Enforcing Corporate Governance Controls with Cloud-based Services

More and more organizations are today using the cloud for their business as a convenient alternative to in-house solutions for storing, processing, and managing data. Cloud-based solutions are then permeating almost all aspects of business organizations, resulting appealing also for sensitive or security critical applications, whose enforcement in the cloud requires however particular care. In this paper, we provide an approach for securely relying on cloud-based services for the enforcement of Internal Controls and Audit (ICA) functions for corporate governance. Our approach builds on a formalization of the ICA process and its requirements and on the consideration of the protection guarantees to be provided when outsourcing the process to external cloud services. The enforcement of the requirements leverages the use of selective encryption providing a self-protection layer on the data and on ICA reports, the hierarchical organization of keys based on the organizational structure, and compact tags for regulating write operations. Our solution enables the management of the ICA process with cloud-based services, while ensuring satisfaction of the protection requirements.