What an Auditor Should Know about Cloud Computing Part 3
With the launch of the Certificate of Cloud Auditing Knowledge (CCAK) credential by ISACA and CSA, Moshe Ferber has put together some of the insights gained during the creation of the CCAK. This is the third in a series of three blogs dealing with the essentials an auditor needs to know about cloud computing.
We began our series of blogs on the subject of “what an auditor needs to know about cloud computing” by explaining essential cloud terminology and how the different cloud models can affect governance. We then went on to discuss cloud governance in greater depth, and reviewed the foundations of governance - security assessment, contracts, and cloud policy.
In this section, we will take a dive into the tools and resources available to help auditors perform cloud auditing and assessment more effectively.
The first port of call for any auditor about to embark on a cloud audit is to check out the client’s cloud policy. The cloud policy defines the cloud migration process, sets out all relevant phases and stakeholders, identifies the risks and threats associated with the cloud migration, and puts in place measures for managing those risks. A good base reference for the cloud risks that should be covered is the top threats to cloud computing report released periodically by the Top Threats Working Group of the Cloud Security Alliance (CSA).
When building the cloud policy itself, the CSA’s Cloud Octagon Model offers an approach to assessing risk in cloud computing, especially for SaaS adoption. The model provides practical guidance and structure for all risk parties and operational teams involved. Organizations can choose to adopt the framework in its entirety or may choose to adopt only relevant parts.
When evaluating cloud providers, a mix of standards, best practices, and controls checklists is used.
One of the primary tools in the market for evaluating providers is the CSA’s Consensus Assessment Initiative Questionnaire (CAIQ), which has become a standard for documenting security controls. Cloud providers use CAIQ to elaborate on their security posture, while cloud consumers use CAIQ to evaluate provider controls and maturity.
CAIQ is part of the CSA’s STAR program, a multi-layer assurance program that covers the necessary pillars, from top to bottom.
STAR is founded on technical best-practice standards for security and privacy, which comprise:
- The Cloud Controls Matrix (CCM) - the CSA framework that unifies requirements from multiple laws, regulations, and standards into a single control framework.
- The CSA GDPR Code of Conduct - a best practice document for GDPR compliance, providing transparent guidelines for the level of data protection the providers are offering.
Another STAR program foundation is the Open Certification Framework (OCF), which delivers a global certification program for cloud providers. The OCF has three levels, ranging from self-assessment (moderate assurance) to continuous audit and compliance (very high assurance). Auditors can use the program to leverage cloud-agnostic standards, such as SOC 2 and the ISO/IEC 27000 series, for cloud-specific implementation at different assurance levels.
Over time, the CSA has developed additional tools to support the STAR program, including STARWatch - a SaaS application operated by the CSA to help organizations manage compliance by providing CCM and CAIQ knowledge in a more accessible format.
To conclude, these three blog posts have covered the essentials that auditors need to know about cloud computing: first, understanding cloud models and deployments and how they affect governance considerations; second, understanding cloud governance pillars such as security policy and cloud audits; and finally, the CSA tools created to assist security professionals in evaluating and securing cloud services. Hopefully you have found the series useful and, of course, if you have any questions on any of the above, please feel free to reach out via the CSA Circle network or social media.
Learn more about cloud auditing by attending the CCAK Virtual Instructor-Led Training, taught by the author of this blog series, Moshe Ferber.
The Certificate of Cloud Auditing Knowledge (CCAK) fills a gap in the market for vendor-neutral, technical education for IT audit, security and risk professionals, helping their organizations reap the full benefits of cloud environments. The objectives of the 3-day CCAK training are to provide knowledge about:
- Cloud security assessment methods and techniques, and how to use them to evaluate a cloud service prior to and during the provision of the service
- How to ensure that a cloud service is compliant with the company requirements and is aligned with the governance approach of the organization
- Cloud and hybrid security auditing for those with on-prem IT security auditing roles and backgrounds
Moshe Ferber is a recognized industry expert and popular public speaker, with over 20 years of experience at various positions ranging from the largest enterprises to innovative startups. Currently Ferber focuses on cloud security as a certified instructor for the CCAK, CCSK & CCSP certifications and participates in various initiatives promoting responsible cloud adoption.