As customers move their data or applications to a cloud platform, they want assurance the cloud service provider (CSP) they choose will keep their data secure. Security solution providers who currently offer audits
Four steps in a cloud computing audit
Rapid advances in cloud services have generated many on-demand and scalable benefits. At the same time, however, cloud computing has significant and unprecedented risks related to the security of information as well as a loss of control over the IT infrastructure.
Security solution providers, in their role as auditors, can provide an independent audit of a CSP’s policies, procedures, security measures and practices for safeguarding electronic information against unauthorized disclosure, alteration or denial of availability. They can evaluate the cloud service provider’s security and offer recommendations for reducing security risks to an acceptable level.
Auditing a CSP involves the following steps:
- Plan and prepare – become familiar with the CSP and its products and services.
- Establish audit objectives – determine the audit scope (will it be a general security audit, or will it include auditing for compliance with certain industry regulations?), review audit areas and desired deliverables.
- Perform the audit – evaluate the CSP’s security controls against standards, guidelines and frameworks, and collect evidence to support findings and audit objectives.
- Create the audit report – summarize findings, prioritize risks and deliver the report.
Cloud computing audit: Standards, frameworks and guidelines
The solution provider’s proposal to audit a CSP should include references to appropriate standards, audit frameworks and guidelines that will provide a systematic approach to securing and assessing systems and services during the audit.
Some of the standards, frameworks and guidelines that auditors use in security audits include:
- ISO 27001/27002 standards
- Control Objectives for Information and Technology (COBIT) framework
- ISACA’s IT Assurance Framework (ITAF)
- IT Audit and Assurance Guidelines
- SysTrust and WebTrust frameworks
Depending upon the services provided by the CSP, the security solution provider should also look to the Cloud Security Alliance (CSA) for guidelines on cloud computing security and security assurance. Examples of CSA’s resources include:
- Security Guidance for Critical Areas of Focus in Cloud Computing (.pdf): Organizes best practices into specific domains and provides information on compliance and audit, data center operations, incident response, application security, identity and access management, encryption, virtualization and other important issues.
- Top Threats to Cloud Computing (.pdf): Helps organizations make educated risk management decisions regarding cloud adoption strategies.
- GRC Stack: An integrated suite of three CSA initiatives: CloudAudit, Cloud Controls Matrix and Consensus Assessments Initiative Questionnaire. The toolkit assesses cloud computing services against best practices, standards and compliance requirements.
For compliance audits, the security solution provider may need to evaluate the CSP against regulatory requirements such as the Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX) and others.
Deciding which standards, frameworks and guidelines to use in the audit is an important part of the auditor’s job. Most of the time, the auditor can look at the customer’s industry, check with special interest groups to see what others are doing, and work with the customer to establish the benchmark that will be used for the audit. Alternatively, the auditor may draw on past experience, knowledge and professional judgment to choose whichever standards, frameworks or guidelines are relevant to the audit’s scope.
The cloud computing audit process
During the audit, the CSP’s systems, people and processes are compared with the appropriate standards, frameworks, guidelines and compliance requirements. Deviations are “gaps” or risk areas that require additional analysis.
Once the evaluation and analysis are complete, an audit report is compiled, identifying the services performed, audit findings and recommendations for the customer. Findings are prioritized according to the likelihood of the event and the impact on the CSP and its customers, stakeholders, etc.
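The gap identification and prioritization described above can be mechanized once the control set and evidence are recorded in a structured form. The following is an added example, not code from the article or from Altius IT: it takes a list of framework controls (each optionally mapped to the regulations it supports), the evidence the auditor collected, and the regulations in scope, then reports every deviation as a finding scored by likelihood and impact. The control identifiers (IAM-01, ENC-02, ...), the evidence notes and the numeric scales and rating thresholds are all constructed for illustration; a real engagement would take its controls from the chosen framework (for example the CSA Cloud Controls Matrix) and its likelihood and impact values from the audit team’s analysis.

```python
"""Gap analysis and risk prioritization helper for a cloud audit (added example;
all control identifiers, evidence and scales below are constructed)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Qualitative scales; the numeric mapping is a constructed convention, not a standard.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
GAP_STATES = {"partial", "not implemented", "not tested"}


@dataclass
class Control:
    control_id: str                  # identifier in the chosen framework (constructed here)
    domain: str                      # e.g. "Identity & Access Management"
    requirement: str                 # what the framework expects
    regulations: List[str] = field(default_factory=list)  # regulations this control supports


@dataclass
class Evidence:
    control_id: str
    status: str                      # "implemented", "partial", "not implemented", "not tested"
    note: str                        # what the auditor observed
    likelihood: str = "possible"     # chance the weakness is exploited
    impact: str = "moderate"         # effect on the CSP and its customers


@dataclass
class Finding:
    control: Control
    evidence: Evidence
    score: int                       # likelihood x impact, 1..25
    rating: str                      # "high" / "medium" / "low"


def rate(score: int) -> str:
    """Map a likelihood x impact score to a rating band (thresholds are constructed)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def in_scope(control: Control, regs: Optional[Set[str]]) -> bool:
    """General security controls (no regulation mapping) are always in scope;
    regulation-specific controls only when that regulation is part of the audit."""
    if regs is None or not control.regulations:
        return True
    return bool(set(control.regulations) & regs)


def gap_analysis(controls: List[Control], evidence: List[Evidence],
                 regs: Optional[Set[str]] = None) -> List[Finding]:
    """Compare collected evidence against the control set; every deviation is a finding.
    A control with no evidence at all is reported as 'not tested' rather than silently passed."""
    observed = {e.control_id: e for e in evidence}
    findings: List[Finding] = []
    for c in controls:
        if not in_scope(c, regs):
            continue
        e = observed.get(c.control_id) or Evidence(c.control_id, "not tested", "no evidence collected")
        if e.status == "implemented":
            continue
        if e.status not in GAP_STATES:
            raise ValueError(f"{c.control_id}: unknown status {e.status!r}")
        score = LIKELIHOOD[e.likelihood] * IMPACT[e.impact]
        findings.append(Finding(c, e, score, rate(score)))
    # Highest risk first; ties broken by control id so the report order is stable.
    findings.sort(key=lambda f: (-f.score, f.control.control_id))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, object]:
    """Counts per rating and per domain, plus the ordered finding list for the report."""
    by_rating = {"high": 0, "medium": 0, "low": 0}
    by_domain: Dict[str, int] = {}
    for f in findings:
        by_rating[f.rating] += 1
        by_domain[f.control.domain] = by_domain.get(f.control.domain, 0) + 1
    return {"total": len(findings), "by_rating": by_rating, "by_domain": by_domain,
            "findings": [(f.control.control_id, f.rating, f.evidence.note) for f in findings]}


def sample_audit(regs: Optional[Set[str]] = None) -> List[Finding]:
    """Constructed control set and evidence for a small engagement."""
    controls = [
        Control("IAM-01", "Identity & Access Management", "MFA for administrative access", ["PCI DSS"]),
        Control("ENC-02", "Encryption", "Customer data encrypted at rest", ["PCI DSS", "HIPAA"]),
        Control("IR-03", "Incident Response", "Documented IR plan exercised annually"),
        Control("DC-04", "Data Center Operations", "Physical access to data halls logged", ["SOX"]),
        Control("LOG-05", "Logging", "Audit logs retained for one year", ["PCI DSS"]),
    ]
    evidence = [
        Evidence("IAM-01", "partial", "MFA enforced for console, not for API keys", "likely", "major"),
        Evidence("ENC-02", "implemented", "AES-256 volume encryption, keys in HSM-backed KMS"),
        Evidence("IR-03", "not implemented", "Plan exists but has never been exercised"),
        Evidence("DC-04", "implemented", "Badge logs reviewed, sample matched visitor register"),
        # LOG-05 deliberately has no evidence record: it must surface as 'not tested'.
    ]
    return gap_analysis(controls, evidence, regs)


if __name__ == "__main__":
    for f in sample_audit({"PCI DSS"}):
        print(f"{f.rating:6} {f.score:2} {f.control.control_id} [{f.control.domain}]: {f.evidence.note}")
    print(summarize(sample_audit({"PCI DSS"})))
```

Two design choices matter for the report. First, a control with no evidence is reported as a "not tested" gap rather than dropped, so the report cannot quietly pass a control the audit never reached. Second, scoping by regulation removes only controls that exist solely for an out-of-scope regulation; general security controls stay in the audit regardless, which matches the distinction the article draws between a general security audit and a compliance audit.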
Each audit engagement is unique, and it is important that the security solution provider’s services are aligned to meet the engagement’s audit objectives. Security solution providers that allocate resources to closely monitor security standards, frameworks and guidelines will have a more complete service offering and a competitive advantage over other firms.
The following resources may be helpful when auditing a CSP.
- Cloud Audit: Wiki (https://sites.google.com/a/cloudaudit.org/wiki/working-groups/tools)
- Cloud Security Alliance (https://cloudsecurityalliance.org/)
- Control Objectives for Information and Technology (http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx)
- Information Technology Assurance Framework (http://www.isaca.org/Knowledge-Center/ITAF-IT-Assurance-Audit-/Pages/default.aspx)
- ISO Standards (http://www.iso.org/iso/home.html)
- WebTrust and SysTrust (http://www.webtrust.org/)
About the Author
Jim Kelton is Managing Principal of Altius IT. Altius IT is an IT security audit and security consulting firm. Altius IT’s Certified Information Systems Auditors (CISA) and Certified Risk and Information Systems Controls (CRISC) experts help organizations reduce risks, keep sensitive information secure, and meet compliance requirements.
This was first published in September 2011