Top Considerations When Auditing Cloud Computing Systems
As today’s organizations migrate to the cloud, they expose themselves to a rapidly growing threat landscape. As if protecting on-premise data wasn’t hard enough, your team faces many new security challenges in the cloud. Now is the time to ask some tough questions. How ready is your company for the next approaching cloud security audit? Any idea what the auditors will be prioritizing? Are you confident that your security management practices are able to keep data safe in the cloud? All right, deep breath.
The good news? You’ve come to the right place, and it’s not too late. On November 19th, 2020, we hosted a webinar with Jacques Nack, CEO at JNN Group, and John Gukian, senior engineer at IBM, and picked their brains on cloud security, compliance, and, specifically, how to audit your cloud environments to suss out potential vulnerabilities. This article will discuss industry changes, what many organizations currently do to keep their cloud data safe, and what your team can do to better prepare for your next security audit. There’s a lot to learn, so let’s get started.
Organizations have increasingly turned to cloud services in the last decade. In 2010, worldwide spending on public cloud services was $76.94 billion, with projected growth to $362 billion by 2022. Keep in mind, 67% of enterprise infrastructure will be cloud-based and a whopping 82% of workloads will be in the cloud by the end of 2020. Cloud services offer organizations increased agility, flexibility, and speed, but many aren’t prepared for the increased security and compliance challenges of using cloud resources.
Security risk has grown exponentially with the arrival of remote workforces. Cloud data is being accessed from anywhere and everywhere, attackers have more vulnerabilities to target, and the job of safeguarding data is more challenging than ever. Companies now realize security and compliance in the cloud requires ongoing, relentless effort.
Addressing security in the cloud
Securing data in your cloud environments comes with unique challenges and raises a new set of questions. What’s the appropriate governance structure for an organization’s cloud environment and the data that resides within them? How should cloud services be configured for security? Who is responsible for security, the cloud service provider or the user of that cloud service?
Cloud compliance is becoming front of mind for organizations of all sizes. Smaller companies with limited staff and resources tend to rely more on cloud vendors to run their businesses and to address security risks, even though the vendor only secures its side of the shared responsibility line. Often roles will overlap, with team members wearing many hats in smaller operations. Larger enterprises frequently keep more security and compliance duties in-house, using vast resources to create individual teams for threat hunting, risk management, and compliance/governance programs.
Regardless of size, the challenge of balancing security and business objectives looms large for all companies. Security must be built around the business, and Jacques accurately describes the nature of the relationship: “Security is always a support function around your business.”
Many teams seeking to build assurance while managing cost rely on Governance, Risk and Compliance (GRC) frameworks to keep their data secure in the cloud. There are many available, such as the Cloud Security Alliance Cloud Controls Matrix (CSA CCM), NIST SP 800-53, and ISO 27001, which can help your team better understand cloud-specific compliance considerations and prepare for IT compliance audits.
Which one you choose should depend on your organization’s unique circumstances, preferences, and partners. For example, the Cloud Security Alliance Cloud Controls Matrix is specifically designed to provide fundamental security principles to guide organizations in assessing the overall security risk of their cloud environments. FedRAMP would be a sensible choice for companies doing business with the U.S. federal government. Jacques recommends taking the time to thoroughly understand your business environment, risk tolerance, and maturity level to implement controls before finalizing your risk framework.
Key Security and Compliance Considerations When Operating in the Cloud
When assessing the security posture of your cloud environment, the first question both you and your auditor need to ask is, “Where is your data going?” “Your data’s journey—how it’s received, stored, handled, and treated by third parties—will determine your cloud security and compliance agenda,” says Jacques. All security controls and processes must align with your data’s flow around business objectives. Keep in mind that security’s role is supportive but must never become secondary.
Security by design
During the age of legacy systems, security was often “bolted on” as an after-thought. This doesn’t fly today as cloud systems demand a renewed awareness and commitment from the top, embedding security into the company culture and daily operations.
With this new security by design mindset, all departments share responsibility and empowerment in the decision process. Security by design is the only way modern enterprises can achieve the agility and flexibility needed to face the cloud’s continually evolving threat landscape.
Building your cloud compliance program
Both of the experts we interviewed agree that today’s organizations need an established cyber program to help prepare for cloud compliance audits. If your company doesn’t have established security management processes, you will struggle when it comes to passing cloud audits.
So, what does your organization need to do to ensure compliance? Below are some key steps to create a compliance program:
Determine your level of risk tolerance
Assign critical roles like security and privacy officers
Select the compliance framework that you will build around
Design your controls in alignment with business objectives
Draft an administration contract to document your data handling policies
Adhering to these steps will help you create a solid foundation for maintaining information security in your cloud environment.
Key Compliance Considerations for Cloud Environments
One of the most important things to focus on is asset management. You need to document all the cloud services within your cloud environment as well as the data that resides within them. Organizations should define how all cloud services should be securely configured, to prevent them from becoming exploitable.
Knowing What Regulations Apply to Your Data
This can be tricky because you’ll need to keep up with region-specific and sometimes overlapping privacy regulations. For example, if you’re doing business in Italy you must adhere to GDPR, but Italy may also have its own national laws that apply on top of it.
Cloud Strategy & Architecture
Organizations should clearly define their cloud account structure, ownership, and accountability.
The agility, speed, and flexibility of cloud environments make changes difficult to control. Change processes in traditional on-premise environments typically involve multiple roles and approvals and could take days or weeks. With the cloud, infrastructure is software, and a resource’s entire lifecycle may last only minutes or seconds. Companies should use automation and leverage cloud services to continuously monitor configurations and immediately remediate issues.
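To make the asset-management and automation points concrete, here is an added example (not code from the webinar, JNN Group, or IBM) of the kind of policy-as-code check a team would run on every change event. It evaluates a resource inventory against a handful of baseline controls (ownership, public exposure, encryption at rest, admin ports open to the internet), auto-remediates the two findings that are safe to fix mechanically, and leaves the rest for a ticket. The inventory, resource shapes, and control names are constructed for illustration; a real deployment would populate the inventory from the provider’s list/describe APIs and apply fixes through the same APIs.

```python
"""Policy-as-code checks over a cloud resource inventory.

Added example; the inventory below is constructed, not pulled from a provider.
"""
import copy
from dataclasses import dataclass

# Constructed inventory: one flattened dict per resource. "owner" is the
# accountability tag the "Cloud Strategy & Architecture" section asks for.
SAMPLE_INVENTORY = [
    {"id": "bucket-logs", "type": "object_store", "owner": "secops",
     "public": False, "encrypted": True},
    {"id": "bucket-marketing", "type": "object_store", "owner": None,
     "public": True, "encrypted": False},
    {"id": "sg-web", "type": "firewall_rule", "owner": "platform",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    {"id": "sg-bastion", "type": "firewall_rule", "owner": "platform",
     "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    {"id": "vol-db", "type": "block_volume", "owner": "data", "encrypted": False},
]

ADMIN_PORTS = {22, 3389}      # SSH and RDP; hypothetical baseline choice
ANY_IPV4 = "0.0.0.0/0"


@dataclass
class Finding:
    resource_id: str
    control: str
    detail: str


# Each check inspects one resource and returns a Finding or None.
def check_owner(r):
    if not r.get("owner"):
        return Finding(r["id"], "accountability", "no owner tag on resource")
    return None


def check_public_storage(r):
    if r.get("type") == "object_store" and r.get("public"):
        return Finding(r["id"], "public-access", "object store is world-readable")
    return None


def check_encryption(r):
    if r.get("type") in ("object_store", "block_volume") and not r.get("encrypted"):
        return Finding(r["id"], "encryption-at-rest", "data at rest is unencrypted")
    return None


def check_admin_ingress(r):
    if r.get("type") != "firewall_rule":
        return None
    for rule in r.get("ingress", []):
        if rule["port"] in ADMIN_PORTS and rule["cidr"] == ANY_IPV4:
            return Finding(r["id"], "admin-exposure",
                           f"port {rule['port']} open to the internet")
    return None


CHECKS = [check_owner, check_public_storage, check_encryption, check_admin_ingress]


def evaluate(inventory):
    """Run every check over every resource; return the list of findings."""
    return [f for r in inventory for f in (c(r) for c in CHECKS) if f]


def remediate(inventory, findings):
    """Apply the fixes that are safe to do mechanically and return
    (fixed_inventory, unresolved_findings). Closing public access and
    dropping an internet-wide admin rule are reversible and low-risk;
    re-encrypting a volume or assigning an owner needs a human, so those
    findings are handed back for a ticket."""
    fixed = copy.deepcopy(inventory)
    by_id = {r["id"]: r for r in fixed}
    unresolved = []
    for f in findings:
        r = by_id[f.resource_id]
        if f.control == "public-access":
            r["public"] = False
        elif f.control == "admin-exposure":
            r["ingress"] = [x for x in r["ingress"]
                            if not (x["port"] in ADMIN_PORTS and x["cidr"] == ANY_IPV4)]
        else:
            unresolved.append(f)
    return fixed, unresolved


if __name__ == "__main__":
    found = evaluate(SAMPLE_INVENTORY)
    fixed, todo = remediate(SAMPLE_INVENTORY, found)
    for f in found:
        print(f"{f.resource_id:18} {f.control:18} {f.detail}")
    print(f"{len(found)} findings, {len(found) - len(todo)} auto-fixed, {len(todo)} need a ticket")
    assert not [f for f in evaluate(fixed) if f.control in ("public-access", "admin-exposure")]
```

Scheduling this against a fresh inventory pull (or wiring it to the provider’s change-event stream) is what turns a one-off audit finding into the continuous monitoring the paragraph above calls for; the inventory itself is the asset register auditors will ask to see.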
Signs of success
How do you know your organization’s cloud security and compliance program is positioned for success? Besides getting a thumbs up from auditors, there are other ways to gauge your program’s effectiveness.
John Gukian suggests looking at a company’s onboarding process and how new staff are introduced to security policy. Is there a well-understood set of policies and procedures to guide the onboarding process? How is access control handled? What is taught during the initial training period regarding security? Are awareness and best practices emphasized in the daily routine from day one?
Speaking of training, are there continuous education programs to keep staff current on rapidly changing cloud threats and remediation tactics? Hopefully so, because in the final analysis, training can make the difference in driving high levels of security awareness.
Passing your compliance audit is the crowning act of affirmation that pleases stakeholders—feel free to take a deserved moment to jump in the air and fist bump your teammates. However, remember cloud compliance results from a program of well-documented policies and procedures built on a continuous pattern of disciplined habits and company-wide awareness.
Securing cloud environments today comes with unique challenges, and verifying compliance is an ongoing quest for organizations and external auditors. Securing your cloud environment starts with understanding all cloud services in your environment and the flow of data between various services and applications. You’ll also need to pay close attention to who gets access to that data and who is authorized to make changes to configurations. It is only then that your team can create the proper processes and controls to ensure safety and compliance in the cloud.
Compliant organizations have established, well-documented cyber programs modeled on appropriate risk management frameworks. Their leaders embed security into daily operations and continually reinforce it in the company culture with robust awareness training.
So, do you feel better prepared for your next cloud compliance audit? We hope so; at the very least, you know the steps secure and compliant organizations take to keep their data safe in the cloud, and that’s what we call a good start.