Cloud architecture

There are an infinite number of variations on how a company may choose to implement its cloud environment, and each may have nuances to consider when performing an audit assessment; however, we will focus on the most important general concepts you will encounter and need to know to build a good foundation concerning cloud architecture. Let’s find out what they are in the following sections.

Public and private cloud deployments

A company may choose to operate within either a public or private cloud environment, or even some combination of the two, depending upon its business, operational, security, and/or compliance requirements. With a public cloud deployment, the company has chosen to use services from a CSP, where the CSP manages the physical infrastructure in a location that is owned/managed by the CSP. In the case of a private cloud deployment, the infrastructure may be managed either on-premise at the customer’s location or by a third-party CSP. A private cloud restricts the use of the infrastructure to a single company or organization.

Hybrid cloud environments

Considering that there are companies that have been around much longer than the concept of cloud computing has existed, it can be expected that a large number of organizations operate in environments that use a combination of on-premise and cloud IT technologies. This may be due to the complexity of migrating all their legacy functionality to the cloud, or there may be legal, compliance, security, or data sensitivity reasons. Referring to the information we covered on the shared responsibility agreements between CSPs and customers, the customer may have chosen not to accept the risk related to moving certain applications or workloads into a cloud system. Having the context of why the customer is operating within a hybrid environment is highly relevant to understanding which security and data controls should be in place to maintain the separation, to assessing the effectiveness of the controls that have been put in place to protect boundaries, and to understanding and articulating the risk if boundaries have been crossed as part of the use or integration of a particular cloud service.

Cloud-native/cloud-first environments

Some companies have chosen to adopt a technology philosophy of only using solutions that are built in the cloud and specifically for cloud environments. In this type of architecture, it becomes critical to rely on third-party audits (such as SOC 2), to consider the time period and cycle of such audits, and to assess where gaps may exist between the third-party-assessed controls of the cloud provider and the controls that the customer requires.

Multi-cloud environments

As companies utilize more cloud services, it is becoming increasingly common to find architectures that are based on multi-cloud environments. Having a multi-cloud environment means the company is leveraging one or more service models from at least two different cloud providers. In some cases, this may be to take advantage of the best-in-class features of a given CSP, or it may be to support redundancy or other business operational requirements. In assessing multi-cloud environments, the auditor should be familiar with each of the cloud platforms and understand any integration occurring between them. Now that we have learned about the forms of cloud architecture and their impact on auditing, we will look at the various types of cloud services.