Cloud Computing: What’s the Hype About?
By knowing the risks and applying audit principles, internal auditors can help their organization make the most of cloud services.
Lately the term “cloud” has been reinterpreted as the silver bullet for all IT problems and issues. The exact value cloud computing can provide for a business has been lost in much of the hype, and what services it truly can offer has varied from vendor to vendor. From an audit perspective, though, the risks posed by this new type of technology service are not very different from what internal auditors have encountered in the past.
The U.S. National Institute of Standards and Technology (NIST) defines cloud computing as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” NIST Special Publication 800-145 describes five essential characteristics of this model:
- On-demand self-service: consumers provision computing capabilities, such as server time and storage, as needed, without requiring human interaction with the provider.
- Broad network access: capabilities are available over the network through standard mechanisms usable from a range of client platforms.
- Resource pooling: the provider’s resources serve multiple consumers in a multi-tenant model, with physical and virtual resources assigned and reassigned according to demand.
- Rapid elasticity: capacity can be scaled out and in quickly, in some cases automatically, so that it appears unlimited to the consumer.
- Measured service: resource use is metered, monitored and reported, providing transparency for both provider and consumer.
NIST also describes three types of cloud service models:
- Software as a Service (SaaS): the consumer uses the provider’s applications running on a cloud infrastructure and manages neither the underlying infrastructure nor the application itself, beyond limited user-specific configuration settings.
- Platform as a Service (PaaS): the consumer deploys its own or acquired applications onto the provider’s platform and controls those applications, but not the underlying infrastructure.
- Infrastructure as a Service (IaaS): the consumer provisions processing, storage, networks and other fundamental computing resources, and controls the operating systems, storage and deployed applications, but not the underlying physical infrastructure.
NIST further describes four deployment models through which these service models can be distributed:
- Private cloud: infrastructure provisioned for exclusive use by a single organization; it may be owned, managed and operated by the organization, a third party or some combination, and may exist on or off premises.
- Community cloud: infrastructure provisioned for exclusive use by a specific community of organizations with shared concerns (e.g., mission, security requirements, policy or compliance considerations).
- Public cloud: infrastructure provisioned for open use by the general public, existing on the premises of the cloud provider.
- Hybrid cloud: a composition of two or more distinct cloud infrastructures (private, community or public) that remain unique entities but are bound together by technology that enables data and application portability.
RISKS IN THE FORECAST
The recent Cloud Computing Market Maturity study, conducted by the Cloud Security Alliance, a service-provider industry group, and the IT professional association ISACA, identified 10 areas in which cloud users across 50 countries lack confidence in cloud services (ranked from least to most confident):
The survey highlighted that the “cloud market has not yet reached a level of maturity that will support the scenario (significant opportunities ... to innovate in ways that could disrupt established ways of providing and using information technology).” Respondents consider the SaaS model to be in its early stages of market growth, while PaaS and IaaS are in their infancy.
ISACA, Security Considerations for Cloud Computing. Free PDF download for members; US $75 for others.
NIST Special Publication 800-145, The NIST Definition of Cloud Computing (PDF), by Peter Mell and Timothy Grance.
So what does the cloud mean for internal audit? Cloud computing is here to stay, and auditors need to be prepared to handle this change in business. There is much internal auditors can do to help their organization determine whether to adopt the cloud model.
A good place for auditors to start is a detailed feasibility analysis that considers the factors that can raise or lower the risk of cloud operations. The ISACA publication, Security Considerations for Cloud Computing, outlines the key risk factors posed by the various service and deployment models. The publication notes that risk to SaaS initiatives may be increased by factors such as data ownership and disposal and identity and access management, while factors such as improved security and application patch management can decrease risk. Likewise, application mapping and disposal can increase PaaS risk, but a short application development time can decrease it. Risk to IaaS operations can be increased by legal requirements and poor visibility into the provider’s security measures, but may be decreased by factors such as scalability and disaster recovery capability.
On the deployment side, the ISACA publication points out that application compatibility is a factor that can increase risk for private cloud services, but the ability to build those services on an organization’s own premises can decrease risk. Using shared resources can increase risk for both community and public cloud services.
The risk assessment analysis of an organization’s potential move to the cloud should include experts from various fields including IT, legal, marketing, and finance. As part of the risk assessment, auditors also need to consider additional factors such as which service provider is the most appropriate.
SEE BEYOND THE HYPE
Cloud computing appears to be around for the long term. As such, internal auditors need to increase their knowledge about what the cloud can do for their organization while ensuring they don’t get caught up in the hype and forget to apply the audit basics to these new services.
Shannon Buckley, CIA, CPA, CISA, CGEIT, is a senior auditor with Bupa International Markets in Sydenham, Victoria, Australia.