“The cloud” appears to be the next big thing in Corporate America, with advocates touting its potential to simplify IT infrastructure and lower costs. Cloud computing provides a way for companies to outsource everything from data storage to powerful service applications, paying only for what they use, scaling rapidly, and cutting IT costs in the process.

Yet for the internal auditor and compliance professional, the cloud raises significant data security concerns. Cloud computing also disrupts an organization's way of working by altering business processes, information flows, and (above all) the control individual departments exert over their IT systems.

The shift toward cloud services is more than a shift in technology. It fundamentally alters the way business and IT systems function. For internal audit, the challenge is that no cloud-specific security standards have yet been finalized, and no consistent method yet exists for auditing cloud services.

Consider: In the cloud, where a company's data may reside in and circulate among multiple data centers, how do you define data preservation? How do you preserve privacy and confidentiality? How do you apply a retention policy to records that are not in your custody?

Organizations have to consider the effect of cloud computing on their ability to meet regulatory requirements and on investigations, litigation holds, and related legal processes. Keep in mind that while the management of data can be delegated to a third party, ownership of the data, and the accountability that comes with it, remains with the organization itself.

What Is Cloud Computing?

Cloud computing refers to accessing pooled, server-based computing resources over a network (a WAN or the Internet, typically through a web browser). Users do not download and install applications on their own devices; processing and storage take place on the provider's servers rather than on the user's computer. This centralization gives the cloud service provider control over which versions of its browser-based applications clients use.

The cloud environment creates the following issues for the internal auditor to consider:

Do you know and trust your vendor? The organization must evaluate vendors on their financial viability as well as on their ability to deliver service quality, meet service-level agreements, and keep services and underlying technologies aligned with business requirements. What if the vendor providing your cloud services proves unreliable or financially unstable? What if there is a security breach and valuable intellectual property is exposed?

How do I audit or evaluate the security controls of the cloud-based infrastructure? If your direct access to audit the provider's controls is limited, are you willing to rely on the results of an audit performed by an independent third-party auditor? It is vital to define a clearly stated set of security requirements, derived from an information risk assessment, that a cloud services provider must meet.

Does your cloud provider meet the regulatory and compliance requirements that apply to your organization? Organizations need to ensure that their specific compliance requirements are met in order to mitigate their own risks; a generic statement of control compliance may be insufficient. Access to certain transactions, events, and audit logs may be critical for auditors, and the organization will want compliance requirements addressed in a manner that can withstand legal and regulatory scrutiny.

Does your organization understand the potential legal and compliance implications of managing data across borders? Conducting an investigation or searching data for e-discovery purposes will rarely be as straightforward as it was when companies knew where all their data was stored. In the cloud, data might be stored in multiple locations, or moved among them, without the corporate owner's knowledge.

That raises concerns about legal ownership, availability, and privacy whenever data crosses borders. Complicating matters is the practice among some cloud vendors of "sub-sourcing" their services to other cloud providers. Companies should include clauses in their service-level agreements that address investigative and e-discovery data preservation, with detailed descriptions of responsibility and liability.

Consider the implications of a security breach, or of being unable to access your own data quickly. Risks may come from external attackers, from internal employees, or from employees of the provider manipulating or stealing data. Before data is outsourced to a cloud provider, evaluate the risk that its exposure could damage customer confidence or competitive advantage, or violate compliance and regulatory requirements.

With a thorough data mapping and data classification the organization is in a much better position to develop a broad strategy of how to handle the cloud.

Many laws and rules (the Federal Rules of Civil Procedure, the Electronic Communications Privacy Act, the Gramm-Leach-Bliley Act, the European Union Data Protection Directive, and others) have not yet been updated to address the problems of a cloud-computing world. Fortunately, the compliance concerns associated with cloud computing appear to be well defined, and standards organizations such as NIST, ISO, the Cloud Security Alliance, and CloudAudit are working to address them.

How Internal Audit Can Help

While auditors and compliance officers have become familiar with cloud computing technology and the impressive cost savings it can bring, they have justifiably cautioned about its risks. New technologies take time to be adopted, and that time gives audit professionals the opportunity to revamp their mindsets, tools, and training programs to address the new challenges cloud computing presents.

Where internal audit can play a critical role is in understanding the organization's data: what it is, where it resides, and where it flows. The internal audit department often accumulates exactly this information while performing information security audits and risk assessments.

Before a cloud computing vendor is engaged, internal audit can support the task of classifying the various types of company data and then assessing their value and risk. An information risk assessment can determine which data can be stored in the cloud with relatively low risk (product names, store locations) and which would be far riskier to place there (patient medical records, customer credit scores).

Internal audit (IA) can also examine the associated risks before organizational data is entrusted to a cloud-based service. This review should cover all security controls across the information lifecycle, ensuring the confidentiality, integrity, and availability of data during creation, processing, transmission, storage, archival, and deletion.

Working with the IT department, IA can help ensure that the existing technology environment is well documented, versioned, and archived before any migration to the cloud. Application security measures that provide key control mechanisms can also be evaluated, for example checks that no backdoors, time bombs, or other malicious code have been embedded in application source code.

Together with the compliance officer, internal auditors can help develop company policies and procedures that educate the workforce on the risks of departments adopting cloud services on their own without taking privacy and security requirements into account. Combined with employee awareness, such a strategy lets the company monitor and enforce those policies more effectively. Ultimately, a clear understanding of the required security controls, grounded in security, operational, and business risks, can limit information silos and prevent pockets of data from accumulating in the cloud without anyone else's knowledge.

Some analyses have suggested that users of cloud-based Web security services achieved substantially better results than users of on-premise Web security implementations in the critical areas of security, compliance, reliability, and cost. While this is promising, organizations should still carefully assess the risks and make an informed decision before moving operations to the cloud, and ensure they retain an appropriate level of security and privacy protection.

Ultimately, the immense potential of cloud computing comes with added responsibility for those who wish to tap it. While cloud computing standards are still a vision for the future, the risks are understood, and the critical controls to address those risks can be defined today.