Leveraging the cloud has many advantages for organisations, including cost, agility, elasticity, breadth of functionality and the ability to deploy globally in minutes; the list goes on. Migrating to the cloud also presents many challenges, and perhaps the largest is updating the organisation's overall governance, risk and compliance (GRC) program. Capturing the security benefits of the cloud within an effective GRC framework requires the organisation's full commitment to the transition and proper education on the key components and their associated risks. We have gathered a number of things that IT auditors should know about IT GRC in the cloud, including recommended configurations, top risks, and ways to make IT auditing of the cloud more efficient.
7. Secure by Design and Continuous Control Monitoring
Secure by Design (SbD) is a security assurance approach with several benefits: security controls are embedded in the IT management process (often as infrastructure and policy defined in code), controls are enforced and checked automatically, and auditing is streamlined. Instead of assessing security retrospectively, SbD gives continuous, near-real-time visibility into whether each control is actually in place. This makes it simple to demonstrate an effective control environment to IT auditors, and gives management the transparency to find and self-report control failures before an audit rather than during one.
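The following is an added example of what "automated controls with continuous visibility" looks like in practice; it is not code from the article or from any provider. It evaluates a constructed inventory snapshot against a small, hypothetical control catalogue (the control IDs STG-1, NET-1, IAM-2 and so on, the admin-port list and the 90-day key-rotation threshold are all assumptions) and produces both the individual findings and the per-control pass/fail view an auditor would be shown. In a real deployment the same checks would run on a schedule against inventory pulled from the provider's API.

```python
"""Control-as-code evaluation of a constructed cloud inventory.

Added example, not from the article. The resource fields, control IDs and
thresholds are hypothetical; in practice the inventory would be pulled from
the provider's API on a schedule and the findings fed to a dashboard.
"""
from dataclasses import dataclass

# Constructed inventory snapshot (hypothetical resources).
INVENTORY = {
    "storage_buckets": [
        {"name": "finance-reports", "public": False, "encryption": "AES256", "logging": True},
        {"name": "marketing-assets", "public": True, "encryption": None, "logging": True},
    ],
    "security_groups": [
        {"name": "web-sg", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"name": "db-sg", "ingress": [{"port": 3306, "cidr": "0.0.0.0/0"}]},
    ],
    "iam_users": [
        {"name": "alice", "mfa": True, "access_key_age_days": 30},
        {"name": "svc-legacy", "mfa": False, "access_key_age_days": 400},
    ],
}

ADMIN_PORTS = {22, 3389, 3306, 5432}   # hypothetical: ports never to be exposed publicly
MAX_KEY_AGE_DAYS = 90                  # hypothetical rotation threshold


@dataclass(frozen=True)
class Finding:
    control: str    # control ID as it would appear in the control catalogue
    resource: str
    detail: str


def check_public_buckets(inv):
    return [Finding("STG-1", b["name"], "bucket is publicly accessible")
            for b in inv["storage_buckets"] if b["public"]]


def check_bucket_encryption(inv):
    return [Finding("STG-2", b["name"], "no encryption at rest configured")
            for b in inv["storage_buckets"] if not b["encryption"]]


def check_bucket_logging(inv):
    return [Finding("LOG-1", b["name"], "access logging disabled")
            for b in inv["storage_buckets"] if not b["logging"]]


def check_open_admin_ports(inv):
    return [Finding("NET-1", sg["name"], f"port {r['port']} open to {r['cidr']}")
            for sg in inv["security_groups"]
            for r in sg["ingress"]
            if r["port"] in ADMIN_PORTS and r["cidr"] == "0.0.0.0/0"]


def check_mfa(inv):
    return [Finding("IAM-1", u["name"], "MFA not enabled")
            for u in inv["iam_users"] if not u["mfa"]]


def check_key_rotation(inv):
    return [Finding("IAM-2", u["name"], f"access key is {u['access_key_age_days']} days old")
            for u in inv["iam_users"] if u["access_key_age_days"] > MAX_KEY_AGE_DAYS]


# The control catalogue: one automated check per control.
CONTROLS = {
    "STG-1": check_public_buckets,
    "STG-2": check_bucket_encryption,
    "LOG-1": check_bucket_logging,
    "NET-1": check_open_admin_ports,
    "IAM-1": check_mfa,
    "IAM-2": check_key_rotation,
}


def evaluate(inv):
    """Run every control and return all findings (empty list == fully compliant)."""
    findings = []
    for check in CONTROLS.values():
        findings.extend(check(inv))
    return findings


def control_status(inv):
    """Per-control pass/fail view: the continuous picture shown to auditors."""
    return {cid: len(check(inv)) == 0 for cid, check in CONTROLS.items()}


if __name__ == "__main__":
    for f in evaluate(INVENTORY):
        print(f"{f.control:6} {f.resource:18} {f.detail}")
    print(control_status(INVENTORY))
```

Each control maps to exactly one check, so the output of `control_status` can be handed over as evidence without anyone assembling screenshots, and a change in the threat landscape or in compliance requirements is handled by editing or adding a check rather than rewriting an audit procedure.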
Mark Thomas of Escoute Consulting attests to the benefits of SbD.
“I love Secure by Design in the cloud,” he told Internal Audit Insights. “It allows you to formalise your design and automate security controls...however, this is not a ‘design and forget’ method - you need to manage this as the control needs can change depending on the threat landscape and compliance requirements.”
6. Organisational Culture
The culture of a company plays a key role in its successful use of the cloud. First and foremost, not every risk can be fully mitigated, so it is important to understand the organisation's risk tolerance.
“You need to ask ‘what is my organisation’s risk profile?’” Thomas says. “The risk appetite and tolerance levels come from the board and should be aligned to decisions being made by management.”
Second, employees have historically been trained to manage the risks of a traditional infrastructure model, not those of the cloud. Previously, an employee who needed a new server requested it from the IT department, a process not known for being simple or quick. With the growing acceptance of the cloud, increasing pressure on employees to deliver efficiently and on budget, and the ease of procuring cloud services, individuals in organisations without strong controls can now use a corporate credit card to obtain whatever cloud services they want within minutes, without considering the associated risks and outside the visibility of IT and security.
5. Federated Identity Management
Federated Identity Management (FIM) is a way of connecting separate identity management systems so that one can rely on another's authentication. With FIM, the user's credentials are stored only with a "home" organisation, the identity provider (IdP). When the user logs into a cloud service, the user authenticates to the IdP rather than to the service provider, and the service provider accepts a signed assertion from the IdP (for example a SAML response or an OpenID Connect token) as proof of who the user is and which groups they belong to. The user never presents credentials to anyone but the identity provider.
FIM also allows organisations to automate account provisioning (users are granted access to all their assigned applications based on Active Directory or LDAP group memberships), which simplifies access management for IT departments and, even more so, for users, who need to remember only one username and password. This configuration is also more straightforward for IT auditing, as there are fewer access controls to validate. The caveat is that concentrating authentication at the identity provider also concentrates risk: the IdP's own controls (multi-factor authentication, session lifetimes, timely deprovisioning of leavers, and the signing keys that service providers trust) become the ones an audit must examine most closely.
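The exchange described in the two paragraphs above, as an added example that is not code from the article or from any identity product. The directory, shared key, issuer name and audience name are constructed; HMAC-SHA256 stands in for the asymmetric signature a real SAML or OIDC identity provider would use, but the checks the service provider performs (signature, issuer, audience, validity window) are the ones that matter in practice, and the group-to-role map shows the automated provisioning step. The `forge_groups` helper exists only to demonstrate that an assertion edited after signing is rejected.

```python
"""Federated login: the IdP authenticates, the service provider verifies an assertion.

Added example, not from the article. The directory, shared key, issuer and
audience names are constructed. HMAC-SHA256 stands in for the asymmetric
signature a real SAML/OIDC identity provider would use; the verification
steps (signature, issuer, audience, validity window) are the same ones a
service provider must perform.
"""
import base64
import hashlib
import hmac
import json

IDP_ISSUER = "https://idp.example"                  # hypothetical IdP
IDP_KEY = b"constructed-demo-key-not-for-real-use"  # hypothetical signing key
PW_SALT = b"constructed-salt"                       # per-user salts in a real directory


def _pw_hash(password: str) -> bytes:
    # Slow password hash, as a real IdP would use; the constant salt is for the demo only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), PW_SALT, 100_000)


# The "home" organisation's directory (constructed): credentials live only here.
DIRECTORY = {
    "alice": {"pw": _pw_hash("correct horse battery"), "groups": ["finance", "staff"]},
    "bob":   {"pw": _pw_hash("hunter2"),               "groups": ["staff"]},
}

# Service provider side: directory group -> application role (provisioning map).
GROUP_TO_ROLE = {"finance": "ledger:write", "staff": "ledger:read"}
ACCOUNTS = {}   # local accounts created automatically on first federated login


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: str) -> str:
    return _b64(hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).digest())


def idp_authenticate(username, password, audience, now, ttl=300):
    """IdP: check the password locally and, on success, issue a signed assertion."""
    user = DIRECTORY.get(username)
    if user is None or not hmac.compare_digest(_pw_hash(password), user["pw"]):
        return None
    claims = {"iss": IDP_ISSUER, "sub": username, "aud": audience,
              "iat": now, "exp": now + ttl, "groups": user["groups"]}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    return payload + "." + _sign(payload)


def sp_verify(assertion, expected_audience, now):
    """Service provider: accept the assertion only if every check passes."""
    try:
        payload, sig = assertion.split(".")
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(payload)):
        return None                     # tampered, or not from the trusted IdP
    claims = json.loads(_unb64(payload))
    if claims.get("iss") != IDP_ISSUER or claims.get("aud") != expected_audience:
        return None                     # wrong issuer, or replayed at another service
    if not (claims["iat"] <= now < claims["exp"]):
        return None                     # expired or not yet valid
    return claims


def sp_provision(claims):
    """Automated provisioning: map IdP groups to local roles and create the account."""
    roles = sorted({GROUP_TO_ROLE[g] for g in claims["groups"] if g in GROUP_TO_ROLE})
    ACCOUNTS[claims["sub"]] = roles
    return roles


def federated_login(username, password, now, audience="ledger-app"):
    """Full flow. Returns the user's roles at the service provider, or None."""
    assertion = idp_authenticate(username, password, audience, now)
    if assertion is None:
        return None
    claims = sp_verify(assertion, audience, now)
    return None if claims is None else sp_provision(claims)


def forge_groups(assertion, groups):
    """Attacker edits the claims but cannot re-sign them (used to show rejection)."""
    payload, sig = assertion.split(".")
    claims = json.loads(_unb64(payload))
    claims["groups"] = groups
    return _b64(json.dumps(claims, sort_keys=True).encode()) + "." + sig
```

Note that the service provider never sees a password and keeps no password store, which is why there are fewer access controls for an auditor to validate; the audience check is what stops an assertion issued for one application from being replayed against another.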
4. Logging Actions in the Cloud
Organisations should log all actions that take place in the cloud. Because every change goes through the provider's API, the control plane can record who did what, from where and when, for every call; this comprehensive view of activity is rarely achievable in legacy, on-premises environments. Those logs should be written to a location that the administrators being monitored cannot alter or switch off, and retained for at least the audit period, or they are of little value as evidence.
Additionally, this streamlines audit preparation by providing one authoritative source to give IT auditors. It reduces the burden on control owners when preparing requested documentation for an IT audit, and increases efficiency for IT auditors, since a single source means fewer controls to review.
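As an added example (not from the article, and not any vendor's tooling), the block below runs a few detections over a constructed audit log and builds the "who did what" summary an auditor would ask for. The records are constructed JSON lines whose field names follow the AWS CloudTrail layout (`eventName`, `userIdentity`, `additionalEventData`, `responseElements`); the account number, user names and IP addresses are hypothetical. The three rules, root-account activity, a successful console login without MFA, and any call that changes the audit trail itself, are the checks that give the paragraph's "cannot alter or switch off" requirement some teeth.

```python
"""Detection over constructed cloud audit-log records.

Added example, not from the article. The records are constructed JSON lines
whose field names follow the AWS CloudTrail layout; the account, ARNs and
IP addresses are hypothetical.
"""
import json
from collections import Counter

# Constructed sample log: one JSON record per line.
RAW_LOG = """
{"eventTime":"2024-03-01T08:00:12Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"},"sourceIPAddress":"203.0.113.10","additionalEventData":{"MFAUsed":"Yes"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2024-03-01T08:05:40Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/bob"},"sourceIPAddress":"198.51.100.7","additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2024-03-01T08:06:01Z","eventName":"ConsoleLogin","userIdentity":{"type":"Root","arn":"arn:aws:iam::111122223333:root"},"sourceIPAddress":"198.51.100.7","additionalEventData":{"MFAUsed":"Yes"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2024-03-01T08:07:15Z","eventName":"StopLogging","eventSource":"cloudtrail.amazonaws.com","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/bob"},"sourceIPAddress":"198.51.100.7","requestParameters":{"name":"org-trail"}}
{"eventTime":"2024-03-01T08:09:30Z","eventName":"CreateBucket","eventSource":"s3.amazonaws.com","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"},"sourceIPAddress":"203.0.113.10","requestParameters":{"bucketName":"finance-reports-2024"}}
"""

# API calls that weaken or stop the audit trail; any of them warrants review.
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def parse_log(raw):
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def detect(events):
    """Return (rule, actor, eventName, eventTime) tuples for records needing attention."""
    alerts = []
    for e in events:
        ident = e.get("userIdentity", {})
        actor = ident.get("arn", ident.get("type", "unknown"))
        name = e.get("eventName")
        when = e.get("eventTime")
        if ident.get("type") == "Root":
            alerts.append(("ROOT_ACTIVITY", actor, name, when))
        if (name == "ConsoleLogin"
                and e.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and e.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            alerts.append(("CONSOLE_LOGIN_WITHOUT_MFA", actor, name, when))
        if name in TRAIL_TAMPER_EVENTS:
            alerts.append(("AUDIT_TRAIL_CHANGED", actor, name, when))
    return alerts


def activity_summary(events):
    """Who did what, how often: the single authoritative view handed to auditors."""
    return Counter((e.get("userIdentity", {}).get("arn", "unknown"), e.get("eventName"))
                   for e in events)


def actors_from_ip(events, ip):
    """Investigation pivot: every identity seen from one source address."""
    return sorted({e.get("userIdentity", {}).get("arn", "unknown")
                   for e in events if e.get("sourceIPAddress") == ip})


if __name__ == "__main__":
    evs = parse_log(RAW_LOG)
    for alert in detect(evs):
        print(*alert)
    for (actor, action), n in sorted(activity_summary(evs).items()):
        print(f"{n:3} {actor} {action}")
```

The `actors_from_ip` pivot is the kind of question that only a complete, central log can answer: in the sample, a non-MFA login, a root login and a call to stop logging all come from the same address within two minutes, which is a very different story from any one of those records on its own.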
3. Disaster Recovery and Business Continuity
The cloud vendor's ability to offer disaster recovery and business continuity services that suit the organisation is a must-have. Some cloud vendors do not back up customer data at all, or back it up only for their own platform resilience rather than for customer restores, because it is expensive, leaving the onus on the customer either to contract with a different vendor to back up the data held in the cloud or to take on the task internally. Whoever does it, a backup that has never been restored is an assumption, not a control, so restore tests belong in the audit scope.
A further consideration is that the business logic behind the cloud service is generally proprietary to the vendor, so even when the data is backed up, value can be lost if the service itself is no longer available to process it.
“A benefit of using cloud providers can be to help alleviate location-based risks such as weather. However, it is important to remember that you are not outsourcing the accountability of the service, just the responsibility,” Thomas shares.
2. Vendor Management
Properly managing the entire vendor lifecycle for cloud providers is a top risk for organisations. Each vendor will claim to be perfect and fully transparent, but no vendor has done its customers' jobs with the customers' tools, resources and budget. Several questions are imperative for IT auditors to ask:
- Where is the data?
- Who can see the data?
- Is the data untampered?
- How is processing configured?
These questions exist alongside others that may be more specific to each organisation’s business model.
1. Automated Application Performance Management
Metrics that align with the established service level agreement (SLA) should be closely monitored by the technology and operations departments, and many vendors offer cloud performance management for this purpose. It matters because, at the end of the day, organisations must provide a seamless user experience: if users are getting slow logins or failed logins, that is a problem that can directly affect revenue.
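As an added example (not from the article or from any performance management vendor), the block below turns the paragraph's two concerns, slow logins and failed logins, into measurable indicators and checks them against SLA targets. The twenty login samples, the 99.5% availability and 800 ms p95 targets, and the nearest-rank percentile are all constructed for illustration; a real system would compute the same indicators over a rolling window of production metrics and alert on a breach.

```python
"""SLA check over constructed login telemetry.

Added example, not from the article. The samples, SLA targets and the
nearest-rank percentile are constructed; a real system would compute the
same indicators over a rolling window of production metrics.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginSample:
    latency_ms: int
    success: bool


# Hypothetical SLA targets for the login service.
SLA = {"availability": 0.995, "latency_p95_ms": 800}

# Constructed window of 20 login attempts; the two slow ones timed out and failed.
SAMPLES = [LoginSample(ms, ms < 1000) for ms in
           [210, 240, 190, 260, 300, 220, 1500, 230, 250, 270,
            210, 240, 260, 2100, 230, 220, 240, 250, 260, 230]]


def percentile(values, p):
    """Nearest-rank percentile for integer p in 1..100 (integer ceil avoids float drift)."""
    if not values:
        raise ValueError("no samples")
    ordered = sorted(values)
    rank = max(1, -(-p * len(ordered) // 100))
    return ordered[rank - 1]


def evaluate_sla(samples, sla=SLA):
    """Compute the two indicators and list which targets the window breaches.

    Failed attempts keep their latency so that timeouts count against p95
    instead of silently improving it.
    """
    availability = sum(s.success for s in samples) / len(samples)
    p95 = percentile([s.latency_ms for s in samples], 95)
    breaches = []
    if availability < sla["availability"]:
        breaches.append("availability")
    if p95 > sla["latency_p95_ms"]:
        breaches.append("latency_p95")
    return {"availability": availability, "latency_p95_ms": p95, "breaches": breaches}


def error_budget_remaining(samples, sla=SLA):
    """Fraction of the failures the SLA permits in this window that are still unused."""
    allowed = (1 - sla["availability"]) * len(samples)
    failed = sum(not s.success for s in samples)
    return max(0.0, 1 - failed / allowed) if allowed else 0.0


if __name__ == "__main__":
    print(evaluate_sla(SAMPLES))
    print(f"error budget remaining: {error_budget_remaining(SAMPLES):.0%}")
```

Measuring p95 over all attempts, failures included, is the design choice worth noting: if timeouts are dropped before computing latency, the dashboard reports a fast service at exactly the moment users are experiencing a broken one.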
There are certainly many considerations in building an effective IT GRC cloud program, and keeping the points above in mind will help organisations with this effort.