedure and also improves capacity management. IT efficiency is increased due to shared CPU processing capacity and effective storage utilisation. VMs are capable of running different OSs and have several benefits such as encapsulation, isolation and partitioning.
VMs are encapsulated into files, which make it possible to rapidly save, copy and provision the VM. Fully configured systems, applications, OSs and virtual hardware may be moved within seconds from one physical server to another, for zero-downtime maintenance and continuous workload consolidation.
VMs are completely isolated from the host machine and other VMs. If a VM crashes, all others are unaffected. Data do not leak across VMs, and applications can communicate over configured network connections only.
Virtualisation allows for partitioning multiple applications and supporting multiple OSs within a single physical system. Servers can be consolidated into VMs on either a scale-up or scale-out architecture, and computing resources can be treated as a uniform pool that is allocated to VMs in a controlled manner.
Other significant benefits of virtualisation include effective segregation of duties, simulation support with multiple versions of the same or different OSs, more continuity options and expansion of the test environment. Some big organisations have embraced virtualisation to increase business resiliency to support disaster recovery (DR) and business continuity.
• ISACA “IT Audits of Cloud and SaaS”
Cloud Computing: SaaS
Some of the key points in deciding to use SaaS, or a particular vendor, are the complexity of the environment, the need to buy smaller pieces/modules, compatibility with existing systems and IT (including programming platform), ease of purchase, ease of integration, project management, scalable infrastructure, and billing/costs (metering).
There are various ways to break down SaaS, but here is one framework:
Business process modeling
Evaluation and analysis
Process execution
Business process modeling involves the need to fit together workflow/business process structure, applications and data, organizational structure, and the integration of existing systems. Evaluation and analysis includes process cost accounting, balanced scorecards, service level agreements (SLA), process warehouse and optimization. Process execution includes workflow control, applications integration (enterprise application integration [EAI]), service orchestration (service-oriented architecture [SOA]), populating databases/conversion and business activity monitoring. Other issues include document and content management, collaboration, systems management and administration, and various aspects of management of SaaS.
Examples of risks would be related to these areas. Some examples include an improper fit of the business process to the application, inadequate connectivity between applications and data, improper integration with existing systems, and inadequate monitoring of SaaS business processes and events. Obviously, the SLA is a key audit objective. There is also a risk of cost control and estimates; that is, it is possible that the move could end up costing the entity more rather than less. One example of cost control is the metering/billing aspect of SaaS, which presents an area of potential risk.
In ISACA “Auditing Risks in Virtual IT Systems,” virtualization is defined as a software technology that divides a physical resource into virtual resources called virtual machines. The IT auditor needs to know every aspect of VM technology and the risks associated with VMs. A virtual machine uses fewer resources to let multiple users co-exist on a system; it only needs to connect to the LAN to be realized. For example, the administrator uses a host while other employees in the same department use VMs. Administrators can configure user rights for VM users. This creates control risks associated with user permissions. One of the primary audit objectives of IT auditors is user rights control risk.
As for cloud technology, my understanding is that cloud is not only an open source sharing platform technology, but also a technical service. Many Internet companies have developed their own cloud technologies and provide cloud IT services, such as cloud databases, to other small companies. With cloud technology, IT auditors focus on data security, such as data flow tracing.
Virtualization of IT systems has many advantages, which is why it has become so popular. Apart from improving IT service agility, virtualization reduces the infrastructure cost of ownership by decreasing the total number of physical servers; therefore, operating expenses go down dramatically. It has better forensic capabilities, faster recovery after an attack, safer and more effective patching, better control over desktop resources, more cost-effective security devices and so on.
However, there are three main types of risks of virtual IT systems:
(1) architectural vulnerability; (2) software vulnerability; (3) configuration risks.
Fortunately, IT auditors already have a number of rules and metrics to examine and predict risk. The scope of the audit is very wide and the standards are very strict, which puts very high demands on IT auditors, but also keeps the risk within acceptable limits.
Auditing cloud computing in one sense is like auditing any new IT—understand the IT, identify the risks, evaluate mitigating controls and audit the risky objects. The understanding and risk assessment can be enhanced with a good framework to think about the IT and risks and, thus, assist the IT auditor in conducting an effectual risk assessment. Like virtualization, the risks of cloud computing should also be monitored and controlled.
Hello, professor
Here is my answer:
The thing of interest I took away is that I know the way to break down SaaS. Its framework includes Business process modeling, Evaluation and analysis, and Process execution. Business process modeling includes the need to fit together workflow/business process structure, applications and data, organizational structure, and the integration of existing systems. Evaluation and analysis includes process cost accounting, balanced scorecards, service level agreements, process warehouse and optimization. Process execution includes workflow control, applications integration, service orchestration, populating databases/conversion and business activity monitoring. By learning this way, I could audit Cloud and SaaS better.
Auditing Risks in Virtual IT Systems and IT Audits of Cloud and SaaS both focus on new technology that IT audits should raise attention to.
What interests me most is auditing Virtual IT Systems or cloud computing just like auditing any new IT—understand the IT, identify the risks, evaluate mitigating controls and audit the risky objects.
Take a virtual system as an example:
Virtualization is a software technology that divides a physical resource into virtual resources called virtual machines (VMs).
There are three kinds of it: Storage virtualization, Network virtualization and Server virtualization.
Main advantages of virtualization are:
(1) Better forensic capabilities
(2) Faster recovery after an attack
(3) Safer and more effective patching
(4) Better control over desktop resources
(5) More cost-effective security devices
The security risks in virtual IT systems can be broadly classified into three types: Architectural vulnerability, Software vulnerability, Configuration risks.
And the audit guideline provided can assist in identifying and fixing the weaknesses of virtual IT systems and can help improve the operational efficiency of VMs so that organizations benefit from virtualization technology.
Hi, professor,
here is my answer:
For the article “IT Audits of Cloud and SaaS”, my point of interest is Cloud Computing: IaaS. The main factors in the company’s management’s decision on whether to use IaaS and replace or supplement the internal infrastructure with the services it has assembled are supplier efficiency and cost. Assuming IaaS has a well-established infrastructure and mature enough technology, management is likely to use Cloud Computing: IaaS. And IaaS has flexible performance, availability, and a high level of security protection. When something goes wrong, there are various ways to break down IaaS. And IaaS has great advantages in the following areas.
• Connectivity
• Network services and management
• Compute services and management
• Data storage
• Security
Virtualisation is different from working with IT systems that use physical servers. The IT auditor needs to know every aspect of VM technology and the risks associated with VMs.
The IT auditor should assess the business need for moving from physical to virtual and whether doing so would provide any real benefit to the organisation. The principles, best practices and audit approach that are used for auditing a physical IT system should be used during the audit of virtual systems, along with the technology-specific audit points for virtualisation.
New technologies will bring new challenges to IT auditors. In recent months, cloud computing and Software as a Service (SaaS) have led the bleeding edge of IT. Therefore, IT auditors need to understand these technologies, establish an approach for identifying the key risks and develop effectual audits of the technologies for those risks.
IaaS can support cloud computing, and there are various ways to break down IaaS, such as Connectivity; Network services and management; Compute services and management; Data storage; and Security.
Hello professor, here is my answer.
From reading I learned that Virtualisation provides significant cost savings by sharing storage space and central processing unit (CPU) capacity. As with any technology, though, virtual IT systems are not risk-proof. A proper risk mitigation strategy needs to be developed and followed if organisations are to harness the benefits of virtualisation technology. Information security auditors have an important role to play in auditing the risks of virtual IT systems. This article discusses virtual IT systems and the inherent risks that need to be audited for proper risk mitigation and provides guidelines for security audits of virtual IT systems that can be referenced during information security audits and the application of security to virtual IT systems.
Even though they have many advantages, virtual IT systems are not risk-free or completely secure. Organisations need to take care of the security risks when using virtual IT systems. ‘Like their physical counterparts, most security vulnerabilities will be introduced through misconfiguration and mismanagement.’
Establishing policies and procedures for virtual IT systems is the responsibility of the organisation. When a process is being defined for VM deployment, IT managers need to work with business managers to identify the steps and time frame. By comparing system configurations with a well-defined security policy based on the benchmarks proposed by the Center for Internet Security (CIS) and the US Defense Information Systems Agency (DISA), the IT team can be assured that new deployments adhere to the organisation’s best practices. Ensuring that only approved configuration changes are implemented as part of a well-engineered process can minimise risks related to changes in a virtual environment.
Hello professor
Here is my answer
Virtualisation is a software technology that divides a physical resource, such as a server, into virtual resources called virtual machines (VMs). Virtualisation helps to consolidate physical resources, simplify deployment and administration, and reduce power and cooling requirements.
TYPES OF VIRTUALISATION
1. Storage virtualisation
2. Network virtualisation
3. Server virtualisation
BENEFITS OF VIRTUALISATION
1. Better forensic capabilities
2. Faster recovery after an attack
3. Safer and more effective patching
4. Better control over desktop resources
5. More cost-effective security devices
SECURITY RISKS IN VIRTUAL IT SYSTEMS
1. Architectural vulnerability
2. Software vulnerability
3. Configuration risks
AUDIT POINTS FOR THE SECURITY OF VIRTUAL IT SYSTEMS
Purpose of Moving From Physical to Virtual; Risk Assessment; Understanding the Infrastructure and the Controls; Network Map of the VM Environment; Evaluation of Policies, Procedures and Documentation; Evaluation of Controls; Network Security; Encryption for Communication
Logical Access Controls; Services and Configuration; File Sharing Between Host and Guests; Time Synchronisation; Disconnecting Unused Devices; Remote Management Approaches; Patching and Vulnerabilities; Logs; Backups; Denial of Service (DoS); Miscellaneous
Dealing with virtualization differs from working with real servers in IT systems. The IT auditor must be familiar with all aspects of virtual machine technology as well as the hazards that come with them. The IT auditor should evaluate the business case for migrating from physical to virtual, as well as whether or not doing so would be beneficial to the company. The information security auditor should examine the preventive measures that have been put in place based on situational awareness and the validity of these measures while auditing a virtual IT system. To limit any risk connected with the virtual IT system, the policies and processes should be backed up by suitable authentication, authorisation, and accounting methods.
Risks in Virtual IT Systems
Like their physical counterparts, most security vulnerabilities will be introduced through misconfiguration and mismanagement. Compromise of the virtualization foundation is a worst-case scenario.
The security risks in virtual IT systems can be broadly classified into three types:
1. Architectural vulnerability
2. Software vulnerability
3. Configuration risks
IAAS:
Connectivity obviously refers to reliable access to the Internet and connectivity to associated systems and technologies.
Network services and management includes not only providing network capabilities, but managing the network, monitoring the network and providing for efficient access through aspects such as load balancing.
Compute services and management include appropriate resources such as core, processors, memory and managing the operating system (OS).
Data storage
Security issues include security from unauthorized access by malicious intruders and rogue employees of the IaaS provider.
SAAS:
Business process modeling involves the need to fit together workflow/business process structure, applications and data, organizational structure, and the integration of existing systems.
Evaluation and analysis includes process cost accounting, balanced scorecards, service level agreements (SLA), process warehouse and optimization.
Process execution includes workflow control, applications integration (enterprise application integration [EAI]), service orchestration (service-oriented architecture [SOA]), populating databases/conversion and business activity monitoring.
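The audit points listed in the post above (approved templates, file sharing between host and guests, time synchronisation, disconnecting unused devices, remote management, patching, logs, backups, configuration management database) and the earlier post's point about comparing system configurations with a baseline security policy both come down to the same mechanical step: check each VM's recorded configuration against an approved baseline and record deviations as findings. The Python below is an added example of that configuration assessment, not code from any of the posts or from the ISACA articles. The inventory field names, the baseline values and the two sample VM records are constructed for illustration and do not follow any real hypervisor's export format.

```python
"""Configuration-compliance check of VM inventory records against an approved baseline.

Added example (constructed data): every field name and sample value below is an
assumption made for illustration, not the schema of a real hypervisor export.
"""
from dataclasses import dataclass

# Approved baseline (constructed): what the organisation's approved template requires.
BASELINE = {
    "approved_templates": {"tmpl-linux-hardened-v3", "tmpl-win-hardened-v2"},
    "allowed_devices": {"disk", "nic", "cdrom"},   # any other virtual device must be disconnected
    "min_tools_version": (12, 1, 0),                # minimum guest tools/agent patch level
    "remote_mgmt_protocols": {"https", "ssh"},      # encrypted management channels only
    "max_backup_age_days": 7,
}


@dataclass
class Finding:
    vm: str
    control: str    # audit point the deviation maps to
    severity: str   # "high" / "medium" / "low"
    detail: str


def parse_version(text: str) -> tuple:
    """Turn '12.3.1' into (12, 3, 1) so versions compare numerically, not as strings."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def check_vm(vm: dict, baseline: dict = BASELINE) -> list:
    """Return the Findings for one VM record; an empty list means compliant."""
    name, out = vm["name"], []
    # Approved templates: a VM built outside the template process is a change-control gap.
    if vm.get("template") not in baseline["approved_templates"]:
        out.append(Finding(name, "approved templates", "medium",
                           f"built from unapproved template {vm.get('template')!r}"))
    # Host/guest file sharing bypasses the network controls between host and guest.
    if vm.get("shared_folders_enabled"):
        out.append(Finding(name, "file sharing between host and guests", "high",
                           "shared folders enabled"))
    # Disconnecting unused devices: extra virtual hardware widens the attack surface.
    extra = sorted(set(vm.get("connected_devices", [])) - baseline["allowed_devices"])
    if extra:
        out.append(Finding(name, "disconnecting unused devices", "low",
                           "connected devices not in baseline: " + ", ".join(extra)))
    # Time synchronisation: unsynchronised clocks make logs hard to correlate in forensics.
    if not vm.get("ntp_servers"):
        out.append(Finding(name, "time synchronisation", "medium", "no NTP servers configured"))
    # Encryption for remote management.
    for proto in vm.get("remote_mgmt_protocols", []):
        if proto.lower() not in baseline["remote_mgmt_protocols"]:
            out.append(Finding(name, "remote management approaches", "high",
                               f"unencrypted management protocol {proto!r}"))
    # Patching: guest tools/agent below the baseline version.
    if parse_version(vm.get("tools_version", "0")) < baseline["min_tools_version"]:
        out.append(Finding(name, "patching and vulnerabilities", "medium",
                           f"tools version {vm.get('tools_version')} below baseline"))
    # Logs: event monitoring needs logging switched on and shipped to a central destination.
    if not vm.get("logging_enabled") or not vm.get("log_destination"):
        out.append(Finding(name, "logs", "medium", "logging disabled or no central log destination"))
    # Backups: last successful backup older than the baseline window.
    if vm.get("last_backup_age_days", 10**6) > baseline["max_backup_age_days"]:
        out.append(Finding(name, "backups", "high",
                           f"last backup {vm.get('last_backup_age_days')} days ago"))
    # CMDB: every VM should map to a configuration item and an authorised change.
    if not vm.get("cmdb_id") or not vm.get("change_ticket"):
        out.append(Finding(name, "configuration management database", "low",
                           "missing CMDB record or change authorisation"))
    return out


def audit(inventory: list, baseline: dict = BASELINE) -> dict:
    """Audit every VM; returns {vm_name: [Finding, ...]}, compliant VMs included with []."""
    return {vm["name"]: check_vm(vm, baseline) for vm in inventory}


# Constructed sample inventory: one compliant VM and one legacy VM with several deviations.
SAMPLE_INVENTORY = [
    {"name": "app-01", "template": "tmpl-linux-hardened-v3", "shared_folders_enabled": False,
     "connected_devices": ["disk", "nic"], "ntp_servers": ["ntp.example.internal"],
     "remote_mgmt_protocols": ["ssh"], "tools_version": "12.1.0", "logging_enabled": True,
     "log_destination": "syslog.example.internal", "last_backup_age_days": 1,
     "cmdb_id": "CI-0001", "change_ticket": "CHG-0001"},
    {"name": "legacy-07", "template": "manual-build", "shared_folders_enabled": True,
     "connected_devices": ["disk", "nic", "floppy", "serial"], "ntp_servers": [],
     "remote_mgmt_protocols": ["ssh", "telnet"], "tools_version": "11.0.2",
     "logging_enabled": True, "log_destination": "", "last_backup_age_days": 30,
     "cmdb_id": "", "change_ticket": ""},
]

if __name__ == "__main__":
    for vm_name, found in audit(SAMPLE_INVENTORY).items():
        print(f"{vm_name}: {'COMPLIANT' if not found else str(len(found)) + ' finding(s)'}")
        for f in found:
            print(f"  [{f.severity}] {f.control}: {f.detail}")
```

Each finding carries the audit point it maps to, so the output can be pasted straight into a working paper organised by the post's list of audit points; the baseline dictionary is the piece an auditor would replace with the organisation's own approved-template values or with items drawn from the CIS/DISA benchmarks the earlier post mentions.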
Auditing Security Risks in Virtual IT system.docx
Virtualization is a software technology that divides a physical resource.
It helps to consolidate physical resources, simplify deployment and administration, and reduce power and cooling requirements.
Virtualization in a computing system adds a layer of abstraction between two layers in that computer system. The layer of abstraction is a software layer between the hardware and the guest operating systems. The layer acts as a resource manager to enable the sharing of processing power and memory.
Types of virtualization: Storage virtualization, Network virtualization, Server virtualization.
The IT auditor needs to know every aspect of VM technology and the risks associated with VMs. To perform a successful audit of a virtual IT system, the information security auditor should have an adequate understanding of the VM infrastructure, access points, used and unused ports, embedded or overlaid controls, and server partitions.
The IT auditor should assess the business need for moving from physical to virtual and whether doing so would provide any real benefit to the organization.
The auditor should check the DR plan for the virtual IT system and should evaluate the test results. The auditor needs to evaluate the sufficiency of existing controls, such as firewalls, intrusion detection systems, intrusion prevention systems and network port security, so that the virtual system does not fall prey to external malicious attacks. The information security auditor should be aware of the best practices in VMs, specifically the benchmarks proposed by CIS and DISA.
Cloud computing is definitely a significant part of the new-era information system. IT auditing could utilize the new framework to break down IaaS.
There are various ways to break down IaaS, but here is one way:
Connectivity
Network services and management
Compute services and management
Data storage
Security
There are various ways to break down SaaS, but here is one framework:
Business process modeling
Evaluation and analysis
Process execution
Hello, professor
Here is my answer:
The thing of interest I took away is that I know the way to break down SaaS. Its framework includes Business process modeling, Evaluation and analysis, and Process execution. Business process modeling includes the need to fit together workflow/business process structure, applications and data, organizational structure, and the integration of existing systems. Evaluation and analysis includes process cost accounting, balanced scorecards, service level agreements, process warehouse and optimization. Process execution includes workflow control, applications integration, service orchestration, populating databases/conversion and business activity monitoring. By learning this way, I could audit Cloud and SaaS better.
Auditing Risks in Virtual IT Systems and IT Audits of Cloud and SaaS both focus on new technology that IT audits should raise attention to.
What interests me most is auditing Virtual IT Systems or cloud computing just like auditing any new IT—understand the IT, identify the risks, evaluate mitigating controls and audit the risky objects.
Take Virtual system for an example:
Virtualization is a software technology that divides a physical resource into virtual resources called virtual machines (VMs)
There are three kinds of it: Storage virtualization, Network virtualization and Server virtualization.
Main advantages of virtualization are:
(1) Better forensic capabilities
(2) Faster recovery after an attack
(3) Safer and more effective patching
(4) Better control over desktop resources
(5) More cost-effective security devices
The security risks in virtual IT systems can be broadly classified into three types: Architectural vulnerability, Software vulnerability, Configuration risks.
And the audit guideline provided can assist in identifying and fixing the weaknesses of virtual IT systems and can help improve the operational efficiency of VMs so that organizations benefit from virtualization technology.
Hi, professor,
here is my answer:
For the article “IT Audits of Cloud and SaaS”, my point of interest is Cloud Computing: IaaS. The main factors in the company’s management’s decision on whether to use IaaS and replace or supplement the internal infrastructure with the services it has assembled are supplier efficiency and cost. Assuming IaaS has a well-established infrastructure and mature enough technology, management is likely to use Cloud Computing: IaaS. And IaaS has flexible performance, availability, and a high level of security protection. When something goes wrong, there are various ways to break down IaaS. And IaaS has great advantages in the following areas.
• Connectivity
• Network services and management
• Compute services and management
• Data storage
• Security
Virtualisation is different from working with IT systems that use physical servers. The IT auditor needs to know every aspect of VM technology and the risks associated with VMs.
The IT auditor should assess the business need for moving from physical to virtual and whether doing so would provide any real benefit to the organisation. The principles, best practices and audit approach that are used for auditing a physical IT system should be used during the audit of virtual systems, along with the technology-specific audit points for virtualisation.
New technologies will bring new challenges to IT auditors. In recent months, cloud computing and Software as a Service (SaaS) have led the bleeding edge of IT. Therefore, IT auditors need to understand these technologies, establish an approach for identifying the key risks and develop effectual audits of the technologies for those risks.
IaaS can support cloud computing, and there are various ways to break down IaaS, such as Connectivity; Network services and management; Compute services and management; Data storage; and Security.
Hello professor, here is my answer.
From reading I learned that Virtualisation provides significant cost savings by sharing storage space and central processing unit (CPU) capacity. As with any technology, though, virtual IT systems are not risk-proof. A proper risk mitigation strategy needs to be developed and followed if organisations are to harness the benefits of virtualisation technology. Information security auditors have an important role to play in auditing the risks of virtual IT systems. This article discusses virtual IT systems and the inherent risks that need to be audited for proper risk mitigation and provides guidelines for security audits of virtual IT systems that can be referenced during information security audits and the application of security to virtual IT systems.
Even though they have many advantages, virtual IT systems are not risk-free or completely secure. Organisations need to take care of the security risks when using virtual IT systems. ‘Like their physical counterparts, most security vulnerabilities will be introduced through misconfiguration and mismanagement.’
Establishing policies and procedures for virtual IT systems is the responsibility of the organisation. When a process is being defined for VM deployment, IT managers need to work with business managers to identify the steps and time frame. By comparing system configurations with a well-defined security policy based on the benchmarks proposed by the Center for Internet Security (CIS) and the US Defense Information Systems Agency (DISA), the IT team can be assured that new deployments adhere to the organisation’s best practices. Ensuring that only approved configuration changes are implemented as part of a well-engineered process can minimise risks related to changes in a virtual environment.
BR
Yidi Xu
Hello professor
Here is my answer
Virtualisation is a software technology that divides a physical resource, such as a server, into virtual resources called virtual machines (VMs). Virtualisation helps to consolidate physical resources, simplify deployment and administration, and reduce power and cooling requirements.
TYPES OF VIRTUALISATION
1. Storage virtualisation
2. Network virtualisation
3. Server virtualisation
BENEFITS OF VIRTUALISATION
1. Better forensic capabilities
2. Faster recovery after an attack
3. Safer and more effective patching
4. Better control over desktop resources
5. More cost-effective security devices
SECURITY RISKS IN VIRTUAL IT SYSTEMS
1. Architectural vulnerability
2. Software vulnerability
3. Configuration risks
AUDIT POINTS FOR THE SECURITY OF VIRTUAL IT SYSTEMS
Purpose of Moving From Physical to Virtual; Risk Assessment; Understanding the Infrastructure and the Controls; Network Map of the VM Environment; Evaluation of Policies, Procedures and Documentation; Evaluation of Controls; Network Security; Encryption for Communication
Logical Access Controls; Services and Configuration; File Sharing Between Host and Guests; Time Synchronisation; Disconnecting Unused Devices; Remote Management Approaches; Patching and Vulnerabilities; Logs; Backups; Denial of Service (DoS); Miscellaneous
Dealing with virtualization differs from working with real servers in IT systems. The IT auditor must be familiar with all aspects of virtual machine technology as well as the hazards that come with them. The IT auditor should evaluate the business case for migrating from physical to virtual, as well as whether or not doing so would be beneficial to the company. The information security auditor should examine the preventive measures that have been put in place based on situational awareness and the validity of these measures while auditing a virtual IT system. To limit any risk connected with the virtual IT system, the policies and processes should be backed up by suitable authentication, authorisation, and accounting methods.
Risks in Virtual IT Systems
Like their physical counterparts, most security vulnerabilities will be introduced through misconfiguration and mismanagement. Compromise of the virtualization foundation is a worst-case scenario.
The security risks in virtual IT systems can be broadly classified into three types:
1. Architectural vulnerability
2. Software vulnerability
3. Configuration risks
IT Audits of Cloud and SaaS
IaaS:
Connectivity obviously refers to reliable access to the Internet and connectivity to associated systems and technologies.
Network services and management includes not only providing network capabilities, but managing the network, monitoring the network and providing for efficient access through aspects such as load balancing.
Compute services and management include appropriate resources such as core, processors, memory and managing the operating system (OS).
Data storage
Security issues include security from unauthorized access by malicious intruders and rogue employees of the IaaS provider.
SaaS:
Business process modeling involves the need to fit together workflow/business process structure, applications and data, organizational structure, and the integration of existing systems.
Evaluation and analysis includes process cost accounting, balanced scorecards, service level agreements (SLA), process warehouse and optimization.
Process execution includes workflow control, applications integration (enterprise application integration [EAI]), service orchestration (service-oriented architecture [SOA]), populating databases/conversion and business activity monitoring.
Auditing Security Risks in Virtual IT system.docx
Virtualization is a software technology that divides a physical resource.
It helps to consolidate physical resources, simplify deployment and administration, and reduce power and cooling requirements.
Virtualization in a computing system adds a layer of abstraction between two layers in that computer system. The layer of abstraction is a software layer between the hardware and the guest operating systems. The layer acts as a resource manager to enable the sharing of processing power and memory.
Types of virtualization: Storage virtualization, Network virtualization, Server virtualization.
The IT auditor needs to know every aspect of VM technology and the risks associated with VMs. To perform a successful audit of a virtual IT system, the information security auditor should have an adequate understanding of the VM infrastructure, access points, used and unused ports, embedded or overlaid controls, and server partitions.
The IT auditor should assess the business need for moving from physical to virtual and whether doing so would provide any real benefit to the organization.
The auditor should check the DR plan for the virtual IT system and should evaluate the test results. The auditor needs to evaluate the sufficiency of existing controls, such as firewalls, intrusion detection systems, intrusion prevention systems and network port security, so that the virtual system does not fall prey to external malicious attacks. The information security auditor should be aware of the best practices in VMs, specifically the benchmarks proposed by CIS and DISA.
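Several of the posts above come back to the same audit step: compare a VM’s configuration with a well-defined benchmark (the CIS/DISA comparison mentioned in one answer) and work through the technology-specific audit points (file sharing between host and guests, disconnecting unused devices, remote management, logs, DoS). As an added example, not code from either ISACA article or from any of the posts, the Python script below parses a VMware .vmx guest configuration and reports every deviation from a small benchmark, tagged with the audit point it supports. The parameter names are of the kind used in VMware’s hardening guidance, but the expected values, the rule set and the sample .vmx are assumptions constructed for this example, not a copy of any CIS or DISA benchmark.

```python
"""Compare a VMware .vmx guest configuration against a small hardening benchmark.

Added example, not from the ISACA articles or the posts above. The rule set and
expected values are assumptions for illustration, not an official benchmark.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A .vmx line looks like:   isolation.tools.copy.disable = "TRUE"
VMX_LINE = re.compile(r'^\s*([\w.:\-]+)\s*=\s*"(.*)"\s*$')


@dataclass(frozen=True)
class Rule:
    key: str            # .vmx parameter (ESXi treats keys case-insensitively)
    expected: str       # value the benchmark expects (compared case-insensitively)
    absent_ok: bool     # True if a missing key already satisfies the rule
    audit_point: str    # audit point from the article this rule supports


@dataclass(frozen=True)
class Finding:
    key: str
    observed: Optional[str]   # None when the parameter is not set at all
    expected: str
    audit_point: str


# Assumed benchmark (hypothetical expected values, modelled on hardening-guide style settings).
BENCHMARK: Tuple[Rule, ...] = (
    Rule("isolation.tools.copy.disable", "TRUE", False, "File Sharing Between Host and Guests"),
    Rule("isolation.tools.paste.disable", "TRUE", False, "File Sharing Between Host and Guests"),
    Rule("isolation.tools.diskShrink.disable", "TRUE", False, "Denial of Service (DoS)"),
    Rule("isolation.device.connectable.disable", "TRUE", False, "Disconnecting Unused Devices"),
    Rule("floppy0.present", "FALSE", True, "Disconnecting Unused Devices"),
    Rule("serial0.present", "FALSE", True, "Disconnecting Unused Devices"),
    Rule("parallel0.present", "FALSE", True, "Disconnecting Unused Devices"),
    Rule("RemoteDisplay.maxConnections", "1", False, "Remote Management Approaches"),
    Rule("log.rotateSize", "1000000", False, "Logs"),
    Rule("log.keepOld", "10", False, "Logs"),
)

# Constructed sample .vmx for the example; not taken from a real VM.
SAMPLE_VMX = '''\
.encoding = "UTF-8"
config.version = "8"
displayName = "app-server-01"
# constructed sample: some settings deliberately deviate from the benchmark
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "false"
isolation.device.connectable.disable = "TRUE"
floppy0.present = "TRUE"
RemoteDisplay.maxConnections = "5"
log.rotateSize = "1000000"
log.keepOld = "10"
'''


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse key = "value" lines into a dict; keys are lower-cased, comments skipped."""
    config: Dict[str, str] = {}
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        m = VMX_LINE.match(raw)
        if m:
            config[m.group(1).lower()] = m.group(2)
    return config


def audit_vmx(config: Dict[str, str], rules: Tuple[Rule, ...] = BENCHMARK) -> List[Finding]:
    """Return one Finding per rule the configuration fails, in benchmark order."""
    findings: List[Finding] = []
    for rule in rules:
        observed = config.get(rule.key.lower())
        if observed is None:
            if not rule.absent_ok:
                findings.append(Finding(rule.key, None, rule.expected, rule.audit_point))
        elif observed.strip().upper() != rule.expected.upper():
            findings.append(Finding(rule.key, observed, rule.expected, rule.audit_point))
    return findings


def report(findings: List[Finding]) -> str:
    """Render findings grouped by audit point, one line each."""
    lines = []
    for f in sorted(findings, key=lambda f: f.audit_point):
        observed = "<not set>" if f.observed is None else f'"{f.observed}"'
        lines.append(f'[{f.audit_point}] {f.key}: observed {observed}, expected "{f.expected}"')
    return "\n".join(lines)


if __name__ == "__main__":
    result = audit_vmx(parse_vmx(SAMPLE_VMX))
    print(report(result) if result else "No deviations from benchmark")
```

Run against the constructed sample, the script flags the paste channel still enabled, the disk-shrink setting never set, a floppy device left present and five remote console connections allowed; the unset serial and parallel devices pass because absence means the device does not exist. For a real audit, replace the sample with the .vmx files collected from the hosts and the rule set with the organisation’s own approved benchmark.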