If you want to audit the use of cloud services and establish good risk management and governance, it's not sufficient to just look at security and privacy.
That was the message delivered at EuroCACS yesterday by Matthias Kraft, a senior manager in internal audit at a major financial services company and also international committee member of ISACA's young professionals advisory committee.
In an interview following his presentation, Kraft told SCMagazineUK.com: “While security is a big part-and-parcel [issue for cloud uptake], there's much more to cover. Fortunately there's already a lot of things out there that people can leverage [in terms of standards and certifications] to make the cloud journey successful.”
With companies placing more and more of their business and their trust in the cloud, it's important for them to understand fully the risks that they are facing.
The coffee chain Starbucks suffered a major outage due to a cloud computing failure in 2015 that prevented sales registers in 8,000 stores from working. Luckily for the company, it happened on a Friday night when demand was low, so it chose to close the stores early so that it could deal with the problem offline.
When looking at cloud services, bear these issues in mind, he said:
* Understand the cloud-scope characteristics, service and deployment models as well as any border issues.
* Be clear on what you are trying to achieve (e.g., who is your customer and what are the expectations).
* Work out your legal, regulatory and compliance requirements.
* Try sticking to standards and best practice.
Kraft gave the audience a list of his top 10 issues to address when setting up and managing cloud computing services:
1. Unknown risk profile
2. Data loss and leakage
3. Insecure networks, interfaces and APIs
4. Identity management
5. Unknown third parties
6. Lack of compliance
9. Vendor lock-in and viability
10. Shared resources
Many of these issues can be addressed with what he calls the five pillars of cloud computing.
The first one is the organisational pillar. Organisations should have a clear view of what they want from the cloud, and when starting any new projects, it's worth asking if there is an existing cloud service which they can adopt without having to develop it in house.
The second one is technology. If you want to adopt new technology, though, you need to ensure that it is compatible with the legacy systems that already exist within your organisation. “Identity and access management, processes and frameworks can be quite a challenge in really doing something different,” he told the audience.
The third pillar is security and data privacy. In Kraft's home country, Germany, he said there is a list of 19 countries that are considered safe to work with when processing data, but your analysis of the risk factors should go beyond that to include such issues as data segregation – make sure you get assurances from your service provider on how they are going to keep your data separate from that of their other customers.
Legal, governance, compliance and audit are the fourth pillar. Be certain as to where the data is being stored and who within your organisation is responsible for governance. And with your service provider, know what your escalation and response mechanisms are – these need to be underpinned by SLAs.
When it comes to privacy, consult with lawyers who are local to where you are collecting and storing data to ensure you understand the issues.
And the fifth pillar is services. Again, Kraft couldn't overemphasise the importance of SLAs to measure service effectiveness. Do your due diligence on the company, as well – bankruptcy of your service provider could result in total loss of your data.
He told SC that accessing your data in the cloud can be a complex picture. As well as ensuring access to the service provider's servers (in case of bankruptcy), he mentioned encryption.
“It's a key control to encrypt data when it goes into the cloud but it's not always compatible with what the organisation wants,” he said.
He recommended using a combination of in-house ‘cloud’ and off-premises solutions. “It is a healthy approach to have a mixed approach. What you have in house you have more control over, so you might decide especially if it's strictly confidential and classified data to keep it in house and you get just better controls,” he told SC.
This could involve running your own servers or contracting the provision of in-house servers to your cloud service provider. “You could run it yourself but you would probably miss some of the key criteria around the on-demand service,” he said.