What an Auditor Should Know about Cloud Computing Part 2
Deep Dive into Cloud Governance
With the launch of the Certificate of Cloud Auditing Knowledge (CCAK) credential by ISACA and CSA, Moshe Ferber has put together some of the insights gained during the creation of the CCAK. This is the second in a series of three blogs dealing with the essentials an auditor needs to know about cloud computing.
Written by Moshe Ferber, CCSK and CCAK Instructor
In the previous post, we discussed the importance of cloud service and deployment models for the organization's cloud governance program, and how a cloud governance program is part of the IT governance program, which in turn is part of the corporate risk management program.
In this second post, we dive deeper into the cloud governance program and its basic pillars.
Cloud governance challenges
Three key factors make cloud computing governance more complicated than regular IT governance:
- Migrating to the cloud means introducing new business models;
- Cloud computing introduces new technologies, which bring with them new advantages but also new risks and attack vectors;
- Cloud computing introduces new third-party management relationships, often with providers based in different jurisdictions.
Each of these three factors introduces governance challenges. An organization needs to put in place a cloud governance program in order to manage these challenges, and to ensure that the cloud migration supports its business goals and provides value to stakeholders. This program relies on the following pillars:
- Cloud security policy
- Cloud security assessments (audits)
- Cloud contracts
Cloud security policy
The goal of a cloud security policy is to provide practical guidelines for cloud migrations. These will be rooted in the organization’s ERMF (Enterprise Risk Management Framework), which sets the baseline for its attitude toward risk. The policy should identify potential risks, evaluate them and set out steps for managing them, according to the organization’s risk perception.
Migration guidelines dictate which elements of the organization’s operations may be migrated to the cloud. These will take into account relevant laws and regulations that, for example, limit the type of data that may leave the jurisdiction, and identify the relevant stakeholders and processes involved in ensuring compliance. The guidelines also depend on enterprise risk management, which may dictate which assets may not be migrated, and may include robust data classifications, such as a requirement that public data may be migrated but highly confidential data may only be migrated if securely encrypted.
The migration guidelines will also set out threats and risks to be considered (both during the migration and in the course of ongoing operations), identify key stakeholders for successful migration, and even cover the process of evaluating cloud providers in terms of legal, security, and operational requirements, providing standards and checklists for evaluating the providers’ security posture.
Cloud security assessments
Cloud audits are a useful tool for evaluating cloud security posture. The assessment may be carried out by an external third party or internally, and it may be triggered by external regulatory requirements or by an internal process. Scenarios in which a need for an audit may arise include: evaluating a new provider before migration, a periodic review of supply chain providers due to some regulatory requirement, and adding new workloads to existing environments.
Assessments are usually carried out against standards or checklists that contain controls. To properly select the relevant control frameworks, the assessor needs to understand:
- Which cloud service and deployment models are in use?
- What are the risks and threats associated with the specific cloud application?
- Which laws and regulations are relevant to the specific cloud application?
Examples of cloud-specific control frameworks include ISO 27017, BSI C5 and the PCI Cloud Guidelines.
Cloud contracts
Cloud contracts are a major foundation of governance since, by their nature, they address many potential cloud challenges. The cloud contract is necessary for a proper understanding of the shared responsibility model and compliance requirements, and provider-side controls and responsibilities can only be enforced if they are properly included there.
There is a common belief that cloud contracts are non-negotiable, but in the real world this is not always the case. While the larger providers (especially IaaS/PaaS providers) tend to be less flexible, smaller SaaS providers may be more flexible on certain aspects of a contract.
The terms and conditions of a cloud contract will usually address the following:
- Legal aspects: relevant jurisdictions, dispute handling, available remedies; and
- Service aspects: Service Level Agreement, support, provider/consumer responsibilities, security controls, standards.
This is a good place to note that certain organizational stakeholders should be included in any cloud governance program, and especially in contract negotiation and signing. These include:
- Legal department: responsible for the contract signing process. Legal experts are very important here, since in most cloud deployments the contract is the only way to enforce controls on the provider side;
- Procurement department: responsible for making sure each cloud service acquisition follows the cloud policy guidelines. Procurement experts also play an important role in cost optimization and cost governance (known today as cloud FinOps) by planning the budget, tracking deviations from it, and terminating orphan accounts (accounts left behind when an employee retired or left the organization).
Having now covered cloud governance, part 3 of our blog will review the resources at an auditor’s disposal for carrying out their assessment.
Learn more about cloud auditing by attending the CCAK Virtual Instructor-Led Training, taught by the author of this blog series, Moshe Ferber.
The Certificate of Cloud Auditing Knowledge (CCAK) fills a gap in the market for vendor-neutral, technical education for IT audit, security and risk professionals, helping their organizations reap the full benefits of cloud environments. The objectives of the 3-day CCAK training are to provide knowledge about:
- Cloud security assessment methods and techniques, and how to use them to evaluate a cloud service prior to and during the provision of the service
- How to ensure that a cloud service is compliant with the company requirements and is aligned with the governance approach of the organization
- Cloud and hybrid security auditing for those with on-prem IT security auditing roles and backgrounds
Moshe Ferber is a recognized industry expert and popular public speaker, with over 20 years of experience in various positions ranging from the largest enterprises to innovative startups. Currently Ferber focuses on cloud security as a certified instructor for the CCAK, CCSK and CCSP certifications and participates in various initiatives promoting responsible cloud adoption.