10 Steps to Cloud Security: Step 2 — Audit operational and business processes

Yogesh Gupta
5 min read · Jul 31, 2022


(Originally published by author in Dec. 2017 in Peerlyst.com)

Continuing my series on “Steps to Cloud Security”, let us explore the audit function: what it means from a cloud perspective, and how the scope of auditing changes when you move your on-premises infrastructure to the cloud.

To begin with, let us list the 10 steps to cloud security as defined by the Cloud Standards Customer Council.

  1. Ensure effective governance, risk and compliance processes exist
  2. Audit operational and business processes
  3. Manage people, roles and identities
  4. Ensure proper protection of data and information
  5. Enforce privacy policies
  6. Assess the security provisions for cloud applications
  7. Ensure cloud networks and connections are secure
  8. Evaluate security controls on physical infrastructure and facilities
  9. Manage security terms in the cloud service agreement
  10. Understand the security requirements of the exit process

Today we discuss step 2: Audit operational and business processes.

So, what is auditing in the context of IT infrastructure? Auditing is a mechanism to:

  1. Document compliance with internal requirements or with external standards or regulations
  2. Identify deficiencies in the security of the infrastructure

There are also two important aspects to remember when planning an audit:

  1. It should be independent (no interested party or stakeholder should be part of the auditing team; you will already have seen this as a cross-functional audit during internal audits in your organisation)
  2. The scope of the audit should be clearly defined and approved by top management

Remember, audit is an important governance tool, and its output should be a report comprising a list of identified issues, risks and recommendations.

Now that we know what auditing is, let us understand how it is done when your infrastructure is in the cloud.

If you have gone through my previous articles, you will know that security is a shared responsibility between the cloud customer and the cloud service provider (CSP). If you look at the cloud architecture as a whole, there are two layers of infrastructure: the first is the CSP’s infrastructure, comprising physical servers, storage, networking and so on, and the second is the customer’s virtual infrastructure, which sits on top of the CSP’s infrastructure. It follows that implementing security controls is also a shared responsibility. So, from an auditing perspective as well, we have to look at auditing both the CSP’s and the customer’s infrastructure. Let us dive into it.

Auditing CSP’s Infrastructure

In a traditional environment, we are used to auditing our vendors and third-party providers, but this is not possible in the case of a cloud service provider. A CSP will not allow things like on-site audits, both because of the multi-tenant nature of the cloud environment and because it is not feasible to host visits from a large number of tenants to its datacentres. As a cloud customer, you will have to depend on third-party attestations, and even then the CSP may provide audit reports (such as SOC 2) only under an NDA, so that the detailed risk assessments and security controls they describe are not disclosed further.

In this situation, I would like to remind you that contracts and SLAs play a very important role in deciding the level of access you will get to audit information. So, make sure you have provisions for accessing audit data in your contract.

There are three main areas of interest that you should keep in mind when going through CSP audit reports and related documentation:

  1. Audit reports and documentation should help you understand the internal control environment of the cloud provider, including risks, controls and other governance issues.
  2. They should provide access to the corporate audit trail, including workflow and authorisations.
  3. They should provide documentation on physical access controls and on how facilities and datacentres are secured.

There are several industry standards, such as CSA CCM, ISO 27001, ISO 27005 and ISO 31000 (for risk management), COBIT and SSAE 16 reports. As a cloud customer, you should ensure that you can obtain audit reports based on these standards, with a clearly defined scope and a list of the specific security controls evaluated. One thing to remember here, and it is often overlooked, is that most of these compliance reports and attestations are ‘point-in-time’ activities: services are attested for a fixed period of time. Therefore, both the cloud service provider and the customer should make sure that auditing is an ongoing activity and that certifications are kept current.

Another important aspect is maintaining audit trails, or artefacts. These are generally logs, documentation or other materials which serve as evidence during audits. It is the responsibility of both the CSP and the customer to maintain these artefacts.

Auditing Cloud Customer’s virtual infrastructure

Most of today’s organisations have some auditing in place, whether it is compliance with NIST standards for a US-based organisation or ISO standards for an international one. There are industry-specific standards as well, like PCI DSS for credit card processing or HIPAA for healthcare.

Now, let us see how that changes when you move infrastructure to the cloud. The process of auditing itself does not change; however, you may see additional controls and documentation. For example, if you are an ISO 27001 certified organisation, you will have to look at additional standards like ISO 27017 (for controls) and ISO 27018 (for privacy). ISO 27017 is the standard specific to cloud computing security controls, and it draws the distinction between the responsibilities of the customer and those of the CSP.

So much for the compliance perspective, but what about a generic security audit process for infrastructure in the cloud?

That question can be answered with the help of an excellent document by ISACA called “IS Audit/Assurance Program in Cloud Computing”. It comes with a detailed spreadsheet listing the areas of audit and a checklist for effective auditing.

According to this document, you can divide your whole audit process into two main areas: Governance and Operations.

Governance can have the following sub-divisions:

  1. Governance of cloud computing services
  2. Enterprise Risk Management
  3. Information Risk Management
  4. Third-party Management
  5. Legal & Electronic Discovery
  6. Legal Compliance
  7. Right to Audit
  8. Auditability
  9. Compliance Scope
  10. Certifications
  11. Service Transition Planning

Operations can have the following sub-divisions:

  1. Incident Response, Notification and Remediation
  2. Application Security
  3. Compliance
  4. Tools and Services
  5. Application Functionality
  6. Data Security and Integrity
  7. Key Management
  8. Identity and Access Management
  9. Virtualisation
  10. Standards and Best Practices

So, as you can see, this document provides excellent support in building your own audit program for internal and external audits.

At the end of the day, I would say auditing in the cloud is not different from auditing traditional on-premises systems, but you need to remember that you must have two sets of audits and reports: one for your CSP, and one for your own virtual infrastructure.

That’s it for now; we will cover the other steps to cloud security in upcoming articles.


Yogesh Gupta

Security Transformation (SX) Advocate, Cloud & Digital Security