As a relatively recent trend, the industry is still settling on the definitions of cloud computing. Gartner defines it as 'a style of computing that provides scalable and elastic, IT-enabled capabilities "as a service" to external customers via Internet technologies.'
The National Institute of Standards and Technology (NIST) defines cloud computing as 'a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.'
Although cloud computing and outsourced operations can provide benefits to a company in terms of cost and resource efficiency, they also introduce additional risks, as the company gives up control over its data and IT environment.
Primary Models of Cloud Computing:
The key concept to understand is the three primary models of cloud computing. These three models are broadly accepted as:
- Software as a Service (SaaS)
- Platform as a Service (PaaS)
- Infrastructure as a Service (IaaS)
Although these are the primary models for cloud computing, an increasing number of variations, or 'hybrids', are being adopted by clients.
Cloud Security Responsibilities:
Just because clients have migrated their applications or infrastructure to the Cloud does not mean that they are no longer responsible for the security of their data or IT systems.
IBM has identified the security responsibilities in each of the three models, split between the client/consumer and the service provider.
As IBM has demonstrated, the clients/consumers of Cloud Computing remain responsible for security in whichever model they have chosen. Therefore, IT auditors must test the IT security controls that are the responsibility of the clients/consumers.
It is worth noting that clients often offer the excuse that their 'right to audit' is unclear under the outsourcing agreement and, more often than not, that they do not have the right to audit. However, clients are ultimately responsible for the security of their data and IT systems. Therefore, it is important to robustly cover all the risks.
Minimum IT Audit Skills Requirements (per ISACA):
Cloud computing incorporates many IT processes. As the focus is on information governance, IT management, network, data, contingency and encryption controls, the audit and assurance professional should have the requisite knowledge of these issues. In addition, proficiency in risk assessment, the information security components of IT architecture, risk management, and the threats and vulnerabilities of Cloud Computing and Internet-based data processing is required. Therefore, it is recommended that the audit and assurance professional conducting the assessment has the requisite experience and organisational relationships to effectively execute the assurance processes. As Cloud Computing is dependent on web services, the IT auditor should have at least a basic understanding of the Organization for the Advancement of Structured Information Standards (OASIS) Web Services Security (WS-Security or WSS) standards.
It is also important that the IT auditor has sufficient functional and business knowledge to assess alignment with the business strategy.
Wake-up call for all IT Auditors:
Too often, IT auditors rely entirely on Third Party Audit (TPA) reports for assurance over Cloud-based systems. Typically, IT auditors take the firm's outdated IT audit questionnaire for IT external audits and find that the client has migrated all of its applications or infrastructure to the Cloud. They realise that the IT audit questionnaire is not 'fit for purpose' for modern digital and Cloud-based technologies. As a way out, they decide to rely entirely on the TPA report without doing any testing. This is primarily due to a lack of understanding of the primary models of Cloud Computing and of Cloud Security Responsibilities. The TPA report may only cover the security responsibilities of the service provider and not those of the clients/consumers.
Audit firms have not adapted to the changes:
I have worked for all the Big 4 firms, Grant Thornton and Mazars in London, UK in the field of IT Audit for the past two decades. In my view, with the exception of Deloitte, most other firms have not adapted their IT audit approach to the significant changes in technology and still use the standard IT audit questionnaire (some of these were developed some 20 years ago) to audit modern technologies. I am not arguing that IT audit questionnaires are irrelevant; however, I strongly believe that these questionnaires, adequately supported by technology tools, are what is required for an effective IT audit. Some of these firms do not use any automated tools for IT audit and complete the IT audit entirely using these outdated questionnaires. In my experience, a number of IT auditors are not provided with the necessary training in modern technologies.
Inadequate Training Investment:
Audit firms are reluctant to invest adequately in training their IT auditors in current digital and Cloud technologies. These firms provide numerous awareness sessions but do not actually offer adequate training in highlighting the risks, who is responsible for mitigating them, how to test the controls relevant to these risks, and the technology tools that support efficient auditing. Some firms fear that offering training in modern technologies to IT auditors will result in them leaving the firm. This is a false argument and I quote Sir Richard Branson below:
The IT audit profession should wake up to the fact that it needs adequate and relevant training and skills to address the challenges of auditing Cloud Computing. The IT audit questionnaire needs to be tailored to incorporate the various regulatory and standards requirements, supported by technology tools. Based on the Cloud Computing model and the security responsibilities, the IT audit approach should be tailored to meet the audit objectives.
Author & Disclaimer:
Hari Iyer's qualifications include Chartered Accountant, CISA, MBA, Chartered FCSI and Fellow CPA. He is a senior technology audit professional with over 25 years of IT audit experience, partly gained at Big 4 audit firms in London. He has significant experience in IT audit, SAP, Gaming technologies, Cloud-based solutions, Cybersecurity, Digital technologies, and Governance, Risk & Compliance. The opinions and views expressed in this article are the personal views of the author and do not represent the views of the employer(s) or organisations that the author is associated with.
Reference & Guidance:
A number of ISO standards, as well as ISACA, AICPA and other regulatory bodies, provide guidance and requirements for auditing Cloud Computing; however, IT auditors still need to understand their clients' Cloud-based systems and tailor their IT audit questionnaires accordingly. Some of the standards include:
- ISO 27001 is a widely-adopted global security standard outlining the requirements for information security management systems and provides a systematic approach to managing company and customer information based on periodic risk assessments.
- ISO 27017 gives guidelines for information-security controls applicable to the provisioning and use of cloud services, as well as implementation guidance for both cloud service providers and cloud service customers.
- ISO 27018 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO 29100 for the public cloud computing environment.
- ISO 22301 provides requirements for the planning, establishment, implementation, operation, monitoring, review and maintenance of business continuity management systems (BCMS) within an organization. A BCMS helps an organization prepare for, protect against and recover from disruptive incidents when they arise.
- AICPA - A SOC 1 report focuses on controls at the service organization that would be useful to user entities and their auditors for planning a financial statement audit of the user entity and evaluating internal control over financial reporting at the user entity. SOC 2 and SOC 3 reports focus on the service organization's system description and controls in accordance with specific criteria related to availability, security and confidentiality. SOC 2 includes auditor testing and results, while SOC 3 is a summary of the SOC 2 report that is available for public use.
- To ensure consistent standards for merchants, the Payment Card Industry Security Standards Council established the Payment Card Industry (PCI) data security standards. These standards incorporate best practices to protect cardholder data, and they often require validation by a third-party Qualified Security Assessor (QSA).
- The Information Security Registered Assessors Program (IRAP) is an initiative created by the Australian Signals Directorate (ASD) to provide high-quality information and communications technology services to the government in support of Australia’s security. IRAP provides the framework to endorse individuals from the private and public sectors to provide cyber security assessment services to Australian governments.
- The Cloud Computing Compliance Controls Catalog (C5) introduced by the German Federal Office for Information Security (BSI) is a cloud-specific attestation scheme that outlines the requirements cloud service providers must meet in order to ensure a minimum security level of their cloud services. C5 elevates the demands on cloud providers by combining existing security standards (i.e., ISO 27001) with additional requirements for increased transparency in data processing.
- The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within cloud computing. One of the mechanisms the CSA uses in pursuit of its mission is the Security, Trust and Assurance Registry (STAR), a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings.
- ISACA - ITAF (A Professional Practices Framework for IS Audit/Assurance) - ITAF is focused on ISACA material and provides a single source through which IS audit and assurance professionals can seek guidance, research policies and procedures, obtain audit and assurance programmes, and develop effective reports.