An audit is a formal inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate, or efficiency and effectiveness targets are being met. Auditors evaluate and test an organization’s systems, processes and operations to determine whether the systems safeguard the information assets, maintain information confidentiality, integrity and availability, and operate effectively to achieve the organization’s business goals or objectives. A traditional cyber security audit is a periodic examination of an IT function’s checks, balances and controls. A cloud audit is a periodic examination an organization carries out to assess and document its cloud supplier’s performance.
An audit of a cloud environment is similar to a cyber security audit. Both examine a variety of operational, administrative, security and performance controls. Cloud audit controls are also similar to cyber security audit controls but with a focus on the nuances of cloud environments.
The purpose of such an audit is to see how well a cloud supplier is doing in meeting a set of established controls and best practices. The audit outcome and gaps provide organizations opportunities to address the risks and continually improve the cloud security environment.
This article focuses on three gaps commonly found in the realm of cloud auditing:
Gap 1: Absence of formal policies and procedures prior to acquisition of cloud services by business units.
Risk: This could lead to sub-standard supplier selection and performance as well as increased cloud security risks.
Recommendation: An information security policy for cloud computing and supplier relationships should be defined as a set of topic-specific policies, consistent with the organization’s risk appetite. Comprehensive policies, procedures and guidelines that support business units in acquiring and transitioning to cloud service applications need to be established. They must also address the use and management of cloud services, the need for pre-acquisition information security risk assessments, and supplier management once a supplier agreement has been signed.
Gap 2: Lack of monitoring and review of cloud supplier services and service level agreements (SLAs).
Risk: If cloud supplier services and SLAs are not monitored, the result may be inadequate cloud services and support, so that the business needs behind the cloud service are not met. It may also introduce cloud security risks into the organization’s network.
Recommendation: Service performance levels should be monitored against the cloud supplier agreements to provide reasonable assurance that the SLAs are up to date, that any changes in business process requirements are identified, and that the necessary adjustments are made to the SLAs when the opportunity to re-negotiate arises. Appropriate action should be taken when deficiencies in service delivery are observed. The service reports produced by the cloud supplier need to be reviewed, and the regular progress meetings required by the agreements need to be held.
Gap 3: Internal auditors are not sufficiently trained on cloud auditing.
Risk: If internal auditors are not sufficiently trained on cloud auditing, the quality of internal audits may suffer. Lack of training also makes it harder to build expertise in identifying risks specific to data protection and privacy requirements when using cloud services.
Recommendation: Effective cloud security auditors must be familiar with cloud computing terminology and have a working knowledge of how a cloud system is composed and delivered. This knowledge ensures auditors pay attention to the security factors that matter most in cloud security auditing, including transparency, encryption, colocation, scale, scope and complexity. The Cloud Security Alliance and ISACA offer the Certificate of Cloud Auditing Knowledge (CCAK). This credential is the first technical, vendor-neutral credential for cloud auditing, and it fills a gap in the industry for competent technical professionals who can help their organizations mitigate risks, optimize ROI and realize the full benefits of the cloud. CCAK prepares IT professionals to address the unique challenges of auditing the cloud, ensuring the right controls for confidentiality, integrity and accessibility, and mitigating the risks and costs of audit management and non-compliance.
Organizations should include the cloud service provider as a type of supplier in their information security policy for supplier relationships. This helps mitigate the risks associated with the cloud service provider’s access to and management of the cloud service data. Responsibility for managing cloud supplier relationships should be assigned to a designated individual or team, and sufficient technical skills and resources should be made available to verify that the requirements of the agreement, in particular the information security requirements, are being met. Organizations need to be aware that the legal or contractual responsibility for protecting information in the cloud remains with the organization. Organizations should also establish a process to identify and provide the training, certification and ongoing professional development required for auditing the cloud environment.
(The author, Mr. Chetan Anand, is Associate Vice President of Information Security and CISO at Profinch Solutions and a member of the ISACA Emerging Trends Working Group. The views expressed in this article are his own.)