As the popularity of cloud computing has increased over the last decade, so has the maturity of standards used to govern these resources. This article will provide a definition of cloud computing and cloud computing audits – the objectives of cloud computing, the scope of a cloud computing audit, understanding cloud compliance, and audit steps to expect.
Why is Cloud Compliance Important?
I think when companies consider the importance of cloud compliance, they know that these days, winning users requires some type of cloud audit certification (such as ISO) or an attestation report with a third-party opinion before many user organizations will entertain the use of a service. While this is true, other benefits often follow that help as a company grows. Going through a cloud compliance audit requires a consistent process to be put into place, and these processes are meant to strengthen the security posture of an organization. While some companies have staff or founders who layer security into their processes, other companies may be implementing cloud controls for the first time. These controls are what an auditor evaluates to assess cloud service provider security.
What are Auditing & Compliance in Cloud Computing?
Cloud computing is best defined by the National Institute of Standards and Technology (NIST). NIST is a portion of the U.S. Department of Commerce with the mission of encouraging innovation through science, technology, and standards – including cloud computing. According to NIST, “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.”
This definition was created to set a baseline for the discussion around cloud computing. As defined, cloud computing includes the following:
- Five Essential Characteristics – On-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service.
- Three Service Models – Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS).
- Four Deployment Models – Private cloud, community cloud, public cloud, and hybrid cloud.
The different characteristics, service models, and deployment models can be shaped and morphed into different resources depending on the needs of the organization.
Auditing in Cloud Computing
In general, an audit is when an independent third-party group is engaged to obtain evidence through inquiry, physical inspection, observation, confirmation, analytical procedures, and/or re-performance.
In a cloud computing audit, a variation of these steps is completed in order to form an opinion on the design and operating effectiveness of controls identified in the following areas:
- Security incidents
- Network security
- System development or change management
- Risk management
- Data management
- Vulnerability and remediation management
- Tone at the top, or leadership's commitment to transparency and ethical behavior
What is Cloud Compliance?
Cloud compliance is meeting the requirements or criteria of a particular certification or framework. There are a variety of different types of compliance that may be required by the industry, by requests for proposals, by clients, etc. The cloud security and compliance requirements a company faces will help determine the type of cloud compliance that is right for the organization.
For example, SOC 2 does not have any specific requirements around cloud compliance but does have criteria, such as CC6.1 “The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives.” To provide users assurance that the criteria have been met, certain controls are enabled to show evidence of cloud compliance. Some of these include security groups to control access to sensitive information, encryption of information, and regular patching.
Some other cloud compliance programs include:
How Do You Achieve Cloud Compliance?
While a great question, the achievement of cloud compliance does not have a simple answer. Why, you may ask? Because it is possible to be compliant today and out of compliance tomorrow. However, the best way to demonstrate to users that cloud compliance has been achieved is, first, to set a goal for what compliance means and, second, to engage a third party to validate that, at the time of testing, controls were designed and implemented and, if looking back over a period of time, that those controls operated consistently. Goals in this instance are generally whether or not a company is in compliance with certain criteria or frameworks. Once the scope of the cloud computing audit has been established, execution can commence.
During the planning and execution stages of a cloud security and compliance audit, it is important to have a clear understanding of what the objectives of the audit include, as noted above. Companies should strive to align their business objectives with the objectives of the audit. This will ensure that time and resources spent will help achieve a strong internal control environment and lower the risk of a qualified opinion.
Cloud Audit Objectives
Auditors use objectives as a way of concluding the evidence they obtain. Below is a sample list of cloud computing objectives that can be used by auditors and businesses alike.
- Define a Strategic IT Plan: The use of IT resources should align with company business strategies. When defining this objective, some key considerations should include whether IT investments are supported by a strong business case and what education will be required during the rollout of new IT investments.
- Define the Information Architecture: The information architecture includes the network, systems, and security requirements needed to safeguard the integrity and security of information, whether the information is at rest, in transit, or being processed.
- Define the IT Processes, Organization, and Relationships: Creating processes that are documented, standardized, and repeatable creates a more stable IT environment. Businesses should focus on creating policies and procedures that include organization structure, roles and responsibilities, system ownership, risk management, information security, segregation of duties, change management, incident management, and disaster recovery.
- Communicate Management Aims and Direction: Management should make sure its policies, mission, and objectives are communicated across the organization.
- Assess and Manage IT Risks: Management should document those risks that could affect the objectives of the company. These could include security vulnerabilities, laws and regulations, access to customers or other sensitive information, etc.
- Identify Vendor Management Security Controls: As companies are relying on other vendors such as AWS to host their infrastructure or ADP for payroll processing, companies need to identify those risks that could affect the reliability, accuracy, and safety of sensitive information.
What is the Scope of a Cloud Computing Audit?
The scope of a cloud computing audit will include the procedures specific to the subject of the audit. Additionally, it will include the IT general controls related to the following:
- Organization and Administration
- Risk Assessment
- Monitoring Activities
- Logical and Physical Access
- Systems Operations
- Change Management
An auditor is free to review and require evidence for any of the controls identified within these areas to gain the required assurance that controls are designed and operate effectively. It is also important to note that the controls that are maintained by a vendor are not included in the scope of a cloud computing audit.
What is the Responsibility of a Cloud Auditor?
The role of an auditor is to provide an objective opinion, based on facts and evidence, that a company has controls in place to meet a certain objective, criteria, or requirement. Additionally, in many cases, the auditor will also provide an opinion on whether or not those controls operated over a period of time. Auditing the cloud for compliance is no different. In instances where the audit requires cloud compliance to satisfy the criteria, the auditor will ask for evidence that controls are enabled (e.g., security groups, encryption, etc.). This will allow the cloud auditor to provide an opinion on whether controls were in place and, as applicable, whether they operated over a period of time.
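The two pieces of evidence named above and under the SOC 2 CC6.1 discussion (security groups that restrict access to sensitive information, and encryption of stored information) are the kind an auditor inspects in configuration exports rather than by interview. The script below is an added example, not code from the original article or from Linford & Co: it runs a control test over constructed snapshots of security groups and bucket encryption settings, whose shapes loosely follow AWS describe-style JSON, and lists the exceptions that would go into a workpaper. The port list, the sample records, and the function names are the example's own assumptions.

```python
"""Evidence check for two controls commonly tested under CC6.1:
security groups that restrict network access, and encryption of stored data.

Added example, not code from the original article or Linford & Co. Record
shapes loosely follow AWS describe-style JSON, but every record below is
constructed for the demo and the function names are the example's own.
"""
from __future__ import annotations

from typing import Any

# Ports whose exposure to the entire internet an auditor would question (assumed list).
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample evidence: a snapshot of two security groups.
SECURITY_GROUPS: list[dict[str, Any]] = [
    {"GroupId": "sg-0001", "GroupName": "app-servers", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},      # SSH open to the world
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},      # HTTPS, expected on a web tier
    ]},
    {"GroupId": "sg-0002", "GroupName": "db-servers", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},   # restricted to an internal range
        {"IpProtocol": "-1",                           # all protocols and ports ...
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},       # ... open to all of IPv6
    ]},
]

# Constructed sample evidence: bucket default-encryption settings.
BUCKETS: list[dict[str, Any]] = [
    {"Name": "customer-records",
     "ServerSideEncryptionConfiguration": {"Rules": [
         {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
    {"Name": "export-staging", "ServerSideEncryptionConfiguration": None},
]


def world_open_cidrs(rule: dict[str, Any]) -> list[str]:
    """Return the unrestricted CIDRs (IPv4 or IPv6) that a rule grants access to."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD_CIDRS]


def rule_covers_port(rule: dict[str, Any], port: int) -> bool:
    """True if the rule's port range includes `port` (protocol -1 means all ports)."""
    if rule.get("IpProtocol") == "-1":
        return True
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def check_security_groups(groups: list[dict[str, Any]]) -> list[dict[str, str]]:
    """Flag rules that expose sensitive ports (or everything) to the internet."""
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            for cidr in world_open_cidrs(rule):
                if rule.get("IpProtocol") == "-1":
                    findings.append({"control": "logical-access",
                                     "resource": group["GroupId"],
                                     "detail": f"all protocols/ports open to {cidr}"})
                    continue
                for port, name in SENSITIVE_PORTS.items():
                    if rule_covers_port(rule, port):
                        findings.append({"control": "logical-access",
                                         "resource": group["GroupId"],
                                         "detail": f"port {port} ({name}) open to {cidr}"})
    return findings


def check_bucket_encryption(buckets: list[dict[str, Any]]) -> list[dict[str, str]]:
    """Flag buckets with no default server-side encryption configured."""
    findings = []
    for bucket in buckets:
        config = bucket.get("ServerSideEncryptionConfiguration") or {}
        if not config.get("Rules"):
            findings.append({"control": "encryption",
                             "resource": bucket["Name"],
                             "detail": "no default encryption configured"})
    return findings


def collect_findings(groups: list[dict[str, Any]],
                     buckets: list[dict[str, Any]]) -> list[dict[str, str]]:
    """Combined list of exceptions to carry into the audit workpaper."""
    return check_security_groups(groups) + check_bucket_encryption(buckets)


if __name__ == "__main__":
    for f in collect_findings(SECURITY_GROUPS, BUCKETS):
        print(f"[{f['control']}] {f['resource']}: {f['detail']}")
```

Run against the constructed snapshot, the check reports three exceptions: SSH on sg-0001 open to 0.0.0.0/0, sg-0002 open on every port to ::/0, and the export-staging bucket with no default encryption. The HTTPS rule and the internally restricted PostgreSQL rule produce nothing, which is the point of testing against a defined list of sensitive ports rather than flagging every public rule. A real engagement would feed this the provider's actual configuration export and keep the output as evidence alongside the export itself.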
What Factors Should be Included as Part of Your Cloud Audit Checklist?
As mentioned before, auditors rely on different types of procedures such as inquiry, physical inspection, observation, confirmation, analytical procedures, and/or re-performance to collect evidence. These test procedures are used in combination to obtain evidence to support an opinion on the service being audited. While a universal audit checklist doesn't really exist, as every environment is a little different, below are example tests performed for each of the IT general control areas identified above. Note that this is not an all-inclusive list.
Organization and Administration
Logical and Physical Access
What is the Role of Internal Audit in Cloud Computing?
The section above is meant to give companies an idea of what is included in an audit checklist. Having a "checklist" or program to track controls and monitor them to validate that they are in place and operating, as applicable, is the basis of an internal audit role. Depending on the maturity of an internal audit team, a cloud auditor can choose to place some reliance on evidence provided by the internal auditor. At a minimum, many compliance frameworks require that evidence be available to support an internal audit role within the organization or to show that monitoring of controls is occurring. Any work done by the internal auditor should be documented so that the cloud auditor can see the monitoring that has occurred.
What is AWS Cloud Compliance? Or any Cloud Provider Really!
While there is no specific "AWS cloud compliance," there are a number of different cloud security and compliance requirements that require the implementation of specific controls at the cloud service provider level, such as AWS, Microsoft Azure, Google, etc. That is because this is where important information is maintained. The same is true of the many platforms that themselves run on infrastructure at these cloud providers. While these providers are required to have their own security controls in place, there are a number of controls that are the responsibility of the user to implement or enable.
Fortunately, cloud service providers such as AWS, Microsoft Azure, Google, etc., have helped their users meet security frameworks, criteria, and certifications by making it easy to enable the controls that auditors will be looking for. Additionally, these companies publish a great deal of information in white papers so that users can gauge whether the products will meet a given security requirement. Check out this related article for more specific information on AWS SOC 2 cloud compliance.
Cloud computing audits have become a standard as users are realizing that risks exist since their data is being hosted by other organizations. To combat that, they are requesting different forms of cloud computing audits to gain assurance and lower the risk of their information being lost or hacked.
For more information related to the Cloud, check out the following Linford & Co articles:
- Cloud Services Agreements – Protecting Your Hosted Environment
- Leveraging the Google Cloud SOC 2: How to Build a SOC 2 Compliant SaaS
- CSA CCM: Cloud Security Alliance Cloud Controls Matrix – Overview & CSA Offerings
This article was originally published on 2/5/2020 and was updated on 11/9/2022.
Jaclyn Finney started her career as an auditor in 2009. She started with Linford & Co., LLP. in 2016 and is a partner with the firm. She is a CISA with a special focus on SOC, HITRUST, FedRAMP and royalty examinations. Jaclyn works with her clients to provide a process that meets the needs of each customer and generates a tailored report that is useful to the client and the users of the report.