Understanding ‘the cloud’ and how internal auditors can address the risks it poses.
Many of us, even if we are not familiar with the term ‘cloud computing’, already use the cloud in our daily lives: streaming movies from Amazon or Netflix, storing data and photos on Dropbox or iCloud, social messaging with Facebook or Twitter, and using email such as Hotmail or Gmail. These are all examples of the cloud in everyday use.
In a business context, the cloud has become mainstream. Many organisations routinely back up data to the cloud and use it to process email, payroll, HR or sales administration. With just a few clicks, an organisation can now connect to a new SAP or Oracle ERP system, something that previously would have been costly and time consuming.
What is ‘the cloud’? A dictionary definition from Google:
a visible mass of condensed water vapour floating in the atmosphere, typically high above the ground.
a state or cause of gloom, suspicion, trouble, or worry.
a network of remote servers hosted on the internet and used to store, manage, and process data in place of local servers or personal computers.
It’s the last definition that’s relevant from a cloud computing perspective but the second definition is quite illuminating as it is how many of us see the cloud in terms of security and third party governance risks.
The cloud is any service using on-demand, shared computing resources (eg networks, servers, storage, applications) delivered over the internet. Cloud services may be shared by many organisations (a public cloud) or dedicated to a single organisation (a private cloud).
The main service models are Software as a Service (SaaS), where the vendor runs a complete application and the customer simply uses it; Platform as a Service (PaaS), where the vendor provides a managed platform (databases, middleware, integration and runtime services) on which the customer deploys its own applications; and Infrastructure as a Service (IaaS), where the vendor provides compute, storage and networking and the customer installs and manages everything above them, from the operating system upwards. The lower down this stack the service sits, the more of the security controls remain the customer’s responsibility rather than the vendor’s, and any assessment of a cloud service should start by establishing where that dividing line falls.
Benefits of the cloud
One of the key benefits of cloud computing is its ‘on demand’ nature. You pay for what you need and can avoid much of the set-up capital cost and operational cost of running your own data centre and systems. When you no longer need the cloud, you stop paying the rental costs. This means that businesses can be more flexible and agile, scaling up quickly in times of need and back down in less busy periods. The cloud can help organisations focus on core business activities while outsourcing non-core activities (eg payroll) to the cloud.
One of the selling points of the largest cloud service providers is their sheer size and economies of scale. A cloud vendor that manages IT systems for a number of businesses can spend more on leading edge security and disaster recovery systems. These benefits can be passed down to customers who only need to pay a (relatively) small monthly rental fee.
What areas should internal audit focus on?
IA is in an ideal position to help its organisation ensure that adequate and effective controls are in place for cloud services, in the following areas.
Evaluating the cloud strategy
An appropriate business case should be established and reviewed by key people across the business and IT. The justification for moving to the cloud should be formally documented and aligned with the firm’s strategy and risk appetite. A detailed review of the risks, benefits and costs by IA is essential:
what are the risks from moving data to the cloud? eg privacy, access requests, data retention and limitations of liability
are there software or technical complexities to consider such as licensing, escrow, patching and support?
who will be responsible for the interfaces between you and the cloud provider?
what would be the impact if the cloud services failed? Can you easily recover to your own systems or to an alternative?
has management estimated the performance, volume and storage requirements and is this aligned with what the cloud vendor can actually provide?
A full impact analysis of moving data and systems to the cloud needs to be undertaken and reviewed by IA. Many organisations do not fully understand the current state of systems and data - failing to understand risks at the start can prove disastrous once the cloud contract is signed. Internal audit has a key role to play given IA’s expertise in risks, processes and controls.
Evaluating cloud vendors
Corporate procurement policies need to be complied with, and these should include an assessment of the reputation, history and financial sustainability of the cloud vendor. A short-list of cloud suppliers should be reviewed by IA to ensure that the selection strikes an appropriate balance between benefits, risks, controls and costs.
The continuity arrangements of the cloud service provider should be clearly understood and the plans themselves obtained. Most organisations will need to integrate the provider’s plans with their own continuity and insurance arrangements, and may need to access their data directly from time to time. The contract should provide for the timely return of your systems and data in a usable format, including on termination or if the vendor fails. There are well documented examples of cloud vendors ceasing trading with no time left for customers to retrieve their systems and data.
One of the key considerations for IA is the adequacy of information security controls at the cloud vendor. Security risks should be assessed carefully in the following areas:
where will your systems and data be located? Are there any local regulations such as privacy or taxation to be concerned about?
who will have physical and logical access to your systems and data? How will the access rights of employees, contractors and third parties be screened, authorised and periodically reviewed?
how will your data and systems be segregated from those of other organisations (logically and physically), and will your data be encrypted at rest and in transit? If it is encrypted, who holds the keys (you or the vendor), and can vendor staff decrypt your data?
how vulnerable are systems and data to inappropriate or unauthorised change or misappropriation while at the cloud service provider? Are full security audit trails enabled, and can you obtain them when you need them? Are security controls tested and effective?
Many cloud service providers are key targets for cyber criminals – remember the celebrity photo hacks earlier in 2014? Access to one cloud provider could allow access to many organisations. The cyber-readiness of the cloud provider is therefore a key area for IA to examine. There are several good frameworks that can be used, including ‘Cyber Essentials’ from the UK government, which is designed to address the most common cyber-threats through five basic controls (boundary firewalls and internet gateways, secure configuration, access control, malware protection and patch management). It is a minimum baseline rather than a substitute for the fuller assurance described below.
Relevant certifications should be obtained to assess the quality and security management of each cloud vendor. These may include ISO certifications such as ISO 9001 (quality management) or ISO 27001 (information security management) and, where your organisation handles card data, PCI DSS (Payment Card Industry Data Security Standard) compliance. Check the scope statement of each certificate: a certification may cover only particular data centres or services, and the service you intend to use may fall outside it. Cloud security should also be consistent with best practice such as ISO 27001 and with applicable legislation such as the Data Protection Act, the Freedom of Information Act (for public bodies) or other local regulations.
Ultimately, the cloud vendor should be able to describe its internal and external security controls clearly. This should be supported by requesting relevant security policies, recent vulnerability assessment reports and third party attestation reports (such as ISAE 3402 or SSAE 16 service auditor reports, or Cloud Security Alliance STAR assurance). A service auditor report describes the controls the vendor operates and the tests performed on them over a stated period; read the exceptions noted and the complementary user entity controls (the controls the vendor assumes you operate at your end) rather than relying on the mere existence of a report. Where these reports are not available, you will need to obtain sufficient assurance by other means that the cloud controls meet your needs. This may include a ‘right to audit’ clause in the contract so that you can directly assess the cloud vendor’s control environment.
Monitoring and service level management
A robust service level agreement should clearly define the responsibilities of all parties and provide for effective and clear governance of the cloud service. Single points of contact are needed for the coordination of activities, and service level monitoring arrangements should be established to ensure compliance with agreed service levels. Periodic security and service management reports (eg new or emerging risks, system issues and time taken to fix faults) should be obtained, and procedures implemented so that invoices are reviewed and matched against delivered service levels before they are paid.
Since problems can never be ruled out, the cloud provider should have an adequate incident management and breach notification process, including provision of access to logs and audit trails when required. All security incidents at the cloud provider (whether or not they result in a breach of your data) should be notified promptly, with the notification deadline written into the contract, so that risks can be assessed in time and management can react quickly if a security event arises.
Conclusion
Cloud computing continues to be widely adopted. Its many benefits include leveraging the economies of scale of a cloud vendor and reducing capital expenditure. However, there are many risks, including security and continuity, that need to be fully understood if organisations are to take full advantage of it. IA should consider the risks outlined in this article and ensure it is closely involved in the cloud strategy at its organisation.
Gavin Davey - IT Assurance Services, Insurance Industry Group, Moore Stephens LLP