Steven Connors

Introduction

In the ever-evolving landscape of technology, businesses are increasingly leveraging cloud services.

Moving IT infrastructure to the cloud comes with several benefits that have led many organisations to embrace the approach. The predominant driver tends to be the cost saving from not having to maintain and support in-house IT installations; if realised, the benefits can also include enhanced flexibility and scalability.

For an organisation to realise these benefits there needs to be an effective and robust control environment, and the need for robust security and compliance measures becomes paramount. Conducting regular IT audits of the cloud estate is crucial to ensure the integrity, confidentiality and availability of sensitive data. Auditing a cloud IT environment involves evaluating the security, compliance and performance of the various components within the cloud infrastructure.

How many of us have had conversations where one party has said that they have moved their IT to the cloud as it is safe, secure and saves money and resources, but is this a true statement or a presumption? Ultimately the cloud is what is known as a ‘shared responsibility model’ where there is a division of responsibilities between the cloud service provider and the customer.

As in all other areas of the business, the use of the third line of defence gives confidence that the risks arising from an activity are being managed within appetite. However, unlike many other areas of a business's operations, where we are in the main dealing with tangibles, the cloud feels far from tangible.

Understanding Cloud Service Models

By far the most used cloud model is the public cloud, which uses what is known as a multi-tenancy model: a single instance of the software and its infrastructure serves multiple customers, referred to as 'tenants'. Each tenant operates as if it were using its own dedicated instance of the software, even though it shares the underlying resources with other tenants.

It is important to note that while multi-tenancy offers advantages in terms of resource efficiency and cost savings, preventing unauthorised access to sensitive data requires careful design and implementation of the instance to ensure security, data privacy and compliance with regulatory requirements for each tenant.

There is also the 'private cloud', which is dedicated to a single organisation, and the 'hybrid cloud'. Private clouds are more costly but suitable where greater control over resources and security is a key consideration. Typical sectors that may use a private cloud are finance, health and government.

Understanding Cloud Service Offerings

  • SaaS - "Software as a Service." A cloud computing model that delivers software applications over the internet on a subscription basis. Instead of users downloading or installing software on their individual devices or servers, they can access the software and its features through a web browser. (ERM & CRM systems).
  • PaaS - "Platform as a Service." A cloud computing service model that provides a platform allowing customers to develop, run, and manage applications without dealing with the complexity of building and maintaining the underlying infrastructure. (Google App Engine, Microsoft Azure App Service)
  • IaaS - "Infrastructure as a Service." A cloud computing service model that provides virtualized computing resources over the internet. In an IaaS model, instead of investing in and maintaining physical hardware and data centre infrastructure, users can rent or lease virtualized computing resources on a pay-as-you-go basis. (AWS, Google Cloud Platform, Microsoft Azure).

For each of the above service models and offerings there are varying levels of responsibility for security and compliance. It is important for auditors to understand the model in order to determine which aspects are managed by the cloud provider and which are the responsibility of your organisation. This knowledge is crucial for identifying potential risks and developing audit strategies to test the extent to which the first two lines of defence are mitigating those risks.

Many organisations fall into the trap of assuming that the cloud is inherently more secure and that the cloud service provider (AWS, Google or Microsoft) takes over security responsibilities; this is not the case. To give a couple of examples, going back to 2019 but still relevant:

Capital One: July 2019

The root cause: the client had a poorly configured firewall at AWS that allowed the attacker to gain access to sensitive data.

Loss: 30 GB of card application data.

Suprema: August 2019

The root cause: unprotected database containing mostly unencrypted user data.

Loss: Over 27.8m records of 'actual fingerprint' (not hashed) and facial recognition data plus unencrypted usernames and passwords, logs of facility access, security levels and clearance, and personal details of staff.

The impact of not clearly understanding the division of responsibilities, especially for a smaller company, could seriously affect its ability to continue to trade.

Developing Your Audit Approach

Once we have established which service model, or combination of models, is in play, there is the consideration of the actual audit approach.

The approach can be split into the various control areas, which will be familiar but may require a different focus.

1. Regulatory Compliance

It is important to establish whether relevant regulatory requirements (e.g. GDPR, SOC 2) apply to the organisation and, if so, to take steps to verify that the cloud environment complies with them and that compliance is maintained.

2. Data Residency and Jurisdiction

GDPR has made us accept that where our data, and particularly personal data, is stored geographically is something we need to consider, so as to ensure compliance with the data protection and privacy regulations specific to the regions where the organisation operates.

3. Access Controls

This area is not dissimilar in its requirements to an on-site provision. The key consideration in auditing access controls is to ensure that the organisation has in place a robust approach to identity and access management, within which we can then drill deeper into:

  • validating user access rights and permissions against the principle of least privilege;
  • checking for the use of multi-factor authentication;
  • reviewing access logs and checking that privileged user activities are subject to robust monitoring and challenge.
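The three access-control checks above can be scripted against an export of the identity store, so that the auditor tests every user rather than a sample. The script below is an added example, not code from the article or from Validera; the inventory it reads is constructed for illustration and loosely follows the shape of an IAM policy document (the `users`, `policies` and user names are hypothetical, and nothing here calls a cloud API). It flags statements that grant every action, privileged identity actions on every resource, and wildcard actions, then raises the severity of a missing MFA finding where the user already holds broad rights.

```python
"""Least-privilege and MFA checks over a constructed IAM-style inventory."""
import json

# Constructed sample inventory, loosely following the shape of AWS IAM policy
# documents. Users, policies and names are hypothetical; nothing here calls a
# cloud API, so the script runs offline.
SAMPLE_INVENTORY = json.loads("""
{
  "users": [
    {"name": "alice",      "mfa_enabled": true,  "policies": ["ReadOnlyReports"]},
    {"name": "bob",        "mfa_enabled": false, "policies": ["AdminEverything"]},
    {"name": "svc-backup", "mfa_enabled": false, "policies": ["BackupWriter"]}
  ],
  "policies": {
    "ReadOnlyReports": {"Statement": [
      {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
       "Resource": "arn:aws:s3:::reports-bucket/*"}]},
    "AdminEverything": {"Statement": [
      {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "BackupWriter": {"Statement": [
      {"Effect": "Allow", "Action": ["s3:PutObject"],
       "Resource": "arn:aws:s3:::backup-bucket/*"},
      {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}
  }
}
""")

# Action prefixes that grant control over identities themselves; granting
# these on every resource is effectively administrative access.
PRIVILEGED_PREFIXES = ("iam:", "sts:", "organizations:")


def _as_list(value):
    """Policy documents allow a single string or a list for Action/Resource; normalise."""
    return value if isinstance(value, list) else [value]


def policy_findings(name, policy):
    """Return (severity, message) findings for the Allow statements of one policy."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; only Allow can over-grant
        actions = _as_list(stmt.get("Action", []))
        all_resources = "*" in _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*":
                scope = "every resource" if all_resources else "the listed resources"
                findings.append(("high", f"{name}: allows every action on {scope}"))
            elif action.startswith(PRIVILEGED_PREFIXES) and all_resources:
                findings.append(("high", f"{name}: privileged action {action} on every resource"))
            elif action.endswith("*"):
                findings.append(("medium", f"{name}: wildcard action {action}"))
    return findings


def audit_inventory(inventory):
    """Combine per-policy findings with per-user checks (MFA on privileged users)."""
    findings = []
    policies = inventory["policies"]
    for user in inventory["users"]:
        via_policies = []
        for policy_name in user["policies"]:
            via_policies.extend(policy_findings(policy_name, policies[policy_name]))
        has_high = any(sev == "high" for sev, _ in via_policies)
        if not user["mfa_enabled"]:
            # Missing MFA matters most where the user already holds broad rights.
            findings.append(("high" if has_high else "medium",
                             f"user {user['name']}: MFA not enabled"))
        findings.extend((sev, f"user {user['name']} via {msg}") for sev, msg in via_policies)
    return findings


if __name__ == "__main__":
    for severity, message in audit_inventory(SAMPLE_INVENTORY):
        print(f"[{severity}] {message}")
```

Run against the constructed inventory it reports four high findings: the administrator without MFA, the wildcard policy, and a service account whose backup policy quietly includes `iam:*` on every resource. The third bullet (review of privileged activity in the access logs) is a separate check over log events rather than over the identity store.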

4. Data Security

This is an area where some will fall down, as the division of responsibilities between the cloud service provider and the customer can become a little vague. From the customer's perspective they will want to ensure that data is protected at rest, during processing and in transit. The level of protection afforded to individual data sets will draw on the organisation's approach to information governance and, in particular, its risk appetite as expressed in its approach to data classification; the auditor should begin by validating compliance with this policy. As auditors we want to ensure that the organisation adopts a robust approach to encryption to protect data at rest, in transit and during processing. The mechanisms differ: data in transit is protected with SSL/TLS, data at rest is encrypted with a cipher such as AES 128, and a hash such as SHA 256 serves to verify integrity rather than to provide confidentiality. With encryption comes the need to protect the encryption keys themselves, so it is necessary to validate the organisation's key management practice before looking at how data loss prevention mechanisms may be employed.
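Validating compliance with the data classification policy, as the paragraph above suggests, comes down to comparing each storage resource's actual settings with the minimum controls its tier requires. The script below is an added example, not the article's or Validera's own code; the classification policy, the resource inventory, the key inventory and the audit date are all constructed and hypothetical. It checks encryption at rest, TLS-only access and key rotation age, and reports the key-rotation breach only once the data is actually encrypted, since an unencrypted store has no key to rotate.

```python
"""Encryption-at-rest, TLS and key-rotation checks against a data classification policy."""
from datetime import date

# Constructed, hypothetical classification policy: the minimum controls the
# organisation's own policy requires for each tier. Real policies will differ.
CLASSIFICATION_POLICY = {
    "public":       {"encrypt_at_rest": False, "tls_only": True, "max_key_age_days": None},
    "internal":     {"encrypt_at_rest": True,  "tls_only": True, "max_key_age_days": 365},
    "confidential": {"encrypt_at_rest": True,  "tls_only": True, "max_key_age_days": 90},
}

# Constructed inventory of storage resources, as an auditor might export it.
SAMPLE_RESOURCES = [
    {"id": "reports-bucket",  "classification": "internal",     "encrypted": True,  "key_id": "key-1", "tls_only": True},
    {"id": "hr-records-db",   "classification": "confidential", "encrypted": True,  "key_id": "key-2", "tls_only": False},
    {"id": "cardapp-archive", "classification": "confidential", "encrypted": False, "key_id": None,    "tls_only": True},
    {"id": "www-assets",      "classification": "public",       "encrypted": False, "key_id": None,    "tls_only": True},
]

# Constructed key inventory (the key management practice under review).
SAMPLE_KEYS = {
    "key-1": {"rotation_enabled": True,  "last_rotated": date(2024, 1, 10)},
    "key-2": {"rotation_enabled": False, "last_rotated": date(2023, 6, 1)},
}

# Constructed "today" so the key-age arithmetic is reproducible.
AUDIT_DATE = date(2024, 3, 1)


def check_resource(resource, keys, today):
    """Return the policy breaches for one storage resource."""
    required = CLASSIFICATION_POLICY[resource["classification"]]
    findings = []
    if required["encrypt_at_rest"] and not resource["encrypted"]:
        findings.append(f"{resource['id']}: {resource['classification']} data stored unencrypted")
    if required["tls_only"] and not resource["tls_only"]:
        findings.append(f"{resource['id']}: plaintext (non-TLS) access permitted")
    # Key management only becomes testable once the data is actually encrypted.
    if resource["encrypted"] and required["max_key_age_days"] is not None:
        key = keys.get(resource["key_id"])
        if key is None:
            findings.append(f"{resource['id']}: key {resource['key_id']} missing from key inventory")
        else:
            age = (today - key["last_rotated"]).days
            if not key["rotation_enabled"] or age > required["max_key_age_days"]:
                findings.append(f"{resource['id']}: key {resource['key_id']} rotation overdue "
                                f"({age} days old, rotation enabled={key['rotation_enabled']}, "
                                f"limit {required['max_key_age_days']} days)")
    return findings


def audit_storage(resources, keys, today):
    """Run check_resource over the whole inventory and flatten the findings."""
    return [f for r in resources for f in check_resource(r, keys, today)]


if __name__ == "__main__":
    for finding in audit_storage(SAMPLE_RESOURCES, SAMPLE_KEYS, AUDIT_DATE):
        print(finding)
```

On the constructed data this yields three findings: the HR database permits plaintext access and sits on a key whose rotation has been disabled for 274 days, and the card application archive, classified confidential, is not encrypted at all. The public web assets and the internal reports bucket pass.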

5. Infrastructure Security

Review the network architecture and security controls within the cloud environment. We start at the usual place by assessing whether the security group policies and rules are well designed and effectively managed, whether the organisation has a suitably configured firewall, and whether intrusion detection and prevention systems have been implemented.
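Assessing whether security group rules are well designed is largely a question of what each rule exposes and to whom, and it can be tested mechanically over an export of the groups. The script below is an added example, not code from the article or from Validera; the group identifiers and rules are constructed, and the `"-1"` protocol value follows the convention some providers use for "all protocols". It classifies each rule's source range, then rates a rule by whether it opens all traffic, an administrative or database port, or an ordinary service port to that range.

```python
"""Review of security group ingress rules for over-broad exposure."""
import ipaddress

# Ports whose exposure to untrusted networks is almost never intended
# (administrative and database services).
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 1433: "mssql", 3306: "mysql", 5432: "postgres", 27017: "mongodb"}

# Constructed sample export; group ids and rules are hypothetical.
SAMPLE_GROUPS = [
    {"id": "sg-web", "ingress": [
        {"proto": "tcp", "from": 443, "to": 443, "cidr": "0.0.0.0/0"},
        {"proto": "tcp", "from": 22,  "to": 22,  "cidr": "10.0.0.0/8"}]},
    {"id": "sg-db", "ingress": [
        {"proto": "tcp", "from": 5432, "to": 5432, "cidr": "0.0.0.0/0"}]},
    {"id": "sg-legacy", "ingress": [
        {"proto": "-1", "from": 0, "to": 65535, "cidr": "0.0.0.0/0"}]},
]


def exposure(cidr):
    """Classify a source range: 'anywhere', 'broad' (public range wider than a /16) or 'scoped'."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "anywhere"
    if not net.is_private and net.num_addresses > 2 ** 16:
        return "broad"
    return "scoped"


def rule_findings(group_id, rule):
    """Return (severity, message) findings for one ingress rule."""
    scope = exposure(rule["cidr"])
    if scope == "scoped":
        return []
    severity = "high" if scope == "anywhere" else "medium"
    port_lo, port_hi = rule["from"], rule["to"]
    if rule["proto"] == "-1" or (port_lo == 0 and port_hi == 65535):
        return [(severity, f"{group_id}: all ports and protocols open from {rule['cidr']}")]
    exposed = [name for port, name in ADMIN_PORTS.items() if port_lo <= port <= port_hi]
    findings = [(severity, f"{group_id}: {name} reachable from {rule['cidr']}") for name in exposed]
    if not exposed and scope == "anywhere":
        # Public service ports are often legitimate; record them for confirmation.
        findings.append(("low", f"{group_id}: ports {port_lo}-{port_hi} reachable from anywhere; "
                                "confirm this is an intended public service"))
    return findings


def audit_security_groups(groups):
    """Flatten rule_findings over every ingress rule of every group."""
    return [f for g in groups for r in g["ingress"] for f in rule_findings(g["id"], r)]


if __name__ == "__main__":
    for severity, message in audit_security_groups(SAMPLE_GROUPS):
        print(f"[{severity}] {message}")
```

On the constructed groups the web tier's HTTPS rule is recorded as low (expected for a public service, but worth confirming), the database group exposing PostgreSQL to the whole internet and the legacy group allowing all traffic are both high, and SSH restricted to the internal 10.0.0.0/8 range raises nothing. A rule-level review of this kind is a complement to, not a substitute for, the penetration test the next paragraph mentions.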

Often organisations and their auditors will rely on a penetration test to ensure that any vulnerabilities in the system are identified and addressed.

6. Incident Response and Logging

Test the extent to which the organisation has developed and tested incident response plans specific to the cloud environment. These plans should include a comprehensive test programme with a key focus on lessons learnt. In addition, many organisations are employing Security Information and Event Management (SIEM) systems to monitor, log and analyse security events. The auditor should consider how these systems are configured and whether the data generated is being used appropriately to improve security and resilience.

7. Backup and Disaster Recovery

Just as with an on-site IT provision, the existence and effectiveness of backup processes is critical; it is no different in the cloud. Our audits should still include an assessment of the approach to backup and recovery, with a specific focus on testing and on what actions are taken where restores fail in whole or in part.

8. Vendor Management

Consider third-party assessments or certifications to validate the security posture of the cloud environment. Many cloud providers undergo independent audits, and obtaining relevant certifications can provide assurance to customers. Reviewing a cloud service provider's own security documentation can add a level of confidence, but this is not really feasible when dealing with global providers.

9. Performance and Availability

Cloud environments generate a vast number of logs and events. We should check whether the organisation has configured these logs and, more importantly, is using them to detect and respond to security incidents promptly. Moving on from security, another key reason many organisations give to justify moving to the cloud is resilience, so we should assess the cloud service provider's commitment to maintaining availability by assessing the redundancy and failover mechanisms.
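Whether a SIEM (section 6) or the raw provider logs (above) are actually being used to detect incidents is easiest to judge by looking at what rules run over them. The script below is an added example, not the article's or Validera's code, and it is not a SIEM; it shows the kind of rule an auditor would expect to find. The events are constructed and loosely modelled on the shape of a CloudTrail record (user names, times and the RFC 5737 test addresses are hypothetical). The rules flag root account use, console login without MFA, a security group opened to the internet and tampering with audit logging, and a final step counts alerts per source address, since several alerts from one address point to a single incident rather than to noise.

```python
"""Rule-based detection over constructed cloud audit-log events."""
import json
from collections import Counter

# Constructed sample events, loosely modelled on the shape of AWS CloudTrail
# records. Names, times and addresses are hypothetical.
SAMPLE_LOG = """
{"eventTime":"2024-03-01T08:01:12Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"additionalEventData":{"MFAUsed":"Yes"},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2024-03-01T08:05:40Z","eventName":"ConsoleLogin","userIdentity":{"type":"Root"},"additionalEventData":{"MFAUsed":"No"},"sourceIPAddress":"198.51.100.7"}
{"eventTime":"2024-03-01T08:06:02Z","eventName":"AuthorizeSecurityGroupIngress","userIdentity":{"type":"Root"},"requestParameters":{"groupId":"sg-db","cidrIp":"0.0.0.0/0","fromPort":5432},"sourceIPAddress":"198.51.100.7"}
{"eventTime":"2024-03-01T08:07:15Z","eventName":"StopLogging","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"198.51.100.7"}
{"eventTime":"2024-03-01T09:00:00Z","eventName":"GetObject","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"203.0.113.10"}
"""

# Events that reduce or alter the audit trail itself.
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def parse_events(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def actor(event):
    """Name the principal behind an event; the root account is reported as 'root'."""
    identity = event.get("userIdentity", {})
    return "root" if identity.get("type") == "Root" else identity.get("userName", "unknown")


def _alert(event, severity, message):
    return {"severity": severity, "actor": actor(event), "time": event.get("eventTime"),
            "source_ip": event.get("sourceIPAddress", "unknown"), "message": message}


def detect(events):
    """Apply the detection rules and return a list of alert dicts."""
    alerts = []
    for event in events:
        name = event.get("eventName")
        if actor(event) == "root":
            alerts.append(_alert(event, "high", f"root account used for {name}"))
        if name == "ConsoleLogin" and event.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            alerts.append(_alert(event, "high", "console login without MFA"))
        if name == "AuthorizeSecurityGroupIngress":
            params = event.get("requestParameters", {})
            if params.get("cidrIp") == "0.0.0.0/0":
                alerts.append(_alert(event, "high",
                                     f"{params.get('groupId')} port {params.get('fromPort')} opened to the internet"))
        if name in LOGGING_TAMPER_EVENTS:
            alerts.append(_alert(event, "high", f"audit logging changed ({name})"))
    return alerts


def alerts_by_source(alerts):
    """Count alerts per source address to group them into likely incidents."""
    return Counter(a["source_ip"] for a in alerts)


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_LOG))
    for a in found:
        print(f"{a['time']} [{a['severity']}] {a['actor']} from {a['source_ip']}: {a['message']}")
    print(dict(alerts_by_source(found)))
```

On the constructed log the routine activity by the named user raises nothing, while the five alerts (root login without MFA, a database port opened to the internet by root, and logging switched off) all come from one address within a few minutes. The audit question is whether the organisation's SIEM has rules of this kind, who receives the alerts, and what its incident response plan says happens next.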

One other area of benefit is the cost saving related to scalability: the ability to increase or decrease the cloud footprint as requirements change. Realising it requires the organisation to have a mature approach to capacity planning and resource usage, which is not always straightforward.

10. Documentation and Training

Assess the adequacy of training programmes, ensuring they cover best practices, security policies and the potential risks associated with cloud computing, and validate attendance to ensure that employees are educated on the unique security considerations of cloud environments.

11. Continuous Monitoring and Improvement

Cloud environments are dynamic, with changes occurring regularly. Assess the extent to which the organisation has implemented continuous monitoring practices to regularly reassess and update its security measures, adapting to evolving threats and technology changes.

Conclusion

Auditing a cloud IT environment requires a thoughtful approach to understand the unique challenges posed by cloud computing: the audit principles change very little, but the way they are applied does. Migrating to the cloud is a shared responsibility between the customer and the cloud service provider (CSP). CSPs such as Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure are all ISO 27001-certified for the aspects they are responsible for, such as the data centre and network infrastructure. Hence a good starting point and benchmark for a compliance audit programme may as well also be ISO 27001.

The audit program should be tailored to the specific cloud service provider and the organisation's unique requirements.


Steven Connors is a director of Validera. Validera provides internal audit and related governance, risk and compliance services to the private and not-for-profit sectors.