XaaS — Everything as a Service: Legal, Compliance and Auditing

Xavier Gutierrez
4 min read · Jun 30, 2017


Cloud adoption, in any of its service and deployment models, is an opportunity for the infrastructure (and its associated processes) to be born with adequate governance and control, something the organization's legacy systems possibly never had. This is work that must be done before cloud computing and XaaS solutions are adopted, so the focus of the auditing areas must shift from corrective controls to preventive controls.

During the acquisition of services, the auditing areas will need to participate actively in that modeling and in the negotiation with the cloud service provider (CSP), whether directly or indirectly: defining (or adapting) standards and regulations, providing internal consultancy and recommendations, and finally helping to safeguard the aspects that matter to the acquiring organization, which is what guarantees a properly governed service. I refer to aspects such as:

• Which local or international regulations apply to the contracting company (or its suppliers) and must be included in the contracting terms.

• The possibility of auditing CSP controls and processes, including by independent auditors.

• The physical location of the data, or the independence of the environments where it is stored, in case compliance regulations restrict its location or at least require that the location be known.

• Safeguards and information protection mechanisms, including those that prevent attempts to gain illegitimate access from within the CSP or from external attacks.

• Availability of access to historical information (clients, transactions, access records) for the mandatory retention periods.

• Exposure of confidential data to third parties.

• Definition of which organization owns what data and what application logic, which APIs are used or configurations made, and the applicable rights and royalties that may eventually restrict use, access, or the ability to modify, port or integrate.

• The liability applicable to interruption of services or loss or theft of information.

• The processes and responsibilities for granting and managing access.

• The applicable processes for change and configuration management.

• CSP policies on “decommissioned” resources.

• Incident response mechanisms.

• Strategies for the continuity of operation and disaster recovery.

• Provision for the possibility of exiting the contract, and the conditions applicable in that case.

Systems auditors should refocus their role and develop additional competencies; they will need to understand the capabilities and risks associated with new technologies. Their contribution, as I have mentioned, will be relevant in the creation of a framework of controls, standards, risk identification and thresholds, which can then be used during implementation and operation.

Once in operation, it will not be easy (or even possible) to go into the details of how solutions housed in a supplier's facilities operate, and in fact that is not directly part of the auditors' duties; the approach should focus on measuring quantitative and qualitative factors of the service, together with the controls agreed upon during the contracting period.

There are already reference frameworks that organizations can use in their methodology, operational risk and auditing areas, with the objective of defining and negotiating procedures and controls that reduce the impact on the operation of failures, interruptions, poor service quality or exposures. Some of them are, for example: NIST SP 800-144, "Guidelines on Security and Privacy in Public Cloud Computing"; the "IT Control Objectives for Cloud Computing" (which collects practices applicable to cloud computing from frameworks and tools such as COBIT, Risk IT, Val IT and the Business Model for Information Security (BMIS)); or the CSA Cloud Controls Matrix v3.0.1.

I find the CSA matrix particularly valuable because it is an artifact that has been specifically defined with cloud computing models in mind and includes 133 specific and applicable controls. The authors also did an excellent job identifying the relationship of each control to different frameworks (such as COBIT, ISO/IEC 27001, HIPAA/HITECH Act, Jericho Forum, NIST, PCI DSS).

Standard audit evaluations such as the SSAE-18 / SOC 1 / SOC 2 / SOC 3 reports, or similar models such as those of the International Auditing and Assurance Standards Board (IAASB), are also perfectly applicable for assessing the suitability of cloud providers.

Finally, it is important to understand that risks cannot be seen as a whole: the chosen service and deployment models will condition, in different ways, the risks that are potentially generated. A gradual adoption, beginning with on-premise cloud deployments, would allow the organization to progressively build robust practices that prepare it for the time when it decides to adopt a public or hybrid cloud model. Another valid approach is to move to the cloud solutions and processes that are not mission-critical, or that do not expose sensitive client data; in this way the organization can develop better controls that will later allow it to move critical processes with greater confidence.


Xavier Gutierrez

Master of Information Technology Management from La Salle Business Engineering School (Barcelona, Spain) and ESAN Graduate School of Business (Lima, Perú).