Effective techniques for aligning IT controls to cloud environments
As an IT auditor performing risk and controls assessments within an enterprise cloud environment, establishing audit goals is essential: it lets you draw a clear line between the controls to be tested and the process for testing those controls effectively within the cloud. As mentioned in the Preparing to perform a cloud audit section earlier in this chapter, the paradigm of classifying business versus IT functions has changed with the migration to the cloud, requiring a shift in how we think about and assess technical controls within an enterprise cloud. In a broad sense, in the cloud environment, we should focus on determining whether the risks and controls we are assessing for effectiveness are financially focused, operationally focused, or cybersecurity-focused, so that we arrive at a logical grouping or mapping of what should be in scope for testing. Let’s look at each of them in detail:
- Financially focused:
If the risks are determined to be financially focused, the control testing should identify who has access to modify control configurations for establishing new and extending existing resource and application capacity (including automated scripts that may perform this function), how those costs are allocated, and who receives billing and capacity related event information. From a financial standpoint, there also needs to be an awareness of any regulatory and legislative requirements that need to be adhered to (such as PII and data privacy protections) since violations of these requirements could lead to significant financial implications. In this instance, adopting controls and test procedures that focus on data security (storage, masking, encryption, and loss prevention) will be required.
- Operationally focused:
When the controls being assessed are centered around operational risks, the IT auditor will want to scope in controls related to the change management of IT resources within the cloud (including VMs, databases, applications and services, automated scripts, and APIs). To effectively assess change management, an asset inventory should be maintained, and asset management tools, configuration, and automated policies should be in scope for review. There should also be robust logging in place that captures changes being performed, as well as clear procedures and separation of duties technically enabled within the enterprise cloud. The retention period for these logs should also be reviewed. Another area that falls under operational risks would be assessing the software supply chain, especially in the case of enterprises that have adopted PaaS services to support their software development life cycles.
- Cybersecurity focused:
Although cybersecurity has been called out as a separate area of focus, the reality is that anything and everything that is digitally connected should be assessed for cybersecurity risks and control effectiveness. In this section, we’ve highlighted this separately for ease of pointing out more granular areas of cybersecurity controls. However, as part of due diligence on the part of an IT auditor, we strongly encourage the cybersecurity components to be incorporated into every enterprise cloud audit, and it may be beneficial to have the results of any recent pen testing findings while going through the controls assessment.
Your cybersecurity controls will fall into three categories that align with the acronym CIA, which is well known within the cybersecurity industry. It stands for Confidentiality, Integrity, and Availability, and essentially any cybersecurity control that protects a business should support one or more of these areas:
- In the area of Confidentiality, access to applications, services, and data is limited to those who require it. With this in mind, we should focus on IAM controls that support least-privilege and just-in-time zero-trust access for all identities, logical access controls and data loss procedures, automated policies that enforce security controls on dynamically configured resources (such as VMs), and properly configured network boundary and firewall controls.
- Next in the CIA triad is Integrity. Integrity assessments and controls should validate that applications, resources, and data all exist in the form in which they were intended, and that any changes have been appropriately authorized. In the cloud, controls focused on network and infrastructure resource management, default resource images and policies, and change management procedures should all be in scope for review. There should be established technical controls for how changes are approved (or rolled back), and the ability to detect any unauthorized changes in an environment, with an amount of logging configured that aligns with the ability to detect changes as well as the risk appetite of the enterprise. Technical data security policies exist and should also be part of the change management procedures.
- The last component of the CIA triad is Availability. The intent is to ensure cloud services are running and operational based on business service-level requirements. One area to have in scope here would be to assess monitoring and alerting configurations – in the event of service degradation, has monitoring and alerting been established to detect this, and does it align with business service-level requirements? Who will receive alerts and what is the technical process to review and respond? Are there preventative controls that are or can be put in place, such as failovers or automatic capacity increases? Another area to be mindful of when it comes to availability is backups and business continuity. Does the contractual agreement with the cloud service provider align with the business risk appetite and requirements? There should be a review of which resources and services are included in backups, where those backups are being stored, and for how long. And be sure to assess whether backups are being stored in the same region as the primary service and if this is an acceptable risk for the business. Additionally, it’s important to understand if the enterprise environment is multi-cloud and how that would impact business continuity.
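The Availability and Integrity questions above (are backups held outside the primary region, are backup and log retention periods long enough, is alerting configured and routed to someone) can be turned into repeatable audit tests over a resource inventory. The following is an added example written for this chapter, not code from the book or from any cloud provider; the inventory records, the field names, and the requirement thresholds are constructed assumptions standing in for what an auditor would export from the enterprise's own tooling.

```python
from dataclasses import dataclass

@dataclass
class Service:
    """One cloud service as it would appear in an (assumed) asset inventory export."""
    name: str
    primary_region: str
    backup_regions: list        # regions holding backups; empty means no backups
    backup_retention_days: int
    log_retention_days: int     # retention of change/audit logs (Integrity)
    alerting_enabled: bool
    alert_recipients: list      # who receives degradation alerts

@dataclass
class Requirements:
    """Business service-level requirements agreed with the auditee (assumed values)."""
    min_backup_retention_days: int
    min_log_retention_days: int
    allow_same_region_backups: bool

def assess_service(svc: Service, req: Requirements) -> list:
    """Return a list of finding strings; an empty list means every test passed."""
    findings = []
    if not svc.backup_regions:
        findings.append("no backups configured")
    elif set(svc.backup_regions) <= {svc.primary_region} and not req.allow_same_region_backups:
        findings.append("backups stored only in primary region")
    if svc.backup_retention_days < req.min_backup_retention_days:
        findings.append("backup retention below requirement")
    if svc.log_retention_days < req.min_log_retention_days:
        findings.append("change log retention below requirement")
    if not svc.alerting_enabled:
        findings.append("no degradation alerting configured")
    elif not svc.alert_recipients:
        findings.append("alerting configured but no recipients")
    return findings

def audit(inventory: list, req: Requirements) -> dict:
    """Map each service name to its findings, keeping only services with at least one."""
    return {s.name: f for s in inventory if (f := assess_service(s, req))}

# Constructed sample inventory: one compliant service and one with several gaps.
REQ = Requirements(min_backup_retention_days=30, min_log_retention_days=365,
                   allow_same_region_backups=False)
INVENTORY = [
    Service("orders-db", "eu-west-1", ["eu-central-1"], 35, 400, True, ["sre-oncall"]),
    Service("billing-api", "eu-west-1", ["eu-west-1"], 7, 90, True, []),
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY, REQ).items():
        print(name, "->", "; ".join(findings))
```

Each finding maps back to a specific question in the Availability or Integrity discussion, so the output can be attached directly to the control being tested.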
Going back to Chapter 1, Cloud Architecture and Navigation, where we discussed shared responsibility and the role of a cloud auditor, we must keep in mind that some of these controls may not be owned or configurable by the enterprise. The cloud service provider may be responsible for some portion of the controls, and it is important to review any agreements for this. Although the cloud service provider may take a level of responsibility, the enterprise still has accountability for effectively controlling risk in their IT and business operations, which may necessitate additional controls above and beyond what the cloud service provider takes responsibility for.