Auditing frameworks and governance

With the growth of enterprises using cloud services, frameworks with specific best-practice cloud controls have been created by several reputable sources and are a great starting point for developing new cloud-specific controls for a business. Organizations such as the Cloud Security Alliance (CSA) and ISACA have published both general controls for cloud environments and some that are specific to individual cloud vendors. One thing to keep in mind is that these really should be treated as a starting point. Depending on how your enterprise is integrated, the services it has adopted, and whether it runs a multi-cloud environment, you will likely need to make some adjustments to ensure that all risks are covered and that the testing procedures reflect the specific environment you are testing.

The CSA is a non-profit organization that not only offers education and information on securing cloud environments but also offers certifications for individuals as well as an assurance registry of trusted cloud providers. The Cloud Controls Matrix (CCM), which can be found at https://cloudsecurityalliance.org/research/cloud-controls-matrix/, is focused on cybersecurity controls and is periodically updated to remain relevant as cloud computing changes. In the Effective techniques for aligning IT controls to cloud environments section earlier in the chapter, we reviewed that an IT auditor performing due diligence within a cloud system should expect cybersecurity to be reflected in operational risks and fully incorporated into operating controls; referencing the CSA CCM will assist with this. An additional advantage of the CCM is that its controls are mapped to other well-known global security standards, regulations, and control frameworks, which helps reduce the number of reference resources you might otherwise need for your auditing goals.

ISACA is another well-known global organization focused on equipping those in the governance, risk, and security domains with best practices, education, and frameworks that support assurance and control assessment. ISACA may be best known for its COBIT framework as well as several certifications related to IT risk management and IT auditing, including the Certificate of Cloud Auditing Knowledge (CCAK), which was developed in conjunction with the CSA. Like the CSA, ISACA offers a general cloud computing audit program/framework. This program does not provide a mapping to other industry standards and controls, but it does map to controls within COBIT. Additionally, ISACA offers more specific audit programs for some cloud service providers, with general testing step information that can be referenced.

In addition to CSA and ISACA resources, traditional security frameworks continue to be extremely valuable when auditing an enterprise cloud environment, and as highlighted earlier in this section, some cloud-specific frameworks refer back to other established IT general control frameworks. Another resource that IT auditors may find valuable when establishing enterprise cloud controls is the one made available by the Center for Internet Security (CIS). CIS offers both general and cloud provider-specific controls focused on cybersecurity and on hardening an IT/cloud environment. Like the CSA's controls, the CIS controls are mapped to other established regulatory and security frameworks.

Beyond the items listed, there are many other established frameworks that an IT auditor can use and map cloud controls to. The important step with these traditional frameworks is understanding what your testing procedures will be in the cloud to address each control, and for those new to cloud computing, this may be a challenge. Given the additional overhead of performing that step, it is worthwhile to leverage cloud-specific frameworks for the cloud-specific portion of your IT auditing whenever you are able to.

In this section, we’ve covered helpful techniques for aligning IT general controls with enterprise cloud risk and control assessments. Now that we have an idea of how to align our controls with enterprise cloud environments, let’s look at the tools available to assist with performing cloud audits across the three major cloud providers.