Impact of external auditor–cloud specialist engagement on cloud auditing challenges

Purpose This study aims to investigate the impact of external auditor–cloud specialist engagement on cloud auditing challenges from the perspective of auditors from the Association of Certified Public Accountants in a developing country as an example of Middle East emerging economies. Design/methodology/approach A quantitative research design was used to assess the influence of external auditor–cloud specialist engagement on three main cloud auditing challenges (i.e. technology security, regulatory standards and strategy). Data collection was conducted through field and online surveys. A total of 201 (181 male and 20 female) auditors made up a sample of a developing country’s economy. In addition, structural equation modelling was performed to test the proposed hypotheses of the study’s conceptual model. Findings The study found a significant effect of external auditor–cloud specialist engagement on overcoming the challenges of cloud auditing. Results showed that using IT specialists helps overcome strategic challenges more than other kinds of challenges, such as technology security and organisational standards. Practical implications The findings suggest that efforts to promote cloud auditing in organisations may succeed if the focus is on overcoming cloud auditing challenges and highlighting the external auditor–cloud specialist engagement to enhance job performance. Originality/value This study is one of the few studies that analyse the impact of external auditor–cloud specialist engagement on cloud auditing challenges by adopting a quantitative approach from the perspective of auditors from the Iraqi Association of Certified Public Accountants.

Improved Lightweight Cloud Storage Auditing Protocol for Shared Medical Data

Now, it is common for patients and medical institutions to outsource their data to cloud storage. This can greatly reduce the burden of medical information management and storage and improve the efficiency of the entire medical industry. In some cases, the group-based cloud storage system is also very common to be used. For example, in an medical enterprise, the employees outsource the working documents to the cloud storage and share them to the colleagues. However, when the working documents are outsourced to the cloud servers, how to ensure their security is a challenge problem for they are not controlled physically by the data owners. In particular, the integrity of the outsourced data should be guaranteed. And the secure cloud auditing protocol is designed to solve this issue. Recently, a lightweight secure auditing scheme for shared data in cloud storage is proposed. Unfortunately, we find this proposal not secure in this paper. It’s easy for the cloud server to forge the authentication label, and thus they can delete all the outsourced data when the cloud server still provide a correct data possession proof, which invalidates the security of the cloud audit protocol. On the basis of the original security auditing protocol, we provide an improved one for the shared data, roughly analysis its security, and the results show our new protocol is secure.

Security of Auditing Protocols Against Subversion Attacks

In 2013, the revelation of Edward Snowden rekindled cryptographic researchers’ interest in subversion attacks. Since then, many works have been carried out to explore the power of subversion attacks and feasible effective countermeasures as well. In this work, we investigate the study of subversion attacks against cloud auditing protocol, which has been well-known as useful primitive for secure cloud storage. We demonstrate that subverted auditing protocol enables the cloud server to recover secret information stored on the data owner side. Particularly, we first define an asymmetric subversion attack model for auditing protocol. This model serves as the principle for analyzing the undetectability and key recovery of subversion attacks against auditing protocols. We then show a general framework of asymmetric subversion attacks against auditing protocols with index-coefficient challenge. To illustrate the feasibility of our paradigm, several concrete auditing protocols are provided. As a feasible countermeasure, we propose a subversion-resilient auditing protocol with index-coefficient challenge.

Identity-Based Public Auditing Scheme for Cloud Storage with Strong Key-Exposure Resilience

Secured storage system is a critical component in cloud computing. Cloud clients use cloud auditing schemes to verify the integrity of data stored in the cloud. But with the exposure of the auditing secret key to the Cloud Service Provider, cloud auditing becomes unsuccessful, however strong the auditing schemes may be. Therefore, it is essential to prevent the exposure of auditing secret keys, and even if it happens, it is necessary to minimize the damage caused. The existing cloud auditing schemes that are strongly resilient to key exposure are based on Public Key Infrastructure and so have challenges of certificate management/verification. These schemes also incur high computation time during integrity verification of the data blocks. The Identity-based schemes eliminate the usage of certificates but limit the damage due to key exposure, only in time periods earlier to the time period of the exposed key. Some of the key exposure resilient schemes do not provide support for batch auditing. In this paper, an Identity-based Provable Data Possession scheme is proposed. It protects the security of Identity-based cloud storage auditing in time periods both earlier and later to the time period of the exposed key. It also provides support for batch auditing. Analysis shows that the proposed scheme is resistant to the replace attack of the Cloud Service Provider, preserves the data privacy against the Third Party Auditor, and can efficiently verify the correctness of data.