Some of the risks associated with cloud computing are new, but many of them are already found with any outsourced IT service. The risks can be divided into three general categories: policy and organizational risks, technical risks, and legal risks. Examples include: loss of compliance, business continuity, and data security.
Cloud services are outside the direct control of the customer organization, and their use places control of the IT service and infrastructure in the hands of the cloud service provider (CSP). A governance-based approach is needed that allows trust in the CSP to be assured indirectly through a combination of internal processes, standards and independent assessments.
The key to assuring trust is to understand business requirements – everything follows from these requirements. There is no absolute assurance level for a cloud service; it needs to be as secure and cost effective as dictated by the business needs – no more and no less.
First, classify data and applications, because some applications are more critical than others and some kinds of data are more sensitive. Then develop scenarios to understand the benefits and risks. Decide the appropriate response to these risks based on your enterprise’s risk appetite. Next, understand whether the certification and accreditations offered by the cloud provider actually support your needs. Finally, monitor the service provided using the agreed controls.
There is no shortage of advice on cloud computing; there are at least 35 different standards initiatives as well as frameworks, certifications and auditing standards. However, a December 2011 survey by ENISA of service level agreements (SLAs) across the EU public sector showed that while 60–70% of respondents had adopted standards like ISO 27001 and ITIL for internally produced IT services, only 22% required external IT providers to adhere to the same standards. The following summarizes some of the more useful sources of advice.
The ISACA document ‘IT Control Objectives for Cloud Computing’ Appendix A provides a mapping of the entire COBIT control objectives to cloud computing. Appendix B provides a detailed cloud computing management audit/assurance work program, which is obtainable online or as a printed publication. Use this to establish your organization’s readiness and match providers with your needs.
Independent certification by trusted third parties is also very useful; however, organizations should beware of self-certified accreditations. It is important to understand what these certifications actually cover.
SOC Reports
Auditing standard SSAE no. 16 (Statement on Standards for Attestation Engagements) is intended to satisfy the need for independent checking of service organizations. This is based on International Standard on Assurance Engagements no. 3402, Assurance Reports on Controls at a Service Organization.
A Service Organization Controls (SOC) report is based on the statement of the service that the organization claims to provide. It is not an assessment against best practice.
There are two types of reports (often referred to as SOC 1 and SOC 2 reports). A type 1 report provides the auditor’s opinion on whether or not the description of the service is fair and the controls are appropriate. A type 2 report is similar to a type 1, but it includes further information on whether or not the controls are actually working effectively.
An example of a cloud provider that offers such a report is Amazon Web Services.
WebTrust/SysTrust
Another kind of report is one based on established best practice criteria. Trust Services (including WebTrust and SysTrust) are a set of professional assurance and advisory services based on a common framework to address the risks and opportunities of IT. The Trust Services Principles and Criteria were established by the AICPA for use when providing attestation services on systems in the areas of: security, availability, processing integrity, privacy and confidentiality
An example of a cloud provider that offers such a report is SalesForce.com.
ISO/IEC 27001 Certification
ISO/IEC 27001:2005 is a well-established standard that provides a code of practice for information security management. The standard identifies 134 controls and provides detailed advice on this subject. Organizations can be independently certified to this standard, but note that certification is limited to the specified area within the organization. A complete list of organizations certified to ISO/IEC 27001:2005 is available online.
An example of cloud a provider offering ISO 27001 certification is Microsoft.
Choosing the Right Provider
Trust in the cloud depends upon an enterprise’s needs, the provider’s processes and independent auditing. Choose the right cloud service and delivery model based on business need and risk appetite.
There is no absolute assurance level for a cloud service – it needs to be as secure and cost effective as dictated by business requirements. Remember to monitor the controls and understand what independent certifications and audit reports mean. Finally, “Trust but verify.”
Mike Small is a member of the London Chapter of ISACA, a fellow of the BCS, and an analyst at KuppingerCole. Until 2009, Small worked for CA, where he developed CA’s identity and access management product strategy. He is a frequent speaker at IT security events around EMEA.