Auditing the cloud

Cloud computing enables organisations to streamline their complex internal IT structure, allowing them to focus on strategy rather than operations and respond quickly to changing marketplace conditions. Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (for example, networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Cloud computing is a strategic choice for many firms providing a   variety of choices; however, like most technology changes, the cloud presents its share of risks and challenges that are often overlooked or not fully understood.

Common cloud computing related risks are:

• Infrastructure and architectural risks - These risks arise if cloud service providers (CSPs) do not achieve performance requirements that organisations and the CSPs have defined and agreed to at the outset of the contract.
• Standards and interoperability risks - The level of risk in this space could increase if the organisation’s systems and those of the provider cannot communicate with one another.
• Regulatory and compliance risks - Organisations using cloud computing services, particularly software-as-a-service (SaaS), have lower transparency and ownership over security controls and processes that providers implement, which could potentially increase the risk of not being aware of regulatory or compliance breaches.
• Cloud vendor management and governance risks - Contractual risks stem primarily from the types of contracts that clients enter with CSPs, which may not be entirely reflective of the services being provided or the impact of any changes to the organisation’s existing environment.
• Business continuity risks - An organisation needs to consider the potential risks to its own business continuity given the dependency on their CSP’s business continuity programme and disaster recovery capabilities, which may not align to their own plans.
• Strategy alignment and governance risks - These can arise when an organisation has not adopted a governance model which includes an enterprise-wide cloud risk management approach.

How to overcome risks related to cloud?

Organisations should apply a holistic view and consider all opportunities and risks to understand their future security posture in the cloud. It’s important to consider legal and regulatory requirements and address them, considering all aspects of the business.

In addition, establishing a proper cloud security operations model will help organisations to ensure clarity over regulatory compliance, data classification and data governance, as well as operation risk management. Organisations need to respond to the challenge of rethinking and adjusting existing security operations processes due to the potential risk of outdated security controls during and after transforming to the cloud. Updating controls includes assessing the current controls catalogue to determine if these controls are still appropriate, if new controls are necessary and whether key risk indicators (KRIs) must be adjusted.

Internal audit (IA) considerations

IA is in a strong position to identify critical risks in the cloud environment they play a key role in the continuous assessment of risk due to the evolvement of cloud services and engages the business leadership of the organisation to assist the mitigate identified risks.

However, IA is facing challenges in defining the scope of the cloud-related audits due to the dependency on third parties such as CSPs, access to the data, and lack of skills and expertise within the audit teams. 

The following are the areas and questions that IA will need to consider at the planning stage of the cloud related audits when deciding the scope of the audits:

1. Cloud strategy and governance: IA should consider evaluating the alignment of cloud strategy with the overall business objective of the organisation.

• Is there an agreed exit plan to minimise issues should an organisation have to leave a CSP?
• Are cloud policies integrated with legal, procurement and IT policies?
• Are supporting policies including legal, governance and compliance in place?
• Are cloud services applications aligned to overall company objectives?
• Has the organisation considered a multi-cloud model to address potential concentration risks

2. Cloud security and privacy: Both the organisation and cloud service provider share the responsibility (albeit to differing levels, depending on the cloud service adopted) of maintaining the cloud environment's security and data privacy. Therefore, it is essential that IA assesses the CSPs information security practices and procedures as part of the audit.

• Are procedures for periodic security assessments of the CSPs in place to evaluate internal security measures taken to protect company information and data?
• Does the organisation apply secure authentication protocols for users working in the cloud?
• Are the CSPs Service Organisation Control (SOC) 1, 2 or 3 reports provided to the organisation?
• Does the organisation utilise security service level agreements (SLAs) or conduct on-site vendor audits?
• Have security safeguards been established in the contracts with the provider covering their implementation?

3.   Cloud provider services: It is important that IA assesses the ability of the CSP to meet or exceed the agreed-upon SLAs in the contract and the contingency plans in case of failure, liability agreements, extended support, and the inclusion of other terms and conditions as part of the service contracts, as well as availability, incident and capacity management, and scalability.

• Are SLAs in place for uptime, issue management and overall service?
• Does the organisation track and document compliance of the CSP with SLAs, deviations noted, root cause, and corrective and preventive actions taken by the cloud provider?
• Are the CSP’s contingency plans and readiness in the event of major incidents in line with the contractual agreements?
• Is there an inventory of uses of external CSPs, sponsored both within IT and directly by the business units?

IA should also explore the opportunity to utilise the data that is readily available in the cloud for purposes of continuous monitoring; as your IA data analytics journey gets up to full speed, the volume of data offered by CSPs makes this a prime candidate for analytics and potentially continuous control monitoring.

 Having a comprehensive cloud operating model in place and focusing on security aspects at any stage of any cloud journey will allow any organisation to protect its most valuable assets, data, and intellectual property. IA plays a crucial role in supporting the organisation's cloud journey by being a trusted advisor and assurance provider.

Disclaimer: The views reflected in this article are the views of the authors and do not necessarily reflect the views of the global EY organisation or its member firms.