Many IA leaders are considering the responsibilities their organizations have for cloud security, said Grant Thornton Internal Audit Cybersecurity Partner Scott Peyton. “We’re hearing from many of our internal audit clients who are in the cloud and asking the question: ‘Where should we draw the line between our role and responsibilities and that of our cloud service provider?’”
How IA provides perspective on cloud security
IA plays a critical role in assessing and enhancing your cloud security by:
- Helping management understand cloud security architecture, with associated risks and challenges
- Identifying areas for improvement and communicating them to management and the board
- Supporting collaboration among the cloud service provider, IT, IS and leadership
IA also plays a vital role in bringing leading practices to a cloud security strategy, with a focus on the risk and control elements primarily driven by people, process and technology:
- Address risks from a lack of skilled cloud security experts
- Identify key dependencies on the cloud service provider and critical third-party providers
- Evaluate whether roles and responsibilities are clearly defined, ensuring that risks are collectively mitigated
- Evaluate alignment of cloud security against business goals and objectives
- Assess non-standard processes introduced through migration to the cloud
- Evaluate processes for risk mitigation as responsibilities transition from one business function to another
- Examine adoption of cloud controls, and how they impact risk and compliance efforts
- Address risks related to privileged access, data storage and security
- Evaluate risks arising from shared responsibilities with third-party service providers that deliver cloud services
“Given the number of internal and external players who have a role in cloud security, leaders must constantly emphasize the importance of shared responsibilities. While the cloud provider is responsible for security OF the cloud, the organization is responsible for security IN the cloud,” said Grant Thornton Internal Audit Cybersecurity Director Vikrant Rai.
Focus on these cloud security areas
When your organization has accepted its responsibility to ensure strong cloud security, it can move forward to develop a program that identifies key focus areas and an action plan to audit those functions. Concentrate on the most important areas, including:
- Cloud program governance: Policies, procedures, and risk-based planning and assessment for compliance with standards, regulations, and legal, contractual and statutory requirements
- Policies and procedures: Identification and assessment of how identity inventory, password policies, and other information is managed
- Application security: Secure application design and development, such as access code, logic and secure coding practices
- Data security: Data inventory, classification, storage, ownership and privacy
- Key management and encryption: Policies, procedures, roles and responsibilities, and encryption requirements on classified data
Management needs to ensure that the cloud security program is built into the overarching enterprise resiliency architecture. That means, regardless of environment, you need to ensure you are following the security controls and requirements that can help reduce the risk to your organization.
A strong cloud security audit program must develop a “cadence,” or a regular review cycle of cloud security, configuration and other factors. In addition to an annual audit, cloud security should be reviewed with each change in strategy or with the introduction of a new application. As the cloud strategy evolves and major applications are being moved to the cloud, it’s important to perform a pre-implementation review.
Awareness is critical. In a poll that was part of the Grant Thornton webcast “Internal audit’s role in establishing an effective cloud security program,” the largest share of respondents indicated that their organizations have not put effective cloud security into place and that security responsibilities are not fully understood.