Moving on-premises data centre architectures onto the cloud is what organisations are doing in order to deliver additional value and to increase business agility. But businesses encounter serious risks from security incidents.
The threats to assets, application performance and critical business data, creates further risks such as availability, authentication and virtual exploit risks through virtualisation.
The vast majority of businesses have already adopted cloud computing. Information assets and data have drifted away from the complexity of being hosted on premises with a dedicated physical server and local client applications to the cloud and this trend is growing in momentum.
Constructing IT infrastructure in the cloud is a very different process from structuring a traditional network. Service level agreements (SLA) have become more concerned about connectivity and service availability. Therefore, organisations transformed and improved their service levels, reliability, return on IT investment and security, all by using cloud services.
Virtualisation platforms for public, private or shared cloud services, are now available widely. Service providers like Amazon Web Services and Microsoft Azure, provide all sorts of cloud solutions, from data storage to information processing services and applications.
Increased ability and agility
One of the main opportunities for businesses in moving to the cloud is the ability to work with a wider range of vendors providing highly specialised solutions. There are many issues which heavily impact the choice of cloud vendors. The rate of growth, the ever changing and forthcoming business and organisational challenges, the compliance ecosystem, and the technology landscape all are important matters for businesses.
These issues, as well as agile and ad hoc business, and organisational and technological challenges, can all create security and auditing difficulties for many businesses.
The cloud facilitates low-cost agile innovation, but at the same time brings its own challenges, including security and auditability concerns. Cloud enables a company or entrepreneur to create a new product or service on the internet without having access to huge capital investment. This includes servers, computers and full information system capability.
Nowadays, any business idea can go live in a very short space of time. However, this requires the availability of the security products. This concerns anything related to data. Data is the most worrying security issue in the cloud environment. It requires encryption and adequate management of data. Therefore, auditing the cloud has become a massive headache for organisations.
The auditing process is essentially an assurance function that depends on the type of audit. It requires the auditor to systematically examine proof of compliance to established criteria. Understanding of organisational functions allows the establishment of the scope of the auditing process by identifying and mapping IT infrastructure to those functions to provide the best suited controls for them.
The very same requirements apply to the cloud. However, as business functions shift into a cloud environment, new risks to systems emerge. This is as the result of differences between cloud architectures and systems hosted by traditional IT infrastructure. Cloud architecture introduces some very likely changes that will impose modifications to the auditing process and scope.
Thorough testing
Moving an IT function to the cloud does not mean that the controls which protected that function in the internal organisational infrastructure will be moved to the cloud. This function which will be hosted by the cloud vendor. For example, many organisations do not run encryption of data or strong authentication and access controls on their premises. Instead, they rely on the existing security and controls of their internal systems.
The lack of access controls and authentication will compromise the very same data when it moves to the cloud as the same process has not been considered over there. Many in-house developed applications have not been tested for common internet vulnerabilities as they are heavily relying on the internal security and controls of organisations. Therefore, they may be vulnerable to a variety of breaches, scripting, hacking and worms. These applications must be tested carefully and thoroughly to guarantee access controls and authentication process.
Identity management would be another area of concern as in internal and local networks this can be run from a single centrally controlled service model such as active directory Kerberos and OpenLDAP of Linux or Red Hat Directory Server. This may introduce new risks due to the complexity if they do not test to the auditor’s satisfaction.
Another important issue in the process of auditing the cloud is about endpoint security. Ordinary and traditional networks expect to have firewalls that allow them to provide endpoint security despite a workstation turning off the firewall services as they assume protection within organisational infrastructure, which can be compromised in the cloud environment.
Finally, the cloud servers are under maintenance and they get patched by the cloud vendors. Auditing the cloud should confirm and reaffirm that vendors maintain and patch the servers to address new risks. Organisations should work collaboratively and narrowly with the cloud vendors in that direction.
New changes bring new challenges
Cloud services, regardless of their type - hybrid, public, or private - bring crucial changes to the network and IT services in respect to audit scope and process. Organisations can only address this challenge by a close and collaborative communication with the cloud vendors.
There are some distinctively important control areas in the cloud such as control access, authorisation and trusted control frameworks, which differentiate the auditing process of the cloud to the internal infrastructure. This should be considered by auditors.
Cloud hosted services, data, infrastructure and applications create new challenges for auditors as data privacy should consider international laws as data moves from one location to the other one in various geographical positions.
As effective audits require appropriate scope and controls, this will be unique to every system, therefore, auditors should study cloud resolutions cautiously. Audit requires a clear solution to the conflict of interests and evidently assert findings and qualified opinions-based evidence and documentation. This is quite similar to the auditing process of traditional infrastructure.
The main difference in audit comes from the various deployment models, including private, public or hybrid, as well as service model. The service model includes software as a service (SaaS), infrastructure as a service (IaaS), and platform as a service (PaaS).
The main variances are in the public and hybrid models because they rely greatly on contracts and complex SLAs and compliance to those agreements. Therefore, planning and implementing an audit process must consider that the organisational network will use the internet, so, the controls and other relevant features should be appropriate to these conditions.
Achieving a balance
Functionality of organisations is dependant, quite profoundly, on IT services. This reliance moved on at an exponential rate to the cloud platform and that introduced a number of risks to IT and, consequently, to organisations.
Cloud provided a serious and fundamental change in the way business models work. Legal, reputational and financial costs are the risks of the failures of the system and it is very hard to be compensated if cloud deployment fails.
Whilst cloud solution create economic advantages, the risks for failure are severe. IT risks create business risks and a balance is required. So, the auditors must be able to remodel their approaches to new technology and novel methods.
Data is processed in order to make an accurate risk and audit assessment. Auditors should modify and familiarise themselves with new challenges, vulnerabilities and threats in the cloud environment. The new cloud control models that introduced by the Cloud Security Alliance, NIST, and ISACA and should be learnt and exercised by auditors. This also concerns those organisations who are required to constantly check up on the most current guidance associated with the above cloud-related frameworks or standards.
Organisations can achieve balance between business risk and opportunity if they invest in an appropriate, effective and adequate internal audit of their cloud deployment.
Further reading
- Alavi, R., Islam, S. and Mouratidis, H., 2015. Human Factors of Social Engineering Attacks (SEAs) in Hybrid Cloud Environment: Threats and Risks. In Global Security, Safety and Sustainability: Tomorrow’s Challenges of Cyber Security (pp. 50-56). Springer International Publishing.
- Pearson, S.,Yee, G., 2013. Privacy and Security for Cloud Computing. Springer, London.
- Hogan, M. & Sokol, A., 2011. NIST Cloud Computing Standards Roadmap. In: Commerce, U. D. O. (ed.). National Institute of Standards and Technology (NIST). [Cited January 2016].