Cloud accounting systems, the audit trail, forensics and the EU GDPR : how hard can it be?

Weir, George and Aßmuth, Andreas and Whittington, Mark and Duncan, Bob (2017) Cloud accounting systems, the audit trail, forensics and the EU GDPR : how hard can it be? In: British Accounting & Finance Association (BAFA) Annual Conference 2017, 2017-04-10 - 2017-04-12, Heriot Watt University.

[img]
Preview
Text (Weir-etal-BAFA2017-Cloud-accounting-systems-the-audit-trail-forensics-and-the-EU)
Weir_etal_BAFA2017_Cloud_accounting_systems_the_audit_trail_forensics_and_the_EU.pdf
Accepted Author Manuscript

Download (126kB)| Preview

    Abstract

    Ahead of the introduction of the EU General Data Privacy Regulation (GDPR), we consider some important unresolved issues with cloud computing, namely, the insecure cloud audit trail problem and the challenge of retaining cloud forensic evidence. Developing and enforcing good cloud security controls is an essential requirement for this is to succeed. The nature of cloud computing architecture can add additional problem layers for achieving cloud security to an already complex problem area. Historically, many corporates have struggled to identify when their systems have been breached, let alone understand which records have been accessed, modified, deleted or ex-filtrated from their systems. Often, there is no understanding as to who has perpetrated the breach, meaning it is difficult to quantify the risk to which they have been exposed. The GDPR seeks to improve this situation by requiring all breaches to be reported within 72 hours of an occurrence, including full identification of all records compromised, failing which the organisation could be subject to punitive levels of fines. We consider why this is such an important issue, identifying what desirable characteristics should be aimed for and propose a novel means of effectively and efficiently achieving these goals. We have identified a range of issues which need to be addressed to ensure a robust level of security and privacy can be achieved. We have addressed these issues in both the context of conventional cloud based systems, as well as in regard to addressing some of the many weaknesses inherent in the internet of things. We discuss how our proposed approach may help better address the identified key security issues.