Preparing to perform a cloud assessment
As an auditor, you are performing a critical role in assessing cloud controls. According to several reputable organizations, most cloud security failures and breaches are due to misconfigurations. Diligent and thorough auditing can help you identify those misconfigurations so that they can be addressed and the associated risks can be remediated. Like many other IT audits, performing a cloud assessment begins with a foundation of IT general controls. A gold standard reference for IT general controls is ISACA's COBIT. In the cloud context, you need to establish other referential and ancillary frameworks that will help with establishing an audit program that is specific to the cloud. The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) is one of the leading cloud-specific frameworks. More information on additional frameworks will be shared in the Auditing frameworks and governance section later in this chapter.
In preparing to start your enterprise cloud assessment, you must determine the management objective of this audit. The objective of the audit will be determined through discussion with the management of the cloud customer. Document the stated business purpose for which the cloud environments and services to be audited exist. Not only does this help determine the approach that should be taken with the audit, but this will also determine the most relevant frameworks to be utilized, as well as the scope of controls to be assessed as you begin to build an audit plan that effectively covers the in-scope components of the enterprise cloud environment(s).
The next step is understanding the cloud service model (IaaS, PaaS, or SaaS) and deployment model (public, private, community, or hybrid) to enhance the context and further define the scope. The cloud service model identifies to what extent resources are managed by the cloud customer in comparison to the cloud service provider (the shared responsibility model). As a cloud customer moves from SaaS to PaaS to IaaS, their responsibility accumulates and so does the risk. For example, in SaaS, the cloud customer is not responsible for applying security patches to the application, but in IaaS, the cloud customer is responsible for applying patches to any application installed on the infrastructure.
In addition, the cloud deployment model defines the specific type of cloud environment based on ownership, as well as the cloud’s nature and purpose.
The next essential area will involve gathering security and compliance artifacts and documentation from the cloud service provider. Each of the big three cloud service providers – AWS, Azure, and GCP – provide on-demand access to security and compliance reports for the products and services that they run.
In AWS, these reports are available in Amazon Artifact: https://aws.amazon.com/artifact/.
In Azure, the reports are available in Microsoft Trust Center: https://www.microsoft.com/en-us/security.
Finally, in GCP, the reports are available in Google Compliance Reports Manager: https://cloud.google.com/security/compliance/compliance-reports-manager.
Reports available include Service Organization Control (SOC) reports, International Organization for Standardization (ISO) reports, and certifications from accreditation bodies, among other documentation. For audits related to the trust services criteria (security, availability, processing integrity, confidentiality, or privacy), the IT auditor should review a SOC 2 Type 2 report. For audits related to internal control over financial reporting, the IT auditor should review the SOC 1 Type 2 report.
Confirm if there is an existing cloud-related framework in use or work with stakeholders to identify a framework that incorporates cloud-specific functions. The CSA CCM is one of the leading cloud-specific frameworks that the IT auditor can utilize. (More on industry frameworks that can be used is covered in the Auditing frameworks and governance section later in this chapter.) In alignment with other IT audits, you will need to review the risk register, previously assessed controls, and previous audit results. Identify if anything has changed in the risk management approach and if any previously assessed components have been newly migrated to the cloud.
If any compensating controls have been identified, are they still relevant based on any new or changed operations within the cloud environment? Determine if the controls are operated manually or automated and if that has changed since the last time a formal audit was conducted. Here, you will also want to access and review the cloud provider's SLAs, compliance reports, and audit attestations (such as a SOC 2 Type 2 report and the provider's service trust reports), as well as the contract agreements. Compare these with the customer's controls list and risk register to identify coverage and ownership of controls for the customer-identified risks related to cloud applications and services. For both the IT and business processes now performed in a cloud system, does the current control list adequately cover the identified risks, their risk classification, exposure, and plans to address them? As cloud services often change, determine if the testing procedures noted are still accurate or if any updates are needed.
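As an added illustration (not code from the book), here is a small Python model of the ownership and coverage check just described, combined with the shared responsibility model from earlier in this section: a simplified responsibility matrix (an assumption for illustration, not any provider's published matrix) maps each risk register entry to the party that must operate the control under the service model in use, and the customer's controls list is then compared against it to flag missing controls and ownership that does not match the service model. The risk and control rows are constructed sample data.

```python
from dataclasses import dataclass

# Simplified shared-responsibility matrix (an assumption for illustration, not any
# provider's published matrix): which party owns each control domain per service model.
RESPONSIBILITY = {
    "os_patching":         {"IaaS": "customer", "PaaS": "provider", "SaaS": "provider"},
    "app_patching":        {"IaaS": "customer", "PaaS": "customer", "SaaS": "provider"},
    "identity_access":     {"IaaS": "customer", "PaaS": "customer", "SaaS": "customer"},
    "data_classification": {"IaaS": "customer", "PaaS": "customer", "SaaS": "customer"},
}
@dataclass
class Risk:               # one row of the cloud customer's risk register
    risk_id: str
    domain: str
    service_model: str    # "IaaS", "PaaS" or "SaaS"
@dataclass
class Control:            # one row of the cloud customer's controls list
    control_id: str
    domain: str
    owner: str            # "customer" or "provider"
    evidence: str         # e.g. "SOC 2 Type 2 report" or "IAM role export"
def expected_owner(risk):
    # Who must operate the control for this risk under the service model in use.
    return RESPONSIBILITY.get(risk.domain, {}).get(risk.service_model, "unknown")
def assess_coverage(risks, controls):
    # Returns {risk_id: (expected_owner, status)} for every register entry.
    result = {}
    for r in risks:
        owner = expected_owner(r)
        same_domain = [c for c in controls if c.domain == r.domain]
        aligned = [c for c in same_domain if c.owner == owner]
        if owner == "unknown":
            status = "GAP: domain not in responsibility matrix"
        elif aligned:       # control exists and is operated by the right party
            status = "covered by " + ", ".join(c.control_id for c in aligned)
        elif same_domain:   # control listed, but the other party owns it under this model
            status = "MISALIGNED: ownership does not match " + r.service_model
        else:
            status = "GAP: no control"
        result[r.risk_id] = (owner, status)
    return result
def open_items(coverage):
    # Risk IDs still needing auditor follow-up: gaps and misaligned ownership.
    return sorted(k for k, (_, s) in coverage.items() if s.startswith(("GAP", "MISALIGNED")))
# Constructed sample data, not from any real audit.
SAMPLE_RISKS = [Risk("R1", "os_patching", "IaaS"), Risk("R2", "app_patching", "SaaS"),
                Risk("R3", "os_patching", "SaaS"), Risk("R4", "data_classification", "PaaS")]
SAMPLE_CONTROLS = [Control("C1", "os_patching", "customer", "patch compliance export"),
                   Control("C2", "app_patching", "provider", "SOC 2 Type 2 report")]
```

Running `assess_coverage(SAMPLE_RISKS, SAMPLE_CONTROLS)` shows R3 as misaligned (the register still lists a customer-operated OS patching control for a SaaS service, where the provider's SOC 2 evidence should be relied on instead) and R4 as an uncovered customer-owned risk.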
As the next step, get an inventory of the cloud applications in use by both business and IT individuals to fully vet which cloud applications and services are in scope for the audit. A comparison should be made of the controls within the IT network and integration architecture that includes the cloud applications and services. In addition to understanding third-party integrations, APIs, and workload identities impacting the network and integration architecture for the cloud systems, it’s also key to understand the criticality of the data, what types of data flow in and out of cloud applications and services, how that data is accessed and processed, and where this data is stored either short or long term within a cloud environment. Be sure to also review the company policies and procedures for IT and cloud computing applications and services to identify any separation-of-duties requirements related to cloud infrastructure components, system access, and data processing that must be enforced at a technical controls level. You should also request information on the roles, responsibilities, and procedures related to supporting, configuring, and using cloud services, as well as responsibilities related to establishing new cloud services and performing billing operations.
As part of the initial audit interviews you would be conducting, you should ask specifically about cloud service points of contact. With the dynamic and self-serve nature of cloud applications and services, functions that were traditionally considered IT responsibilities may now be performed by someone with a traditional business role or title. An auditor should not assume an individual in IT is responsible for the configuration or operational maintenance of a cloud service.
When gathering foundational and control test items, you may have the ability to gather some of this information yourself directly from the cloud application or service through an auditor or view-only role. In some cases, an auditor role may provide limited privileges for you to view information for specific areas only and restrict you from others. Some view-only capabilities within cloud environments may require elevated rights, which means working with the appropriate administrator of that service to pull the information needed. This book is a guide to knowing what questions to ask and will provide specific guidance on which areas within the cloud environments you should expect to see evidence from based on the control area(s) you are assessing. In summary, here is the checklist for preparing to audit the cloud:
- Define audit objective
- Understand the cloud service and deployment model to define the scope
- Gather security and compliance artifacts and documents from the cloud service provider
- Adopt and tailor a cloud-specific framework
- Identify the current controls and risks
- Get an inventory of cloud applications
- Understand cloud integrations and data flows
- Obtain cloud customer policies, standards, and procedures
Now that we’ve covered the preparation needed to begin a cloud audit, let’s look at techniques for understanding how to effectively map IT general controls to enterprise cloud environments.