Many consider Enrico Rastelli to be the greatest juggler ever — in his heyday, he could juggle six plates while bouncing a rubber ball on his forehead.
But a cloud security audit program can be more complex.
To construct and conduct a cloud security audit program, an Internal Audit (IA) team needs to understand and evaluate a company’s technology infrastructure. There are a lot of variables to handle at once, and each one can seem fragile. There are end users, new and varied software applications, cloud service providers that hold massive volumes of data, third-party vendors, a constantly changing digital environment, cybersecurity threats and more.
To keep all of these factors in flight, a cloud security IA program needs to identify the opportunities and challenges, develop a clear role for IA in the company’s cloud community, then use agile testing strategies to build and maintain a mature cloud security audit program.
Opportunities and challenges
“Our job as auditors is to understand the cloud environment from a cloud governance, operations and infrastructure perspective.”
“The cloud environment creates new and diverse risks. Our job as auditors is to understand the cloud environment from a cloud governance, operations and infrastructure perspective,” said Scott Peyton, Grant Thornton IA Cybersecurity Practice Partner. Cloud-based solutions can introduce challenges with data security, data mapping, roles and responsibilities, access limitations, and more.
In a recent Grant Thornton webinar on cloud security audits, a survey of more than 700 attendees indicated that data security and shared responsibility were the biggest challenges:
Fortunately, IA teams can start to address these challenges through cloud management solutions that also help improve cloud adoption, delivery, speed and security. These solutions can even incorporate advanced analytics, predictive models and artificial intelligence that help deliver a cohesive cloud security audit.
As organizations consider their larger digital transformation, these solutions can also help them integrate new technologies into the audit program. IA teams need to ensure the security and transparency of roles, capabilities and other factors as they integrate any new technology, solution or provider.
Role of IA in the cloud community
“The key thing is to get a handle on security posture, and put in a process that gives you control over how the overall security posture is managed and maintained in a continuously changing environment.”
IA has an ongoing role in helping organizations maintain strong cloud security posture management (CSPM) and data security posture management (DSPM). “The key thing is to get a handle on security posture, and put in a process that gives you control over how the overall security posture is managed and maintained in a continuously changing environment,” said Vikrant Rai, Grant Thornton IA Cybersecurity Managing Director. To achieve this comprehensive view of the security posture, IA needs to have visibility of the cloud strategy, architecture and operating environment, along with controls to evaluate it.
A cloud security audit needs to take a holistic approach to evaluate cloud infrastructure as well as the content (the data in the cloud environment). While a CSPM audit provides insight into how infrastructure services are configured and operationalized in a cloud environment, a DSPM audit provides insight into how data is organized and protected in the cloud environment — and whether the current controls are sufficiently protecting data in the cloud. Together, they help IA fulfill its role of maintaining a strong security posture that reduces vulnerabilities and drives compliance with standards and regulations.
Cloud audit program maturity
Armed with information about an organization’s cloud infrastructure and data, the IA team can start developing a mature cloud security audit program. The program needs to focus on security-by-design, to help maintain secure business operations amid the changes that can arise in identity and access management, application and data security, network security and other factors.
“You're not going to be able to do everything in the first phase, so you could think about it as a multi-year roadmap. You need to hand-pick those control areas that are most applicable and most relevant.”
“You're not going to be able to do everything in the first phase, so you could think about it as a multi-year roadmap,” said Grant Thornton IA Cybersecurity Practice Director Brook Buchanan. “You need to hand-pick those control areas that are most applicable and most relevant.”
To develop the roadmap, IA ultimately needs to meet six objectives:
- Define a cloud security program governance and operating model.
- Identify business processes and review the business application cloud migration strategy.
- Review the cloud security control environment, evaluate the current-state security control posture and identify the target state.
- Audit technical controls through a CSPM and DSPM.
- Perform testing, identify control gaps, prioritize issues and remediate findings through a risk mitigation strategy.
- Monitor and report on security, assign accountability, re-evaluate the cloud security posture and perform an assurance review to ensure sustainability.
The IA team needs to define, identify, review, audit, perform and monitor the many variables in the cloud environment. The roadmap will help IA see potential security challenges, along with the opportunities to strengthen and improve the organization’s security posture.
Juggling in the cloud
“It's increasingly important to understand the intended business flow of data through your organization, including who should have access,” said Buchanan. Your organization’s environment has many players, and many moving parts. Even an experienced IA team might start to feel like it’s a lot to manage.
That’s why an effective cloud security IA program needs to stay ahead of the changes — so it can be ready to catch the next issue in flight. It’s a matter of monitoring and guiding the various controls and influences in the cloud while simultaneously anticipating complications. With this approach, your cloud security IA program can help ensure you identify potential risks before they can take hold in your organization.
Our cybersecurity and privacy insights
No Results Found. Please search again using different keywords and/or filters.
Share with your network
Share