All types of organizations are relying on cloud computing to improve performance and reduce costs. Pharmaceutical company Pfizer Inc. uses the cloud’s elasticity to increase its computing and analytics power during peak periods of drug development to levels not feasible in a traditional data center. Professional services firm Towers Watson says it is saving 40 percent on costs by using a combination of cloud and company-managed servers to help its insurance clients set auto policy rates based on individual drivers’ behavior. Using cloud infrastructure to bypass lengthy technology build cycles enabled Dow Jones and Co. to quickly introduce its financial solutions to the Asian market.
Such successes are a big reason why cloud infrastructure growth is outpacing data center infrastructure growth by more than 46 percent (see “Cloud Computing’s Dramatic Growth” below). Commissioning a cloud service provider can enable an organization to off-load much of the difficulty that comes with implementing, maintaining, and physically protecting the systems required for company operations. The organization no longer needs to employ a large team of network engineers, database administrators, developers, and other technical staff. Instead, it can use smaller, in-house teams to maintain the cloud solution and keep everything running smoothly. Moving to the cloud also can introduce new capabilities, such as the ability to add and remove servers based on seasonal demand, an option that would be impractical for a traditional data center.
With cloud computing becoming mainstream, internal auditors need to devise new ways of pinpointing the risks these services pose and verifying the security, reliability, and availability of critical data housed by an outside provider. Based on this assessment, internal auditors can advise their organizations about choosing a cloud service provider and preparing for the challenges of overseeing the cloud platform and infrastructure.
The Choices and Complexities Ahead
Cloud Computing’s Dramatic Growth
In the most recent edition of its annual IT Spending & Staffing Benchmarks report, market research firm Computer Economics describes 2015-2016 as “a tipping point where investment in cloud applications and infrastructure is rising.” According to the annual survey of more than 200 IT organizations across 23 industry sectors in North America, “a net 56 percent of IT organizations currently are increasing spending on cloud applications compared with a scant 10 percent that are growing spending on data center infrastructure.”
Other analysts make similar projections. Forbes’ “Roundup of Cloud Computing Forecasts and Market Estimates, 2016” found double-digit growth for various cloud computing specialties and services across more than a dozen industry surveys, with cloud industry revenues of more than US$100 billion.
The cloud encompasses application service providers, cloud infrastructure, and the virtual placement of a server, set of servers, or other set of computing power in an environment that is shared among many people and organizations. Cloud platforms and servers extend and supplement an organization’s own servers, resulting in multiple options for computing and application hosting.
It is not sufficient to think of cloud platform and infrastructure oversight as mere vendor management. Internal auditing of these environments is more complex, because of several factors about which the audit function needs to make decisions when determining the audit scope.
No Two Clouds Are the Same
A cloud deployment can be just as variable as a traditional IT implementation. Among the numerous cloud platforms, the most common are infrastructure as a service, software as a service, and platform as a service. Using these three options alone makes a wide variety of models and other options available. Each of these options poses a different set of risks and controls, depending on an organization’s specific deployment of a particular cloud platform and infrastructure.
Third-party Barriers
Many challenges and barriers to the audit appear when an organization is dealing with a third-party vendor. In some cases, auditing the cloud service provider’s processes and infrastructure might not be allowed. In its place, the vendor may offer attestation reports such as the American Institute of Certified Public Accountants’ (AICPA’s) Statement on Standards for Attestation Engagements No. 16 (SSAE 16) as evidence of organizational controls. In other cases, the provider might restrict the audit to a select portion of the service. Further, providers often require the client to obtain specific approvals before any audit activities can begin. An organization should take these types of considerations into account before contracting with a cloud vendor.
Control Responsibilities Are Shared
One of the most difficult aspects of auditing a cloud infrastructure deployment is determining which controls are to be managed by the organization and which by the cloud provider. With many cloud deployments, few controls are actually the responsibility of the provider. For example, the organization itself may be responsible for configuration management, patch management, and access management, while the provider is only responsible for physical and environmental security.
Tracking Cloud Deployments Is Difficult
An organization’s physical assets are tangible. The organization buys a physical piece of equipment and keeps a record of this asset; an auditor can see all the organization’s technology assets by walking through the data center. Cloud infrastructure deployments, however, are virtual, and it is easy to add and remove these systems. Many organizations base their models on servers and systems that are there one day and gone the next. IT departments also struggle with managing cloud assets, and tools to help cloud providers are evolving. As a result, the audit scope is hard to manage.
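One practical way to keep an audit scope honest when servers come and go is to reconcile successive inventory snapshots from the cloud provider against the organization’s own asset register. The script below is an added illustration, not code from the article or from any provider’s tooling; the two snapshots, the register, and the required tag names (owner, system) are constructed sample data and assumptions about how the organization labels its assets.

```python
"""Reconcile cloud inventory snapshots against an audit asset register.

Added example; not from the article or any vendor tool. The snapshots, the
register and the REQUIRED_TAGS names are constructed/assumed for illustration.
"""
from dataclasses import dataclass, field

# Tags the organization requires on every cloud instance (assumption).
REQUIRED_TAGS = ("owner", "system")


@dataclass
class Instance:
    instance_id: str
    region: str
    tags: dict = field(default_factory=dict)


def reconcile(previous, current, register):
    """Compare two inventory snapshots and the asset register.

    previous, current: lists of Instance from two points in time.
    register: set of instance ids the audit scope currently tracks.
    Returns sorted lists so findings are deterministic and easy to diff.
    """
    prev_ids = {i.instance_id for i in previous}
    cur_ids = {i.instance_id for i in current}

    # Instances that appeared or disappeared between snapshots: the
    # "there one day and gone the next" churn the audit scope must follow.
    added = sorted(cur_ids - prev_ids)
    removed = sorted(prev_ids - cur_ids)

    # Scope gaps: running assets nobody registered, and register entries
    # that no longer exist (stale scope that would waste audit effort).
    unregistered = sorted(cur_ids - register)
    stale_register = sorted(register - cur_ids)

    # Ownership gaps: without an owner/system tag, nobody can answer for
    # the control responsibilities that fall to the customer.
    missing_tags = {
        i.instance_id: [t for t in REQUIRED_TAGS if t not in i.tags]
        for i in current
        if any(t not in i.tags for t in REQUIRED_TAGS)
    }
    return {
        "added": added,
        "removed": removed,
        "unregistered": unregistered,
        "stale_register": stale_register,
        "missing_tags": missing_tags,
    }


# Constructed sample data: last week's snapshot, this week's snapshot,
# and the asset register the audit team scoped from.
PREVIOUS = [
    Instance("i-001", "us-east-1", {"owner": "finance", "system": "ratings"}),
    Instance("i-002", "us-east-1", {"owner": "finance", "system": "ratings"}),
    Instance("i-003", "us-west-2", {"system": "batch"}),
]
CURRENT = [
    Instance("i-001", "us-east-1", {"owner": "finance", "system": "ratings"}),
    Instance("i-002", "us-east-1", {"owner": "finance", "system": "ratings"}),
    Instance("i-004", "us-west-2"),  # launched with no tags at all
    Instance("i-005", "eu-west-1", {"owner": "research", "system": "analytics"}),
]
REGISTER = {"i-001", "i-002", "i-003", "i-005"}

if __name__ == "__main__":
    for key, value in reconcile(PREVIOUS, CURRENT, REGISTER).items():
        print(f"{key}: {value}")
```

Run against real data, the snapshots would come from the provider’s inventory API and the register from the organization’s asset system; the point of the check is that unregistered and untagged instances surface as scope findings instead of being discovered, if ever, long after the instance is gone.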
Cloud Infrastructure Expertise Is in Short Supply
Because cloud computing is a relatively recent and fast-growing technology service, an organization’s employees may not have cloud expertise. This scarcity creates risks because IT administrators aren’t positioned to explain the details of the cloud deployment, and internal auditors aren’t trained to interpret and assess deployments.
Cloud Risk Assessments
Migrating from facilities that are operating internally to cloud-based services can dramatically alter the risk profile of any organization. For example, when an organization moves to a cloud-based service, in most cases, all of its data is stored on the same physical equipment where other organizations’ data is housed. If configured inappropriately, data leaks could result. Following leading audit practices, internal auditors first must perform a cloud risk assessment to identify the specific risks and controls associated with their organization’s deployment strategy. A thorough assessment is needed, regardless of whether the organization is contemplating hiring a cloud service provider for the first time or is considering expanding its business with a provider. Internal auditors should incorporate several factors into the risk assessment of their organization’s cloud platform and infrastructure.
Strategy
Interacting with the organization’s IT and business leadership is the auditor’s first step toward understanding the organization’s cloud strategy. How does the organization expect to use the cloud, and what are the benefits of using it that way? What is the scope, from a macro perspective, of the organization’s plans for cloud deployments? The lack of a cohesive, formal, and well-aligned cloud infrastructure strategy should be a red flag for an internal auditor.
Personnel
Part of the organization’s cloud strategy should be a staffing strategy for the three lines of defense functions. Cloud servers don’t run themselves. While fewer employees might be needed because of the absence of physical equipment and the ease of maintenance, experts in all three lines need to be trained and available to address the risk, according to their role. Organizations should consider training options available from the Cloud Security Alliance, CompTIA Cloud Essentials, and Rackspace Cloud University. Moreover, CAEs should consider how they will staff the audit and whether assessment of personnel qualifications to manage the cloud deployment should be in scope for the risk assessment.
Security Program
IT departments and business units should have a cloud security strategy. A strategy includes determining the type of data permissible to store in the cloud and how its security will be enforced. It also includes the integration of the information security program into the cloud. All the usual IT risks of traditional data centers apply to cloud deployment as well — among them, malware propagation, denial of service attacks, data breaches, and identity theft — all of which, depending on the implementation, can fall to either party.
Professionals who have received training in cloud computing may be able to adapt traditional IT programs for auditing servers in physical form to a cloud environment. There’s more good news: Cloud infrastructure brings with it myriad security technologies that are not affordable in traditional deployments such as identity and access management systems, network segmentation, and multifactor authentication.
Penetration Testing
All systems, including systems in the cloud, have the potential to be hacked. Many cloud service providers test their environment regularly to analyze their ability to withstand wide-scale attacks. This testing, however, rarely covers the deployment specific to the cloud customer. Organizations should contract separately to have a penetration assessment of their cloud infrastructure conducted periodically. Doing so requires written authorization from the vendor, which is likely to be provided, as long as the requesting organization follows the rules specific to the cloud service provider’s individual system. Obtaining the provider’s authorization can be time-consuming, so cloud clients should plan far ahead.
Reliability and Redundancy
Internal auditors must understand the organization’s expectations for resilience from disruption. Because IT departments often have too few people or an insufficient budget to implement reliable and redundant systems in a self-managed infrastructure, many look to the cloud for a solution. Management might assume that redundancy is automatically built into the service provider’s infrastructure, but frequently that assumption is incorrect. Rather, organizations need to intentionally deploy redundant environments in the cloud.
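Because redundancy is not something the provider supplies by default, an auditor can test the assumption directly: group the deployed resources by application tier and check whether each tier is actually spread across more than one availability zone with more than one instance. The check below is an added example, not from the article; the resource list, tier names and zone names (east-1a, east-1b) are constructed, and the thresholds of two zones and two instances per tier are assumptions standing in for whatever resilience target management has set.

```python
"""Flag application tiers whose cloud deployment has no real redundancy.

Added example; not from the article. Resources, tiers, zone names and the
minimum thresholds are constructed/assumed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Resource:
    name: str
    tier: str   # application tier, e.g. "web", "db", "cache" (assumed labels)
    zone: str   # availability zone the instance runs in (assumed names)


def redundancy_findings(resources, min_zones=2, min_instances=2):
    """Return {tier: [problem, ...]} for tiers below the resilience target.

    A tier with all instances in one zone shares that zone's failure domain;
    a tier with a single instance has no failover at all. Tiers that meet
    both thresholds produce no entry.
    """
    by_tier = defaultdict(list)
    for r in resources:
        by_tier[r.tier].append(r)

    findings = {}
    for tier, items in sorted(by_tier.items()):
        zones = sorted({r.zone for r in items})
        problems = []
        if len(items) < min_instances:
            problems.append(f"only {len(items)} instance(s)")
        if len(zones) < min_zones:
            problems.append(f"all instances in zone(s) {', '.join(zones)}")
        if problems:
            findings[tier] = problems
    return findings


# Constructed sample deployment: the web tier is genuinely redundant, the
# database tier has two nodes but both sit in one zone, and the cache is a
# single instance. Management "assumed" all three were redundant.
DEPLOYMENT = [
    Resource("web-1", "web", "east-1a"),
    Resource("web-2", "web", "east-1b"),
    Resource("db-1", "db", "east-1a"),
    Resource("db-2", "db", "east-1a"),
    Resource("cache-1", "cache", "east-1a"),
]

if __name__ == "__main__":
    for tier, problems in redundancy_findings(DEPLOYMENT).items():
        print(f"{tier}: {'; '.join(problems)}")
```

The same shape of check extends to regions, load balancer targets or database replica sets; what matters for the audit is that the resilience expectation is written down as a threshold and the deployed inventory is measured against it rather than taken on faith.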
Not Just Another Vendor Assessment
Overall, internal auditors should not approach a cloud engagement in the same way they approach other third-party vendor audits. Cloud engagements present their own complexities, which auditors must understand to assess them adequately. SSAE 16 and other attestation reports based on audit and attestation standards are valuable, but they are not sufficient.
A correctly implemented cloud infrastructure can actually reduce an organization’s residual risk by off-loading a portion of the responsibility for managing IT risks to a cloud service provider. Internal auditors have a valuable opportunity to see that their organization is benefiting from the cloud while adequately addressing the new risks that are introduced when their organization contracts with a service provider and moves IT operations to the cloud. Applying the same level of rigor to cloud technology that they previously applied to technology managed in-house creates an environment in which the internal audit function can be a primary advocate for a strong cloud strategy that is implemented within the organization’s risk tolerance.
Jared Rittle is a technology risk consultant with Crowe Horwath LLP in New York.
Jill Czerwinski, CISSP, CISA, CIPP, is a technology risk senior manager with Crowe Horwath LLP in Chicago.
Michele Sullivan, CPA, CRMA, is a partner with Crowe Horwath LLP in South Bend, Ind.