Help with a question - Cloud

An IS auditor is reviewing a third-party agreement for a new cloud-based accounting service provider. Which of the following considerations is the MOST important with regard to the privacy of the accounting data?

A. Data retention, backup and recovery

B. Return or destruction of information

C. Network and intrusion detection

D. A patch management process

Can you tell which is the correct answer and why? The option that I thought to be correct - A is wrong but I would like to hear from you. Data retention - data must be in encrypted format while at rest, backup and recovery also should be performed in a secured way with proper controls in place. Not quite getting why is this wrong.

Find more posts tagged with

CISA

Comments

kaiju

B. Return or destruction of information

This is one of the hottest topics pertaining to cloud computing. In a normal, non-cloud, environment the destruction of information is easily handled by following the proper procedures for removing/destroying the information. This normally done by destroying the physical hard drives that contained critical or proprietary information after the information has been removed and/or over-written so that information can not be retrieved. In a cloud environment, hardware is used by multiple clients so there is a chance that trace amounts of information can be leaked unknowingly to unauthorized parties if there is a not a clear procedure pertaining to the return or destruction of customer data.

Answer "A." will deal more with the customer's DRP/BCP.

sumeetgandhi

kaiju said:

B. Return or destruction of information

This is one of the hottest topics pertaining to cloud computing. In a normal, non-cloud, environment the destruction of information is easily handled by following the proper procedures for removing/destroying the information. This normally done by destroying the physical hard drives that contained critical or proprietary information after the information has been removed and/or over-written so that information can not be retrieved. In a cloud environment, hardware is used by multiple clients so there is a chance that trace amounts of information can be leaked unknowingly to unauthorized parties if there is a not a clear procedure pertaining to the return or destruction of customer data.

Answer "A." will deal more with the customer's DRP/BCP.

@kaiju

Thanks for the inputs, I am not very much convinced though, lets me give one example here. I create a new account on AWS or Azure and spin up VMs with 3 tier architecture. I then publish my own financial app on it and users are using. One day, I decide to move to something else. Now at this point I will go and terminate the instance. I loose all the VM's and database too. How will I guarantee that my data has been scrubbed off properly as I cannot ask them to send me the drive which has my data since its a shared environment nor I can visit them nor I can see with some proof that yes my data is gone for good.

Just trying to put the pieces together. Option B you mentioned is the correct one though.

kaiju

Actually, your example fits perfectly into what I wrote. What guarantee is there that your information has been completely removed from the cloud? That is why "B. Return or destruction of information" is the most important element pertaining to cloud computing and privacy.

The method and procedures pertaining to data destruction needs to be thoroughly discussed prior to signing contract with cloud computing service/entity.

Edit:

Questions to be asked:

1) How is space allocated?

a) By block size > requested drive space can be allocated from a much larger pool that is made up of hundreds or thousands of HDD that are being used by multiple customers. In this scenario, people fear data leakage.

b) By hdd. The more secure but not so common choice but is possible to rent a blade(s) in a rack that contains the required amount of space.

2) How is information destroyed?

a) Allocated space is wiped clean after data is removed. What procedure?

b) Allocated space is over-written so no data can be retrieved. What procedure?

c) HDD are wiped, overwritten and reformatted for re-use.

d) HDD are wiped and overwritten prior to destruction (most cloud facilities are not going to do this because it is not cost effective unless the customer is paying for or providing the HDD).

sumeetgandhi

kaiju said:

Actually, your example fits perfectly into what I wrote. What guarantee is there that your information has been completely removed from the cloud? That is why "B. Return or destruction of information" is the most important element pertaining to cloud computing and privacy.

The method and procedures pertaining to data destruction needs to be thoroughly discussed prior to signing contract with cloud computing service/entity.

Edit:
Questions to be asked:
1) How is space allocated?
a) By block size > requested drive space can be allocated from a much larger pool that is made up of hundreds or thousands of HDD that are being used by multiple customers. In this scenario, people fear data leakage.
b) By hdd. The more secure but not so common choice but is possible to rent a blade(s) in a rack that contains the required amount of space.
2) How is information destroyed?
a) Allocated space is wiped clean after data is removed. What procedure?
b) Allocated space is over-written so no data can be retrieved. What procedure?
c) HDD are wiped, overwritten and reformatted for re-use.
d) HDD are wiped and overwritten prior to destruction (most cloud facilities are not going to do this because it is not cost effective unless the customer is paying for or providing the HDD).

@kaiju thank you very much for the insight. I have few more question, which will need your expert opinion.

paul78

@sumeetgandhi - btw - I see that you are in Singapore. The PDPC in Singapore has a very good site (https://www.pdpc.gov.sg) that goes into quite a bit of detail about privacy centric protection. There's a lot of guidelines and advisories on privacy concepts. The privacy law in Singapore is very closely aligned with established privacy best practices and frameworks.

sumeetgandhi

paul78 said:

@sumeetgandhi - btw - I see that you are in Singapore. The PDPC in Singapore has a very good site (https: // www. pdpc. gov. sg ) that goes into quite a bit of detail about privacy centric protection. There's a lot of guidelines and advisories on privacy concepts. The privacy law in Singapore is very closely aligned with established privacy best practices and frameworks.

@paul78 thank you for the resource, I will surely check it out.