You’ve passed your SOX audit, but is your cloud environment really secure?
Blog Article Published: 08/10/2020
By Petrina Youhan, Director of Channel Partnerships and Services at Hyperproof
Many organizations believe their cloud environment is secure because they passed their Sarbanes-Oxley (SOX) audit, but passing an audit doesn’t necessarily mean that your cloud environment is secure. Cloud environments have unique risks that are not fully addressed by SOX. Additionally, while SOX does support good IT control hygiene, the actual scope of a SOX audit leaves out key security principles that are imperative for ensuring your cloud environment is secure.
SOX requires that organizations establish and comply with internal controls over financial reporting, and a variety of IT security controls are included within the scope of SOX because they support data integrity. SOX audits really only cover a small part of cloud security and IT infrastructure.
The typical IT scope of SOX covers:
- Access Security: e.g., user access privileges and authentication
- Data Center & Network Operations: e.g., data backups, job scheduling and network security
- System Change: e.g., changes made to applications, databases, network and operating systems, as well as data conversion
The ultimate goal of an effective risk management strategy is maintaining a risk environment that is within an acceptable risk tolerance level for the organization. This requires a cloud risk mitigation strategy that addresses the inherent risk of keeping sensitive data in the cloud and aligns with the broader risk management strategy of an organization. While I recommend leveraging a comprehensive framework, such as The Cloud Security Alliance Cloud Controls Matrix (CCM), in this article I will focus on the following control categories: Governance, Change Control, Identity & Access Management, and Logging and Monitoring.
When effective cloud governance controls are not in place, sensitive data is at risk of being exposed publicly. A few key areas of cloud governance include the following:
- Asset Management: It’s important for organizations to be aware of all of the cloud services within their cloud environment as well as the data that resides within them. Organizations should define how every cloud service must be securely configured to prevent it from becoming exploitable.
- Cloud Strategy & Architecture: Organizations should clearly define the cloud account structure, ownership, and accountability. Additionally, cloud security should be integrated into the organization’s security policies, procedures, and standards.
- Financial: Cloud services have different pricing models, which can result in unexpectedly high costs. Organizations should establish a process to ensure all purchases of cloud services are authorized. Additionally, a DevFinOps function is helpful for aligning cloud usage with cost efficiency.
Ineffective change control is a common cause of misconfiguration in cloud environments. The agility, speed, and flexibility of cloud environments make changes difficult to control. Change processes in traditional on-premises environments typically involve multiple roles and approvals and can take days or weeks. In the cloud, infrastructure is software, and a resource’s entire lifecycle may last only minutes or seconds. Companies should use automation and leverage cloud services to continuously monitor configurations and immediately remediate issues.
Cloud services introduce multiple changes to traditional identity and access management (IAM) practices. A few leading practices for IAM in the cloud include:
- If possible, disable the root account. The root account has unrestricted access to all resources in the cloud account, so the potential impact of its compromise is severe. Usage of the root account should be monitored through log metric filters and alarms, and MFA should be enabled on it.
- Implement role-based access. Assign privileges at the group level, not to individual users.
- Segregate and segment accounts, virtual private clouds (VPCs), and identity groups based on business needs and the principle of least privilege.
- Rotate keys, remove unused credentials and access privileges, and employ effective key management.
- Disable dormant accounts after a set period of inactivity.
- Enforce MFA for all accounts that have access to the administrative console.
The complexity of cloud environments, the wide array of cloud services, and the decentralized nature of the cloud place an even greater need on effective logging and monitoring. Additionally, logging and monitoring are needed to make use of the robust detective and corrective controls that cloud services provide. Key considerations for logging and monitoring include the following:
- Ensure logging is enabled for all cloud resources.
- Protect the logs through encryption and ensure they are not stored in publicly facing storage objects.
- Monitor log activity and establish log metrics and alarms.
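The IAM practices above (monitoring root account usage, enforcing MFA on console access, disabling dormant accounts) and the “establish log metrics and alarms” point are easiest to see as detection logic run over audit log events. The following is an added example, not code from the article or from Hyperproof; it runs over a handful of constructed events shaped like AWS CloudTrail records (the field names `userIdentity.type`, `eventName` and `additionalEventData.MFAUsed` are real CloudTrail fields, the values and the 90-day dormancy threshold are assumptions for illustration).

```python
import json
from datetime import datetime, timedelta

# Constructed sample events in the shape of CloudTrail records (not real logs).
SAMPLE_EVENTS = [
    {"eventTime": "2020-10-01T08:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2020-10-01T09:15:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2020-10-02T10:00:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2020-07-01T10:00:00Z", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}},
]

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def root_usage(events):
    # Any activity by the root identity is alert-worthy, MFA or not.
    return [e for e in events if e["userIdentity"].get("type") == "Root"]

def console_logins_without_mfa(events):
    # Console logins where MFA was not used (missing field counts as "No").
    return [e for e in events
            if e["eventName"] == "ConsoleLogin"
            and e.get("additionalEventData", {}).get("MFAUsed") != "Yes"]

def dormant_users(events, now, max_idle_days=90):
    # IAM users whose most recent activity is older than the idle threshold.
    last_seen = {}
    for e in events:
        ident = e["userIdentity"]
        if ident.get("type") == "IAMUser":
            t = parse_time(e["eventTime"])
            name = ident["userName"]
            if name not in last_seen or t > last_seen[name]:
                last_seen[name] = t
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(n for n, t in last_seen.items() if t < cutoff)

def findings(events, now):
    # One report that a metric filter / alarm pipeline would raise on.
    return {"root_usage": [e["eventTime"] for e in root_usage(events)],
            "console_login_no_mfa": [e["userIdentity"].get("userName", "root")
                                     for e in console_logins_without_mfa(events)],
            "dormant_users": dormant_users(events, now)}

if __name__ == "__main__":
    print(json.dumps(findings(SAMPLE_EVENTS, parse_time("2020-10-05T00:00:00Z")), indent=2))
```

In a real deployment the same three checks map onto log metric filters and alarms fed from the cloud provider’s audit trail, rather than a script over a static list.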
Security and compliance may serve different purposes. However, there is key overlap between them, and the failure of either can have significant implications. It’s important to understand the overlap, what may be missing, and to continuously monitor the effectiveness of the controls. Today, organizations can utilize innovative continuous compliance solutions to manage their control environments and easily identify where the overlap is between security and compliance risk mitigation strategies.
About the Author
Petrina Youhan, CPA and CISSP, is the Director of Channel Partnerships and Services at Hyperproof. Prior to joining Hyperproof, she worked at a Big 4 firm advising clients across the second and third lines of defense. Petrina has designed and implemented compliance programs, led IT security and regulatory assessments, and overseen compliance managed service offerings. Her vast experience spans organizations of all sizes, ranging from startups through mid-sized and global companies.