November 2012

Cloud Computing: What’s the Hype About?

By knowing the risks and applying audit principles, internal auditors can help their organization make the most of cloud services.

Shannon Buckley

Lately the term “cloud” has been reinterpreted as the silver bullet for all IT problems and issues. The exact value cloud computing can provide for a business has been lost in much of the hype, and what services it truly can offer has varied from vendor to vendor. From an audit perspective, though, the risks posed by this new type of technology service are not very different from what internal auditors have encountered in the past.


The U.S. National Institute of Standards and Technology (NIST) defines cloud computing as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” NIST Special Publication 800-145 describes five essential characteristics of this model:

  • On-demand self-service. The business can choose the required computing capability at any time of the day to suit its individual requirements, with little human interaction with the service provider.
  • Broad network access. Access to a business’ systems and data can be completed over the network using any device, including tablets and laptops.
  • Resource pooling. The provider is able to pool computing resources and allocate them as appropriate to all tenants. Location of the hardware and resources becomes irrelevant to the tenants.
  • Rapid elasticity. Computing resources can be released to suit a business’ demands.
  • Measured service. Quality of service can be obtained to suit the customer’s requirements.

NIST also describes three types of cloud service models:

  • Software as a Service (SaaS). The vendor is able to provide applications that are run “in the cloud” but are accessible from any device. Applications such as email and word processing packages are stored in the cloud and accessed by users through a browser. People with Web email accounts like Gmail or Hotmail are using the SaaS model.
  • Platform as a Service (PaaS). A business is able to deploy specific applications that are hosted on a hardware platform. The business does not concern itself with infrastructure. This concept is essentially an extension of a long-standing business practice of outsourcing development or hosting capabilities to service providers.
  • Infrastructure as a Service (IaaS). The business runs its own applications on the vendor’s infrastructure. An analogy is renting a car to drive oneself to a destination, making stops when necessary.

NIST further describes how these service models can be distributed:

  • Private cloud. An organization provisions infrastructure for its exclusive use. The maintenance of the infrastructure may be completed in-house, managed externally, or a combination of both. The infrastructure may reside on the organization’s premises or in another location.
  • Community cloud. The infrastructure is used exclusively by a group of like-minded organizations that have similar requirements. The infrastructure may be maintained by one organization, a combination of organizations within the community, or a third party, and may reside in-house or in an external location.
  • Public cloud. Infrastructure is used by the general public. It may be owned and operated by an entity such as a university or government organization.
  • Hybrid cloud. An organization’s infrastructure “lives” in a combination of private, community, or public models.


The recent Cloud Computing Market Maturity study conducted by the Cloud Security Alliance, a service-provider industry group, and the IT professional association ISACA identified 10 issues in which cloud users in 50 countries lack confidence regarding cloud services (ranked from least confident to most confident):

  1. Government regulations keeping pace with the market.
  2. Exit strategies.
  3. International data privacy.
  4. Legal issues.
  5. Contract lock-in.
  6. Data ownership and custodian responsibilities.
  7. Longevity of suppliers.
  8. Integration of cloud and internal systems.
  9. Credibility of suppliers.
  10. Testing and assurance.

The survey highlighted that the “cloud market has not yet reached a level of maturity that will support the scenario (significant opportunities ... to innovate in ways that could disrupt established ways of providing and using information technology).” Respondents consider the SaaS model to be in its early stages of market growth, while PaaS and IaaS are in their infancy.

Cloud Guidance

ISACA, Security Considerations for Cloud Computing. Free PDF download for members; US $75 for others.

ISACA, Cloud Computing: Business Benefits With Security, Governance, and Assurance Perspectives.

NIST Special Publication 800-145, The NIST Definition of Cloud Computing (PDF), by Peter Mell and Timothy Grance.

So what does the cloud mean for internal audit? Cloud computing is here to stay, and auditors need to be prepared to handle this change in business. There is much internal auditors can do to help their organization determine whether to adopt the cloud model.

A good place for auditors to start is conducting a detailed feasibility analysis that considers a variety of factors that can raise or lower risks to cloud operations. The ISACA publication, Security Considerations for Cloud Computing, outlines key risk factors posed by the various service and distribution models. The publication notes that risk to SaaS initiatives may be increased due to factors such as data ownership and disposal and identity access management, while factors such as improved security and application patch management can decrease risk. Likewise, application mapping and disposal can increase PaaS risk, but a short application development time can decrease risk. Risk to IaaS operations can be increased by legal requirements and poor visibility into security measures but may be decreased by factors such as scalability and disaster recovery capability.

On the deployment side, the ISACA publication points out that application compatibility is a factor that can increase risk for private cloud services, but the ability to build those services on an organization’s own premises can decrease risk. Using shared resources can increase risk for both community and public cloud services.

The risk assessment analysis of an organization’s potential move to the cloud should include experts from various fields including IT, legal, marketing, and finance. As part of the risk assessment, auditors also need to consider additional factors such as which service provider is the most appropriate.


Cloud computing appears to be here for the long term. As such, internal auditors need to increase their knowledge of what the cloud can do for their organization while ensuring they don’t get caught up in the hype and forget to apply the audit basics to these new services.

Shannon Buckley, CIA, CPA, CISA, CGEIT, is a senior auditor with Bupa International Markets in Sydenham, Victoria, Australia.
