Five Major Auditing Challenges in Cloud Computing and How to Overcome Them

This article originally appeared on the ISACA Blog.

While cloud computing provides a long list of benefits, it is not without challenges. Having previously discussed cloud computing essentials, in this article, we’ll focus on how to tackle key auditing challenges. 

According to Flexera’s 2022 State of the Cloud Report, the need for security is the top cloud-related challenge.  In fact, in ten of the eleven past State of the Cloud reports, security was the number one challenge identified by those surveyed. Why does cloud security present such a challenge? 

Security and Threats in the Cloud Environment 

Life before the cloud limited access to certain devices and networks, incorporated defensive layers to protect internal applications and data, and relied on a known and manageable security perimeter to prevent unauthorized access. Life in the cloud is less controlled. In theory, any user with any device can access the cloud, so it may not be as easy to control access to data.  A clearly defined security perimeter may no longer exist, and there are limited tools and visibility detailing how users interact with cloud-based data when managed by a third-party vendor.

Consequently, the threats in the cloud differ from those in the traditional IT environment. Instead of infecting devices, attackers infect users to steal their login credentials and gain access to cloud computing platforms. With traditional IT, security professionals monitor local network backdoors for unauthorized access. In the cloud, there’s a need to monitor cloud application backdoors that are less controlled and less visible to your IT team. 

Auditing the Cloud: Top Five Challenges 

So, with an understanding of how the cloud differs from traditional IT and an appreciation of the threat landscape, what are the top auditing challenges facing organizations?

1. Can you identify cloud usage? Is your IT team able to determine which cloud solutions are currently in use? Is there a process to authorize the use of additional cloud computing platforms? Identifying the use of cloud computing is important in understanding the cloud computing risks that are relevant to your environment to ensure appropriate controls are in place and operating effectively to mitigate against those risks. 
2. How do you control and monitor user access? What type of information do users access, store, and transmit in the cloud? What checks and balances do you use to manage the type of information users can access? Do you manage each user’s role and permissions according to their job function? Provisioning access using the concept of least privilege is just as important in the cloud as in a traditional IT environment to ensure segregation of duties still exists. 
3. Do you control the security of access devices? Do you allow employees to use their own devices to access cloud computing platforms? For personal and company-issued devices, what security is in place to limit the risk of an attack?
4. Do you have a right to audit? Do your contracts with cloud providers include a right to audit clause? The larger the cloud computing provider, the less likely they will allow the inclusion of such a clause, so it’s important to understand your rights and to request access to the cloud provider’s System and Organization Controls (SOC) reports to confirm appropriate controls are in place and operating effectively to ensure your data is secured.
5. Is your audit team equipped to audit the cloud? To audit and oversee the cloud, your audit team must possess the appropriate skills and expertise. The Cloud Security Alliance and ISACA developed a Certificate in Cloud Auditing program, which includes a risk-based approach to cloud migration and auditing strategies.

To ensure your organization selects secure cloud platforms, your internal audit department should be involved in the procurement, design, and adoption of a cloud solution. Consider using the Cloud Security Alliance Controls Matrix and the Consensus Assessments Initiative Questionnaire (CAIQ) as resources to identify appropriate risks and controls related to your cloud computing environment. Using connected risk software to manage the controls needed to mitigate against cloud-related risk is a prudent investment that can provide peace of mind. 

Cloud computing is a critical resource for most organizations, and while it inserts a degree of risk, there’s much that your internal audit team can do to limit your exposure. By addressing the audit challenges described in this article, your organization will be able to embrace the cloud without accepting excessive risk.