Cloud adoption surged in 2020, driven by COVID-19 disruption and the need to quickly shift to a remote-work footing. That pace is expected to accelerate in 2021 as more and more companies make the move to a cloud environment, hoping to achieve the cost savings, operational flexibility and on-demand scalability of infrastructure as a service (IaaS) that others have already experienced.
As organizations migrate their data centers — servers, software and applications — to the cloud, internal audit teams must adapt their audit procedures to ensure that compliance and governance controls remain effective regardless of where data resides.
Most internal audit teams approach cloud audits by performing targeted tests on specific capabilities within the cloud environment, such as change management, security or operational resilience. These tests might occur as part of an overall IT general controls-type audit or perhaps as part of a targeted capabilities audit.
With either approach, however, it is important to audit holistically when working in a complex infrastructure — to follow data through the entire environment, both on-premises and in the cloud, paying special attention to transfer points, which tend to be the areas most vulnerable to attack.
This can be a complex process, especially during migration, when companies may be operating a hybrid configuration of servers and applications with data moving back and forth between on-premises (or co-located) data centers and the cloud.
For example, an audit plan for change management might need to be rescoped to include new cloud infrastructure and any interfaces where data might cross over from one system to another. Conversely, an audit team performing a cloud-only audit might want to remove change management from the scope of that audit and reassign the tests to be performed as part of a holistic change management audit.
Internal auditing is all about frameworks and leading practices. Foundations Benchmarks, created by the Center for Internet Security (CIS), are the gold standard for foundational cloud controls. That is a good place for auditors to start, along with any well-architected framework documentation and cloud service-specific guidance from the cloud vendors.
At Protiviti, we have developed a comprehensive audit approach based on those sources to help guide the discussion. Let’s take a look at them.
- Control standard review
Before an auditor can determine whether relevant controls have been comprehensively deployed, it is important to determine what controls were selected by the organization.
In interviews, it is common for internal auditors to ask what standard was used by IT to determine the controls established for the environment. The most common cloud-specific control standard is the CIS Cloud Foundations Benchmark. Most cloud service providers (CSP) will also publish provider-specific security and configuration leading practices. Beyond the cloud-specific standards, many auditors rely on the CIS Critical Security Controls.
- Comprehensive deployment
Moving to the cloud is a learning experience. A cloud environment is API-driven, so everything can be codified. This allows organizations to programmatically create and deploy resources and stand up new environments, which gives them a lot of flexibility and agility to respond to business needs and operate at a faster scale and lower cost than previously possible.
One challenge that a number of organizations have is inconsistency in the way they configure those services. As a result, the controls already baked into the system may not be comprehensively deployed. For instance, it is not uncommon for an auditor looking into the logging of network traffic to find that a handful of accounts or virtual private clouds (VPC) failed to enable such logging during deployment.
Encryption configuration errors are another fairly common mistake. What often happens in these instances is that a procedure is established upfront, perhaps by a consultant or vendor, and somewhere along the way an important step is forgotten or inadvertently skipped.
A quality cloud audit looks for these anomalies, often through interviews and a review of documentation related to the company’s current cloud adaptation approach and relevant business and IT priorities. It is also possible in the case of API-driven systems for an auditor to programmatically query the environment. The auditor can ask all the resources, “Are you configured with this setting?” and the system will tell them.
- Configured with corrective action
Former President Ronald Reagan was known to say, “Trust, but verify.” Once an auditor has determined what controls are supposed to be in place and the standards that were used to select those controls, it is important to identify the process by which IT monitors those controls and what corrective actions procedures are in place to remediate control failures.
In other words, an auditor might ask, “You say you’re looking for control configuration anomalies; what do you do when you find one?”
Corrective actions in the cloud can be traditional, such as when a ticket is filed, and someone works the ticket when it comes up in the queue. Or they can be automated, such as in the case of private, stored data inadvertently made public. An automated control can detect and correct the issue in a matter of minutes, versus weeks or months, perhaps avoiding an embarrassing or expensive privacy violation.
Internal auditors need to validate that the appropriate alert mechanisms are in place and working, and that appropriate personnel are being notified to take corrective action.
One of the great things about a cloud environment is that it enables rapid elasticity of services. Companies are growing accustomed to the freedom of being able to scale and update simply by switching to a newer or bigger server. That can be a big relief after years of having to maintain, patch and care for an on-premises system. That blessing, however, can also be a curse if the policies and standards that the organization has written don’t reflect the different way of operating in the cloud — and those differences could pose compliance risks.
On the other end of the spectrum, some companies fail to avail themselves of all the vendor and third-party provided tools that could help them secure their cloud environments, and waste time and money reinventing the wheel, going it alone and missing out on significant value.
Finally, even though cloud environments are often used specifically to simplify remote access for authorized users, some companies, in providing that convenience, have inadvertently created threat vectors for direct system access by unauthorized users. Best practices prohibit direct access via public internet and use some kind of escalated user credentialing, such as two-factor authentication or tokenization, to ensure that only the right people have access.
Time to plan
There is no magic bullet to running well-governed cloud environments. Cloud defense and ensuring that data security and privacy controls are effective require a creative and tactical mindset. More importantly, it requires a plan. And planning, as it happens, is what internal auditors do best.
This article was originally published in Footnote, the official magazine of the MNCPA. It is used with permission.