As financial service and financial technology companies move critical infrastructure to the cloud, they have a shared responsibility with cloud service providers (CSPs) to safeguard sensitive information. Regulators are becoming more prescriptive in their oversight of cloud operations, revealing a gap between regulatory expectations and a frequent lack of clarity among CSPs and institutions about whose responsibility it is to meet them.
On April 30, 2020 the Federal Financial Institutions Examination Council (FFIEC) issued guidance formalizing effective cloud risk management principles. The principles themselves aren’t new: many have been highlighted previously by the CSPs and by independent industry organizations such as the Center for Internet Security (CIS). In light of the gap, however, and the fact that this is the first formal guidance from the FFIEC on cloud security, we wanted to offer some thoughts on common cloud misconceptions and on how internal audit functions can provide assurance on their institutions’ use of cloud computing environments, not only during cloud migration but on an ongoing basis.
Failure to understand the division of responsibilities between the financial institution and the CSP may result in an increased risk of operational failures or security breaches. Processes should be in place to identify, measure, monitor and control risks associated with cloud computing. To this end, audit needs to widen its approach. Performing one “Cloud Operations” audit to address the numerous risks that the use of cloud computing poses is not enough. The cloud includes multiple risk domains which may require multiple cloud-specific audits and/or encapsulating cloud-specific control areas when performing routine audits, such as Change Management and Logical Access, for example. The audit cycle should be reevaluated and adjusted, where applicable, for all auditable entities that have cloud-specific risks.
Who Owns What: Understanding Responsibility
As a first step, IT needs to identify and inventory all the services that the financial institution consumes from a CSP. For each service, institutions and the CSP should clearly understand and define each party’s service level expectations and control responsibilities — for example, configuration and management of system access, security monitoring and vulnerability scanning, system updates and patch management, etc. For responsibilities that reside with the CSP, the institution needs to gain assurance from the CSP that it has controls in place which are adequate and able to be monitored. Ultimately, the institution should determine if there is a need for controls in addition to those a CSP contractually offers to maintain security consistent with the organization’s standards. If responsibilities remain with the institution, then it is up to the institution to define and build those controls.
Control design and sampling guidance for effectiveness testing should be adjusted to include sufficient coverage of internally managed and cloud-hosted systems and applications. For areas where cloud-specific audits are required, a defined and comprehensive audit work program should be developed to align with the organization’s cloud strategy. Example control considerations include an assessment of how the CSP executes data destruction and sanitization practices to prevent unauthorized disclosure of information; an evaluation of interoperability and portability of data and services in accordance with the organization’s risk appetite and contracted service model; and the review of third-party assurance reports to assess the CSP’s management of virtual infrastructure — to name a few.
Vendor-generated assurance reports (e.g., SOC 2), though they contain important information on cloud vendor security practices, may only be one component of an effective cloud security and control plan. Institutions should not assume that effective security and resilience controls work simply because a vendor says they are present. For example, a vendor may say it has recovery capabilities, but those capabilities need to be evaluated and tested periodically, along with incident response plans, to ensure the uninterrupted access and protection of critical information under a variety of scenarios, including such unlikely but obviously possible extremes as a global pandemic requiring global remote working with limited facilities access. Further, institutions must understand the unique aspects of every service they procure from the CSP and determine what recovery capabilities they themselves are responsible for.
Institutions should regularly test controls for critical systems and evaluate technical, administrative and physical security controls supporting systems and information assets residing in the cloud. Example areas of audit include:
- Data governance
- Cloud business continuity planning (BCP) governance
- Infrastructure as code
- Automated cloud service provisioning
- Logging and monitoring
- Investigative/forensic support
Due to the increased number of detailed control tests required, institutions should embrace the use of automated tools and methods, such as hard-coded compliance rules to build control requirements into cloud computing systems; continuous monitoring of production systems for changes that violate requirements; and smart workflows (i.e., intelligent automation) that automatically trigger remediation upon the detection of any deviation from requirements. These are relatively new tools and may require additional training for auditors to understand how to utilize them effectively. The key here is being able to meet the demand for additional sophisticated and time-consuming assurance without overwhelming internal audit resources.
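The automated approach described above (hard-coded compliance rules, continuous monitoring for drift, and automatic remediation triggers) as an added illustration that is not from the article or from any CSP's tooling: a small policy-as-code checker run over a constructed resource inventory. The resource attributes, the four rules and the remediation callback are assumptions chosen for the example.

```python
"""Illustrative policy-as-code checker (added example, not a CSP API).
Evaluates a constructed cloud resource inventory against hard-coded control
requirements, detects drift between runs, and triggers remediation."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Resource:
    name: str
    kind: str          # assumed resource types, e.g. "storage" or "database"
    public: bool       # reachable without authentication
    encrypted: bool    # encryption at rest enabled
    logging: bool      # access logging enabled
    tags: tuple = field(default_factory=tuple)  # (key, value) pairs


# Constructed inventory standing in for what a CSP inventory call would return.
INVENTORY = [
    Resource("cust-statements", "storage", False, True, True, (("owner", "finops"),)),
    Resource("marketing-assets", "storage", True, False, False, (("owner", "mktg"),)),
    Resource("ledger-db", "database", False, True, False, ()),
]

# Hard-coded control requirements: (rule id, predicate true when compliant, fix).
RULES = [
    ("no-public-access", lambda r: not r.public, "remove public access policy"),
    ("encrypt-at-rest", lambda r: r.encrypted, "enable encryption at rest"),
    ("access-logging", lambda r: r.logging, "enable access logging"),
    ("owner-tag", lambda r: any(k == "owner" for k, _ in r.tags), "assign an owner tag"),
]


def evaluate(inventory):
    """Return (resource name, rule id, remediation) for every violated rule."""
    return [(r.name, rid, fix) for r in inventory for rid, ok, fix in RULES if not ok(r)]


def drift(previous, current):
    """Continuous-monitoring view: violations present now that were absent last run."""
    return sorted(set(current) - set(previous))


def remediate(violations, apply_fix):
    """Trigger the remediation workflow for each violation; returns actions taken."""
    return [apply_fix(name, fix) for name, _rid, fix in violations]


if __name__ == "__main__":
    for name, rid, fix in evaluate(INVENTORY):
        print(f"{name}: violates {rid} -> {fix}")
```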
The FFIEC’s publication reinforces the idea that moving to the cloud does not outsource responsibility for internal controls. It is management’s job to verify the efficacy and limitations of CSP controls and to determine what additional controls are required to maintain security consistent with the financial institution’s standards. As the last line of defense, it is the responsibility of internal audit to assess whether management has sufficiently defined controls for the cloud computing environment. Internal audit may need to incorporate more cloud-specific IT audits and implement new cloud-specific automated tools. With many companies adding even more cloud functionality to accommodate the remote working requirements necessitated during the pandemic, now would be a good time to review the FFIEC guidelines and determine what additional controls, audit tools and procedures may be required.