CLOUD SECURITY CONTROLS AND AUDIT METHODOLOGY
For any control and audit, there is a need for a reference point or compliance baseline, and cloud computing is no different. Cloud compliance requires meeting the specific requirements or criteria needed to obtain a certification or satisfy a framework. In cloud computing, the applicable types of compliance differ according to industry, request for proposal, client, etc. Providers such as AWS, Microsoft Azure, Google, etc. have been setting the tone in terms of compliance, security, and audit methodology. They have their own security controls in place, although a number of controls still remain the responsibility of the user to implement or enable. It is important to note that cloud service providers are generally committed to helping their users meet security frameworks and certifications in order to facilitate the control processes carried out by auditors.
Cloud auditing is the process carried out by a third party, an independent body, to obtain evidence through inquiry, inspection, observation, confirmation, and analytical procedures over the cloud design and the operational effectiveness of controls in a variety of areas. This is only possible by completing specific steps in communication, security incidents, network security, system development or change management, risk management, data management, vulnerability and remediation management, as well as obtaining the leadership's commitment to transparency and ethical behaviour.
However, this process is not without challenges. To follow any cloud audit methodology seamlessly, the prerequisite is to understand the scope of the environment. You need to establish whether the current risk assessment adequately captures the risks, and then you need to select the right corresponding sample as well. Among other steps, it is also required to test the historical data on the cloud in case no audit details are available.
Cloud auditing requires a methodology with specific goals and objectives. A strategic IT plan and the information architecture must be defined. This includes the networks, systems, and security requirements needed to safeguard the integrity and security of information. Then IT processes, organization, and relationships need to be established for a more stable IT environment. It is also important to assess and manage IT risks, security vulnerabilities, and regulatory obligations. Finally, vendor management security controls need to be identified.
The sample of objectives above should be considered, although it is worth mentioning that the list is far from exhaustive. More details can be found in the literature of the Information Systems Audit and Control Association (ISACA). ISACA is an independent, non-profit body which “engages in the development, adoption, and use of globally accepted, industry-leading knowledge and practices for information systems.” In a nutshell, its goal is to create a global standard for cloud computing audits and, by extension, for compliance and regulation.
Fortunately, cloud computing audits have become a worldwide standard. The digitalization of the world simply increases the need to mitigate the risk of cybercrime for all data hosted by cloud service providers. Users are increasingly conscious of the need to ensure that their data are safe. For these reasons they request various types of audits to reduce the risk of information being hacked and to ensure disaster recovery of data in case of any catastrophe, act of God, or unforeseeable event.