Auditing Cloud

The term "cloud" has become increasingly common in recent years. With the exponential growth in data use that accompanies the digital transformation of society, individuals and organizations find it increasingly difficult to keep all of their important information, services and systems running on internal servers. Companies also operate heterogeneous infrastructure across a multitude of access models, which is complex to manage in-house, and the need to support remote working and to be resilient adds to that complexity. To address this, companies are exploring their options and migrating to the cloud. The underlying solution has existed for almost as long as the Internet, but it has only recently gained wide popularity among companies: compute and Internet connectivity have improved significantly, the cost of compute, connectivity and storage has fallen substantially, and cyber security and privacy are assumed to be better managed by the infrastructure, standardized processes and specialist staff of cloud service providers.

Various estimates show that by 2025 the global cloud computing market is expected to exceed $650 billion. According to the latest forecast from Gartner, Inc., end-user spending on public cloud services in India will reach $4.1 billion in 2021, up 29.4 percent from 2020. Cloud adoption has also been significantly accelerated by COVID-19; AWS, Google and Microsoft have all reported double-digit growth in their cloud businesses. These figures are a testament to the rapid rise of cloud computing in modern businesses and their dependence on this technology.

Some companies are moving their complete data center infrastructure to the cloud; however, the vast majority of cloud adopters are doing so workload by workload, carefully reviewing their portfolio of workloads and applications and determining the best cloud or non-cloud venue to host each. Efficiency, integration challenges, economics, competitive differentiation, solution maturity, risk tolerance, regulatory considerations, availability of expertise and the partner environment are all factors in that decision.

WHY DO YOU NEED TO AUDIT YOUR CLOUD?

Not every cloud adoption is equally advantageous, technically or commercially. When developing a cloud strategy, companies must determine which of their applications and infrastructure provide a competitive advantage and which do not. They should also consider regulatory and geographical constraints, as these can be either a limiting factor or a driving force for cloud adoption. Cloud adoption requires a significant change in the control framework, with a more integrated approach to cloud and cyber risk, the security model, and existing tools and capabilities. It requires a complete risk assessment covering geopolitical and regulatory risk, data management, network and infrastructure, application architecture and configuration, and access management.

There is a persistent myth that security comes bundled with the cloud. Enterprises assume that once they migrate to the cloud they no longer need their own security controls or a proper audit of the architecture, because those responsibilities now rest with the vendor. In reality, data in the cloud is not as secure as that perception suggests. According to a McAfee study, nearly one-fourth of cloud data could put a company at risk if it were leaked or stolen.

Companies are building new cloud services at a breakneck pace, but they are struggling to configure them correctly. Misconfigurations can be fatal for an organization, particularly as the practice of sharing sensitive data in the cloud has increased by 53% year over year.

At a time when whole businesses are shifting to the cloud and enterprises are also building out private cloud infrastructure and data centers, a safe and secure strategy needs to be in place. Under the shared responsibility model, the cloud service provider is responsible for security of the cloud (the physical facilities, the hypervisor and the underlying platform services), while the customer remains responsible for security in the cloud: their data, identities, configuration and, depending on the service model, their applications and operating systems. How much of that burden shifts to the provider varies between software-as-a-service (SaaS), platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS), but the customer's data is never the provider's responsibility alone. Companies therefore need to implement cloud security controls that cover the entire spectrum of cloud computing and actively audit their applications, infrastructure or platform, as the case may be, to stand a chance against ever-evolving attacks.

WHAT AND HOW TO AUDIT YOUR CLOUD?

Internal audit and compliance, particularly third-party compliance, play a critical role in managing and assessing risk as cloud services develop. The primary role of the auditor is to review the cloud strategy and whether it stands up to the challenges of the technology model, third-party risk, cost, security, privacy, resilience and regulatory requirements.

Auditors should adopt a risk-based approach to auditing the cloud, reviewing the governance and risk management culture established with third-party vendors. Management must set the tone for a culture of risk management and compliance, both internally and with third-party vendors, and staff and business partners must be reminded regularly of the importance of ongoing risk management.

To perform the audit, auditors must first understand how data resides in and travels through their organization, including who manages the information and what tools are used to process, distribute, store and transfer data from in-house systems to third parties; only then can they determine the risks associated with a vendor's processes. Third-party vendors must be evaluated through an effective mix of investigation, site visits, regular meetings, screening, testing, and analysis of their privacy and security policies.

Cloud security audits, unlike traditional IT security audits, must look at a wide variety of risks beyond the traditional ones. They need to focus in much more detail on strategy, governance, third-party risk, regulatory and geopolitical risk, data and access management, and the completeness and accuracy of reports produced by cloud systems, in order to cover the wide range of emerging security issues. A better approach is to keep the technology-neutral structure of well-known IT security auditing standards while supplementing them with cloud-specific detail on what to look for, rather than simply re-running a traditional audit against a cloud environment.

Internal audit should review the cloud migration and change management processes, including cloud policies, risk controls and the relevant third-party audit reports. It should also review approval procedures, patch management and integration management, whether manual or fully automated, for their ability to detect and reject unauthorized changes.

Cloud configuration, network and infrastructure hardening, and identity and access management are key to successful cloud adoption. Auditors should review the hardening process, the hardening standards and the resulting configuration. They should assess the network and infrastructure configuration for appropriateness of design, implementation and operating effectiveness from a control perspective, with particular focus on network ingress and egress. They should also examine how access to the cloud environment is requested, approved, granted, managed, modified and removed. A zero trust approach should be adopted to manage cloud risk, and auditors should review the design, implementation and operating effectiveness of that approach.
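As an added example (not part of the original article), the script below performs a small offline test of two of the controls described above: Internet-facing ingress rules and the identity lifecycle. The data structures mirror the shape of AWS's `DescribeSecurityGroups` response and the IAM credential report CSV, but the sample records, account ID and user names are constructed for illustration; in practice the same functions would be fed the real API output.

```python
"""Offline audit of world-open ingress rules and stale IAM credentials.

Added example; input shapes follow AWS DescribeSecurityGroups and the IAM
credential report, but all records below are constructed sample data.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample: two security groups in DescribeSecurityGroups shape.
SECURITY_GROUPS = [
    {
        "GroupId": "sg-0a1b2c3d",
        "GroupName": "web-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},           # HTTPS: expected
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},           # SSH open to the world
        ],
    },
    {
        "GroupId": "sg-0f9e8d7c",
        "GroupName": "db-tier",
        "IpPermissions": [
            {"IpProtocol": "-1",                                 # all protocols, all ports
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},             # world-open over IPv6
        ],
    },
]

# Administrative and database ports that should never be reachable from the Internet.
ADMIN_PORTS = {22, 3389, 3306, 5432, 1433, 27017, 6379}
WORLD = {"0.0.0.0/0", "::/0"}


def _port_range(perm):
    """Return (from, to) for a permission; protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def find_world_open_ingress(groups, admin_ports=ADMIN_PORTS):
    """Flag ingress rules exposing an admin/database port to 0.0.0.0/0 or ::/0."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not WORLD.intersection(cidrs):
                continue
            lo, hi = _port_range(perm)
            exposed = sorted(p for p in admin_ports if lo <= p <= hi)
            if exposed:
                findings.append((sg["GroupId"], sg["GroupName"], exposed))
    return findings


# Constructed sample credential report (column names match the real CSV).
CREDENTIAL_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
alice,arn:aws:iam::123456789012:user/alice,2023-01-10T08:00:00+00:00,true,2024-05-01T09:00:00+00:00,true,true,2024-04-01T00:00:00+00:00,2024-05-01T09:00:00+00:00
bob,arn:aws:iam::123456789012:user/bob,2022-06-01T08:00:00+00:00,true,2023-01-15T09:00:00+00:00,false,true,2022-06-01T08:00:00+00:00,2023-02-01T09:00:00+00:00
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2023-03-01T08:00:00+00:00,false,no_information,false,true,2023-03-01T08:00:00+00:00,N/A
"""

NOW = datetime(2024, 5, 15, tzinfo=timezone.utc)  # fixed clock so the run is deterministic


def _parse(ts):
    """The report uses N/A / no_information / not_supported for missing dates."""
    if ts in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(ts)


def audit_credential_report(report_csv, now=NOW, max_key_age_days=90, max_idle_days=90):
    """Return {user: [issues]} for console users lacking MFA and stale or unused access keys."""
    issues = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        problems = []
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            problems.append("console login without MFA")
        if row["access_key_1_active"] == "true":
            rotated = _parse(row["access_key_1_last_rotated"])
            if rotated and now - rotated > timedelta(days=max_key_age_days):
                problems.append(f"access key older than {max_key_age_days} days")
            used = _parse(row["access_key_1_last_used_date"])
            if used is None or now - used > timedelta(days=max_idle_days):
                problems.append(f"access key unused for >{max_idle_days} days")
        if problems:
            issues[row["user"]] = problems
    return issues


if __name__ == "__main__":
    for gid, name, ports in find_world_open_ingress(SECURITY_GROUPS):
        print(f"[ingress] {gid} ({name}) exposes {ports} to the Internet")
    for user, probs in audit_credential_report(CREDENTIAL_REPORT).items():
        print(f"[iam] {user}: " + "; ".join(probs))
```

Each finding maps directly to an audit question from the paragraph above: the ingress check tests whether the hardening standard (no admin or database ports reachable from the Internet, over IPv6 as well as IPv4) is actually implemented, and the credential-report check tests whether the joiner/mover/leaver process is operating effectively (keys rotated, unused keys removed, MFA enforced for console users). The thresholds of 90 days are assumptions and should be replaced with the organization's own policy values.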

Problem, event and incident management is another area that should be a primary focus for the audit team. There should be a clear definition of what the enterprise considers an incident, how incidents are categorized, and how the enterprise operates while an incident is in progress. A dedicated team of specialists should manage the resources for responding to cyber security incidents; a well-staffed SOC that collaborates closely with the organization's incident management teams helps ensure that security concerns are resolved as soon as they are discovered. Auditors should review the complete problem, event and incident management process for design, implementation and operating effectiveness.

The performance reports generated by cloud vendors are of no use until they have been tested for completeness and accuracy to confirm they are reliable; only then should they be regularly analyzed and monitored. Auditors should examine management's review of the periodic reports the vendors produce for evaluating, monitoring and managing cloud-based services, infrastructure and applications. This also lets them assess how the company monitors its cloud spend.

Auditors should review the provider's SOC 2 report to understand the cloud service provider's risk management approach and the design, implementation and operating effectiveness of its controls over whichever of the trust services criteria (security, availability, processing integrity, confidentiality and privacy) are in scope. Controls that fall to the user entity under the shared responsibility model must be audited directly to gain assurance over the overall cloud environment, and any control reported as ineffective on the provider's side should be evaluated to confirm the residual risk has been adequately treated.

CONCLUSION

To summarize, organizations need to adopt a risk-based audit approach and consider emerging risks such as geopolitical and regulatory risk, governance, architecture alignment, third-party and fourth-party risk, zero-day attacks, data governance and access management in order to streamline their cloud audit process. Understanding the different cloud models, together with the risks and vulnerabilities associated with each, supports a risk-based audit.

Digital & Risk Management Leader with Digital, Risk Consulting & Auditing strengths. Nature-lover. Mom. Views / RT’s are personal.
