Cloud services

In general, there are three cloud service models, covered in the following list. This book will focus on the first two:

  • Infrastructure as a Service (IaaS): In this service model, the cloud customer manages the virtual compute, storage, and network resources through a portal (also known as a management plane) or through the CSP's APIs. The customer is not responsible for securing the underlying physical hardware but is responsible for the operating systems and software running within this service. As an auditor, some key testing and control questions to ask could include the following:
      ◦ Who has access to the management plane to administer the infrastructure resources?
      ◦ Who has access to the administration APIs?
      ◦ Which images are being used, and do they adhere to company policies and standards?
      ◦ What is the backup strategy being used for the infrastructure?
      ◦ What is the process used for maintaining patching?
  • Platform as a Service (PaaS): In this service model, the CSP manages the hosting environment, services, and tools, and the customer creates, manages, and deploys the applications running within the environment. The CSP is generally responsible for both the physical and virtual infrastructure security and maintenance. As an auditor, some key testing and control questions to ask might include those previously shown, as well as the following:
      ◦ What is the process for reviewing and managing changes made by the CSP as part of the periodic updates and patches it may be applying?
      ◦ Who has access, and what is the process, to deploy a new application?
      ◦ Is this application internal- or external-facing? What are the network controls that determine who can reach this application?
  • Software as a Service (SaaS): With this service model, the customer interacts with an application that has been built and provided by the CSP. This application may be hosted with the CSP or with another third party; however, responsibility for the security and configuration of the entire underlying infrastructure generally rests with the CSP. In this instance, some key testing and control questions an auditor may ask could include the following:
      ◦ Which data does this application have access to?
      ◦ How is this application integrated, through APIs and other methods, into other parts of the IT environment?
      ◦ Who is responsible for managing users and the user life cycle regarding access to this application?
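The first two IaaS questions above (who can administer resources through the management plane, and who can call the administration APIs) are usually answered by reading the identity policies attached to each principal rather than by asking people. The script below is an added example, not code from the book: it assumes an AWS-style IAM policy document (Statement, Effect, Action/NotAction, Resource) and a constructed inventory of principals and their attached policies, then probes a handful of representative management-plane actions. Resource and Condition elements are deliberately ignored (an assumption stated in the code) because the auditor's first question is simply whether the action can be called at all; explicit Deny and the NotAction form are handled because both are frequently misread during manual review.

```python
import fnmatch

# Representative management-plane actions to probe for. The list is an
# assumption for this example; adjust it to the CSP and scope under audit.
PROBE_ACTIONS = [
    "iam:CreateUser",
    "iam:AttachUserPolicy",
    "ec2:RunInstances",
    "ec2:TerminateInstances",
]

# Constructed sample inventory (not real data): principal -> attached policy documents.
SAMPLE_PRINCIPALS = {
    "platform-admin": [
        {"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    ],
    "ops-readonly": [
        {"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow",
                        "Action": ["ec2:Describe*", "iam:Get*", "iam:List*"],
                        "Resource": "*"}]},
    ],
    "deploy-role": [
        {"Version": "2012-10-17",
         "Statement": [
             {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
             {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
         ]},
    ],
    "developer": [
        {"Version": "2012-10-17",
         # NotAction grants everything EXCEPT iam:*; easy to misread as a restriction.
         "Statement": [{"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]},
    ],
}


def _as_list(value):
    """Policy elements such as Statement/Action/NotAction may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(action, patterns):
    """Case-insensitive glob match (IAM action names are not case-sensitive)."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def statement_covers(stmt, action):
    """True if the statement's Action or NotAction selector includes `action`."""
    if "NotAction" in stmt:
        return not _action_matches(action, _as_list(stmt["NotAction"]))
    return _action_matches(action, _as_list(stmt.get("Action")))


def is_allowed(policies, action):
    """Simplified evaluation: an explicit Deny wins, otherwise any Allow grants,
    otherwise implicit deny. Resource and Condition are ignored by assumption."""
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc.get("Statement")):
            if not statement_covers(stmt, action):
                continue
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


def management_plane_report(principals, probe_actions=PROBE_ACTIONS):
    """Map each principal to the probe actions its policies effectively allow."""
    return {name: [a for a in probe_actions if is_allowed(policies, a)]
            for name, policies in principals.items()}


if __name__ == "__main__":
    for name, granted in management_plane_report(SAMPLE_PRINCIPALS).items():
        flag = "REVIEW" if granted else "ok"
        print(f"{flag:6} {name}: {', '.join(granted) or '-'}")
```

In practice the inventory would be exported from the CSP's identity service and the report reconciled against the approved administrator list; any principal flagged REVIEW that is not on that list is an audit finding. Note that "developer" is flagged for EC2 administration even though its policy never names an EC2 action, which is exactly the kind of grant a manual read of the policy tends to miss.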

In the previous sections, we covered some foundational information about the architecture of cloud environments and the types of cloud services that you, as an auditor, may find as you begin to perform an IT general computing controls audit. As a final step in building your foundational toolkit and preparing to learn auditing best practices, we'll next look at how to perform basic navigation of a cloud environment.