Cloud accounting systems, the audit trail, forensics and the EU GDPR: how hard can it be?

George Weir, Andreas Aßmuth, Mark Whittington, Bob Duncan

Research output: Contribution to conference, Paper

Abstract

Ahead of the introduction of the EU General Data Privacy Regulation (GDPR), we consider some important unresolved issues with cloud computing, namely, the insecure cloud audit trail problem and the challenge of retaining cloud forensic evidence. Developing and enforcing good cloud security controls is an essential requirement for this to succeed. The nature of cloud computing architecture can add additional problem layers for achieving cloud security to an already complex problem area. Historically, many corporates have struggled to identify when their systems have been breached, let alone understand which records have been accessed, modified, deleted or exfiltrated from their systems. Often, there is no understanding as to who has perpetrated the breach, meaning it is difficult to quantify the risk to which they have been exposed. The GDPR seeks to improve this situation by requiring all breaches to be reported within 72 hours of an occurrence, including full identification of all records compromised, failing which the organisation could be subject to punitive levels of fines. We consider why this is such an important issue, identifying what desirable characteristics should be aimed for and propose a novel means of effectively and efficiently achieving these goals. We have identified a range of issues which need to be addressed to ensure a robust level of security and privacy can be achieved. We have addressed these issues in both the context of conventional cloud-based systems, as well as in regard to addressing some of the many weaknesses inherent in the internet of things. We discuss how our proposed approach may help better address the identified key security issues.

Conference

Conference: British Accounting & Finance Association (BAFA) Annual Conference 2017
Country: United Kingdom
City: Edinburgh
Period: 10/04/17 - 12/04/17
Fingerprint

Data privacy
Cloud computing
Internet of things

Keywords

  • cloud security
  • privacy
  • cloud audit
  • cloud forensics
  • Internet of Things

Cite this

Weir, G., Aßmuth, A., Whittington, M., & Duncan, B. (2017). Cloud accounting systems, the audit trail, forensics and the EU GDPR: how hard can it be?. Paper presented at British Accounting & Finance Association (BAFA) Annual Conference 2017, Edinburgh, United Kingdom.
Weir, George; Aßmuth, Andreas; Whittington, Mark; Duncan, Bob. / Cloud accounting systems, the audit trail, forensics and the EU GDPR: how hard can it be?. Paper presented at British Accounting & Finance Association (BAFA) Annual Conference 2017, Edinburgh, United Kingdom. 6 p.
@conference{b128e9346f5a4a88885155b23d216e09,
title = "Cloud accounting systems, the audit trail, forensics and the EU GDPR: how hard can it be?",
keywords = "cloud security, privacy, cloud audit, cloud forensics, Internet of Things",
author = "George Weir and Andreas A{\ss}muth and Mark Whittington and Bob Duncan",
year = "2017",
month = "8",
day = "10",
language = "English",
note = "British Accounting & Finance Association (BAFA) Annual Conference 2017 ; Conference date: 10-04-2017 Through 12-04-2017",
url = "http://bafa.ac.uk/events/upcoming-events/annual-conference-2017.html",

}

Weir, G, Aßmuth, A, Whittington, M & Duncan, B 2017, 'Cloud accounting systems, the audit trail, forensics and the EU GDPR: how hard can it be?' Paper presented at British Accounting & Finance Association (BAFA) Annual Conference 2017, Edinburgh, United Kingdom, 10/04/17 - 12/04/17.

Cloud accounting systems, the audit trail, forensics and the EU GDPR : how hard can it be? / Weir, George; Aßmuth, Andreas; Whittington, Mark; Duncan, Bob.

2017. Paper presented at British Accounting & Finance Association (BAFA) Annual Conference 2017, Edinburgh, United Kingdom.

TY - CONF

T1 - Cloud accounting systems, the audit trail, forensics and the EU GDPR

T2 - how hard can it be?

AU - Weir, George

AU - Aßmuth, Andreas

AU - Whittington, Mark

AU - Duncan, Bob

PY - 2017/8/10

Y1 - 2017/8/10

KW - cloud security

KW - privacy

KW - cloud audit

KW - cloud forensics

KW - Internet of Things

UR - http://bafa.ac.uk/events/events-past/annual-conference-2017.html

M3 - Paper

ER -

Weir G, Aßmuth A, Whittington M, Duncan B. Cloud accounting systems, the audit trail, forensics and the EU GDPR: how hard can it be?. 2017. Paper presented at British Accounting & Finance Association (BAFA) Annual Conference 2017, Edinburgh, United Kingdom.