As the popularity of cloud computing has increased over the last decade, so has the maturity of the standards used to govern these resources. This article provides a definition of cloud computing and of a cloud computing audit, the objectives of such an audit, the scope of a cloud computing audit, an overview of cloud compliance, and the audit steps to expect.
Cloud Computing and Compliance Definitions
Cloud computing is best defined by the National Institute of Standards and Technology (NIST). NIST is part of the U.S. Department of Commerce, with the mission of encouraging innovation through science, technology, and standards, including standards for cloud computing. According to NIST, “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.”
This definition was created to set a baseline for the discussion around cloud computing. As the definition states, cloud computing includes five essential characteristics (on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service), three service models (software-as-a-service, platform-as-a-service, and infrastructure-as-a-service), and four deployment models (private cloud, community cloud, public cloud, and hybrid cloud). These characteristics, service models, and deployment models can be combined into different resources depending on the needs of the organization. For a more detailed breakdown of the cloud characteristics, service models, and deployment models, check out my blog Climbing to the Top: Understanding Major Cloud Service Providers.
What is a Cloud Computing Audit?
In general, an audit is an engagement in which an independent third party obtains evidence through inquiry, physical inspection, observation, confirmation, analytical procedures, and/or re-performance.
In a cloud computing audit, a variation of these steps is completed in order to form an opinion on the design and operating effectiveness of the controls identified in the following areas:
- Security incidents
- Network security
- System development or change management
- Risk management
- Data management
- Vulnerability and remediation management
- Tone at the top, or leadership's commitment to transparency and ethical behavior
What is Cloud Compliance?
Cloud compliance means meeting the requirements or criteria of a particular certification or framework. Many different types of compliance may be required by an industry, a request for proposal, a client, etc. The cloud security and compliance requirements an organization faces will help determine which cloud compliance program is right for it.
For example, SOC 2 does not have any specific requirements around cloud compliance but does have criteria, such as “The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives.” To provide users assurance that the criteria have been met, certain controls are enabled to show evidence of cloud compliance. Some of these include security groups to control access to sensitive information, encryption of information, and regular patching. Some other cloud compliance programs include FedRAMP, Cloud Security Alliance (CSA), HITRUST, ISO 27017, and PCI.
What is Auditing in Cloud Computing and What Are Some Audit Objectives?
During the planning and execution stages of a cloud security and compliance audit, it’s important to have a clear understanding of what the objectives of the audit include. Companies should strive to align their business objectives with the objectives of the audit. This will ensure that time and resources spent will help achieve a strong internal control environment and lower the risk of a qualified opinion.
Auditors use objectives as the basis for concluding on the evidence they obtain. Below is a sample list of cloud computing objectives that can be used by auditors and businesses alike.
- Define a Strategic IT Plan: The use of IT resources should align with company business strategies. When defining this objective, some key considerations should include whether IT investments are supported by a strong business case and what education will be required during the rollout of new IT investments.
- Define the Information Architecture: The information architecture includes the network, systems, and security requirements needed to safeguard the integrity and security of information, whether that information is at rest, in transit, or being processed.
- Define the IT Processes, Organization, and Relationships: Creating processes that are documented, standardized, and repeatable makes for a more stable IT environment. Businesses should focus on creating policies and procedures that cover organization structure, roles and responsibilities, system ownership, risk management, information security, segregation of duties, change management, incident management, and disaster recovery.
- Communicate Management Aims and Direction: Management should make sure its policies, mission, and objectives are communicated across the organization.
- Assess and Manage IT Risks: Management should document those risks that could affect the objectives of the company. These could include security vulnerabilities, laws and regulations, access to customers or other sensitive information, etc.
- Identify Vendor Management Security Controls: As companies rely on vendors such as AWS to host their infrastructure or ADP for payroll processing, they need to identify the risks that could affect the reliability, accuracy, and safety of sensitive information.
The list above is just a small sample of the objectives that should be considered. The Information Systems Audit and Control Association, now known simply as ISACA, is an independent nonprofit that “engages in the development, adoption, and use of globally accepted, industry-leading knowledge and practices for information systems.” For a more comprehensive list of objectives, reference ISACA’s IT Control Objectives for Cloud Computing: Controls and Assurance in the Cloud.
What is the Scope of a Cloud Computing Audit?
The scope of a cloud computing audit will include the procedures specific to the subject of the audit. Additionally, it will include the IT general controls related to organization and administrative, communication, risk assessment, monitoring activities, logical and physical access, systems operations, and change management.
An auditor is free to review and require evidence for any of the controls identified within these areas to gain the required assurance that controls are designed and operate effectively. It is also important to note that the controls that are maintained by a vendor are not included in the scope of a cloud computing audit.
What is the Role of a Cloud Auditor?
The role of an auditor is to provide an objective opinion, based on facts and evidence, that a company has controls in place to meet a certain objective, criteria, or requirement. In many cases, the auditor will also provide an opinion on whether those controls operated over a period of time. Auditing the cloud for compliance is no different. Where the audit requires cloud compliance to satisfy the criteria, the auditor will ask for evidence that controls are enabled (e.g., security groups, encryption, etc.). This allows the cloud auditor to provide an opinion on whether controls were in place and, as applicable, whether they operated over a period of time.
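The SOC 2 example above names three controls (security groups restricting access, encryption of information, and regular patching) and the auditor's request is for evidence that those controls are enabled. The following is an added example, not code from the article or from Linford & Co, of how a team can produce that evidence as a repeatable check rather than a screenshot. It runs over a constructed inventory of security group rules, volumes, and instances; the sensitive port list and the 30-day patch threshold are assumptions standing in for an organization's own policy, and the resource names are made up.

```python
"""Added example: evaluate three SOC 2-style cloud controls over a constructed inventory.
Controls covered: security groups (no world-open access to sensitive ports),
encryption at rest (every volume encrypted), and regular patching (patched within a window)."""
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_network

# Assumed policy, not from the article: ports that must never be open to the world.
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 1433}
# Assumed policy threshold for "regular patching".
MAX_PATCH_AGE_DAYS = 30


@dataclass
class IngressRule:
    group_id: str
    protocol: str      # "tcp", "udp", or "-1" for all protocols (AWS-style convention)
    from_port: int
    to_port: int
    cidr: str


@dataclass
class Volume:
    volume_id: str
    encrypted: bool


@dataclass
class Instance:
    instance_id: str
    last_patched: date


def rule_is_world_open(rule: IngressRule) -> bool:
    """True when the source CIDR admits every address (0.0.0.0/0 or ::/0)."""
    return ip_network(rule.cidr, strict=False).prefixlen == 0


def rule_exposes_sensitive_port(rule: IngressRule) -> bool:
    """True when the rule's port range covers any sensitive port (or all ports)."""
    if rule.protocol == "-1":
        return True
    return any(rule.from_port <= p <= rule.to_port for p in SENSITIVE_PORTS)


def check_security_groups(rules):
    """Findings: rules that open a sensitive port to the whole internet."""
    return [f"{r.group_id}: {r.protocol} {r.from_port}-{r.to_port} open to {r.cidr}"
            for r in rules if rule_is_world_open(r) and rule_exposes_sensitive_port(r)]


def check_encryption(volumes):
    """Findings: volumes without encryption at rest."""
    return [f"{v.volume_id}: not encrypted at rest" for v in volumes if not v.encrypted]


def check_patching(instances, as_of, max_age_days=MAX_PATCH_AGE_DAYS):
    """Findings: instances whose last patch date is older than the allowed window."""
    cutoff = as_of - timedelta(days=max_age_days)
    return [f"{i.instance_id}: last patched {i.last_patched.isoformat()}"
            for i in instances if i.last_patched < cutoff]


def build_evidence(rules, volumes, instances, as_of):
    """Map each control to a pass/fail status plus the findings that support it."""
    results = {
        "security_groups": check_security_groups(rules),
        "encryption_at_rest": check_encryption(volumes),
        "regular_patching": check_patching(instances, as_of),
    }
    return {name: {"status": "fail" if findings else "pass", "findings": findings}
            for name, findings in results.items()}


# Constructed sample inventory; none of these are real resources.
SAMPLE_RULES = [
    IngressRule("sg-web", "tcp", 443, 443, "0.0.0.0/0"),     # acceptable: public HTTPS
    IngressRule("sg-db", "tcp", 5432, 5432, "10.0.0.0/8"),   # acceptable: internal only
    IngressRule("sg-bastion", "tcp", 22, 22, "0.0.0.0/0"),   # finding: SSH open to the world
    IngressRule("sg-legacy", "-1", 0, 65535, "::/0"),        # finding: everything open over IPv6
]
SAMPLE_VOLUMES = [Volume("vol-app", True), Volume("vol-backup", False)]
SAMPLE_INSTANCES = [Instance("i-web", date(2024, 6, 1)), Instance("i-batch", date(2024, 3, 15))]
AS_OF = date(2024, 6, 15)  # constructed evaluation date

if __name__ == "__main__":
    for control, result in build_evidence(SAMPLE_RULES, SAMPLE_VOLUMES, SAMPLE_INSTANCES, AS_OF).items():
        print(f"{control}: {result['status'].upper()}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run on a schedule and archived with its date, the output of `build_evidence` is the kind of artifact an auditor can sample across the review period to conclude that a control operated over time, not just that it existed on the day of the walkthrough.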
What Type of Tests Will Auditors Perform?
As mentioned before, auditors rely on different types of procedures such as inquiry, physical inspection, observation, confirmation, analytical procedures, and/or re-performance to collect evidence. These test procedures are used in combination to obtain evidence to support an opinion on the service being audited. Below are example tests performed for each of the IT general control areas identified above. Note that this is not an all-inclusive list.
- Organization and Administration: example tests (table body not preserved in this copy)
- Logical and Physical Access: example tests (table body not preserved in this copy)
What is AWS Cloud Compliance? Or any Cloud Provider Really!
While there is no specific AWS cloud compliance, a number of cloud security and compliance requirements call for the implementation of specific controls at the cloud service provider level, whether that is AWS, Microsoft Azure, Google, etc. That is because this is where important information is maintained. The same is true of the many platforms that themselves run on infrastructure at these cloud providers. While these providers are required to have their own security controls in place, a number of controls remain the responsibility of the user to implement or enable.
Fortunately, cloud service providers such as AWS, Microsoft Azure, Google, etc. have helped their users meet security frameworks, criteria, and certifications by making it easy to enable the controls that auditors will be looking for. Additionally, these companies publish extensive white papers so that users can gauge whether a product will meet a given security requirement. For more specific information about SOC 2 cloud compliance at AWS, check out another Linford & Co blog.
Cloud computing audits have become standard as users realize that risks exist when their data is hosted by other organizations. To address those risks, they are requesting different forms of cloud computing audits to gain assurance and lower the risk of their information being lost or hacked.
For more information on cloud computing audits check out the following Linford & Co articles:
- How Long Does a SOC Examination Take?
- What is a SOC 2 Report? Expert Advice You Need to Know
- SOC 2 Reporting: New 2017 Trust Services Criteria (TSP Section 100)
- What is HITRUST Certification & What is Required for Compliance?
- FedRAMP Continuous Monitoring – What Are the Responsibilities of CSPs and 3PAOs?
- What is a SOC 1 Report? Expert Advice You Need to Know
Jaclyn Finney started her career as an auditor in 2009. She started with Linford & Co., LLP in 2016 and is a partner with the firm. She is a CISA with a special focus on SOC, HITRUST, FedRAMP and royalty examinations. Jaclyn works with her clients to provide a process that meets the needs of each customer and generates a tailored report that is useful to the client and the users of the report.