What an Auditor Should Know about Cloud Computing Part 1

An Introduction to Cloud Terminology and General Governance

Written by Moshe Ferber, CCSK and CCAK Instructor

This is the first in a series of three blogs dealing with the essentials an auditor needs to know about cloud computing. In recent years, there has been a strong focus on building cloud platforms correctly, mastering the internal workings of those platforms and how to use them properly, finding ways to correct misconfigurations, and building better applications. Now that those types of issues are under control, we have transitioned to the next phase:

• Mastering how to audit those deployments
• Maintaining assurance levels
• And governing cloud deployments into the future.

With the launch of the Certificate of Cloud Auditing Knowledge (CCAK) credential by ISACA and the Cloud Security Alliance (CSA), I have put together some of the insights gained during the creation of CCAK, and summarize here the key points that auditors need to know about the cloud.

Understanding cloud terminology

There is a growing need for security professionals and auditors to understand specific cloud terminology. A good place to start is the NIST definition of cloud computing, which enables us to make broad comparisons of cloud services and deployment strategies, and provides a baseline for discussion on a range of topics. It answers questions from ‘what is cloud computing’ to ‘how cloud computing can be best used’. While we are not going to explain each term in great detail, it is recommended to get a broad understanding, because they heavily affect governance and the auditor’s role when carrying out assessments.

Characteristics of Cloud Computing

Certain regulations require us to adopt specific controls and processes when migrating to the cloud. But it is not always clear whether a certain service is actually cloud based, or another form of compute, such as hosting, or is simply an outsourced service. To help us identify instances of cloud computing, NIST identifies five characteristics: rapid elasticity, broad network access, measured service, self-service and resource pooling.

Cloud Service Levels

There are three levels of cloud service: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). These are arguably the most important cloud terms to understand. Each service level has its own characteristics and requires different governance, risk management and security considerations to be taken into account. Responsibility increasingly shifts from consumer to provider as we go up from IaaS to PaaS, to SaaS, as illustrated in the infographic below.

The shared responsibility model:

Cloud Deployment Models

The type of cloud deployment used falls into one of four categories: private, hybrid, community and public. The choice will depend on factors such as business needs and relevant regulatory requirements. Each deployment model requires different governance frameworks; while traditional IT governance may be sufficient for private clouds, public cloud governance requires us to adopt new governance frameworks, such as third-party audits, vendor risk management and compliance reports.

Cloud governance

All this leads us to cloud governance. ISACA defines ‘governance’ as the method by which an enterprise ensures that stakeholder needs, conditions and options are evaluated, to determine balanced, agreed-upon enterprise objectives and ensure that they are achieved.

One aspect of corporate governance is IT governance. IT governance ensures that information-related technologies support and enable enterprise strategy and objectives. IT governance standards include examples such as ISO 38500, ISO 28014 and ISACA COBIT.

Why is it important? IT governance plays an important role in information security by enabling organizations to shape their attitude toward risk, define their risk appetite, measure risk and ensure that their overall security posture matches the anticipated risk.

Within the IT governance framework sits the cloud governance framework. While an organizational governance policy defines an organization’s tolerance for risk, and an IT governance policy deals with identifying the right stakeholders and setting the control framework, a cloud governance policy uses these criteria as a baseline for actual policy.

As part of cloud governance, organizations will also define the principles of cloud governance, including ways to evaluate providers, minimum security requirements, regulations and standards to adhere to, and controls checklists.

In our next post, we shall discuss the foundations of cloud governance, in particular cloud security policy, cloud security assessment and cloud contracts.

Learn more about cloud auditing by attending the CCAK Virtual Instructor-Led Training, taught by the author of this blog series, Moshe Ferber.

Introducing the Certificate of Cloud Auditing Knowledge (CCAK), this certificate fills a gap in the market for vendor-neutral, technical education for IT audit, security and risk professionals to help their organizations reap the full benefits of cloud environments. The objectives of the 3-day CCAK training are to provide knowledge about:

• Cloud security assessment methods and techniques, and how to use them to evaluate a cloud service prior to and during the provision of the service
• How to ensure that a cloud service is compliant with the company requirements and is aligned with the governance approach of the organization
• Cloud and hybrid security auditing for those with on-prem IT security auditing roles and backgrounds

Click here to register and learn more about the training.

Moshe Ferber is a recognized industry expert and popular public speaker, with over 20 years of experience at various positions ranging from the largest enterprises to innovative startups. Currently Ferber focuses on cloud security as a certified instructor for the CCAK, CCSK & CCSP certifications and participates in various initiatives promoting responsible cloud adoption.