Using a cloud service means moving from a “hands on” management model to one of indirect governance. But how can an organisation use an indirect governance to assure trust in the service provided?
Some of the risks associated with cloud computing are new, but many are already found with any outsourced IT service. The risks can be divided into three general categories: policy and organisational risks, technical risks, and legal risks. Examples of these risks include loss of compliance; business continuity (the recently reported outages of major cloud services show that 100% availability may not be guaranteed); and data security.
Cloud services are outside the direct control of the customer organisation, and their use places control of the IT service and infrastructure in the hands of the cloud service provider (CSP). A governance-based approach is needed that allows trust in the CSP to be assured indirectly through a combination of internal processes, standards and independent assessments.
Here are some practical tips on how to assure cloud services:
Adopt a good governance approach: this is fundamental to assuring cloud services. The cloud offers an alternative way of obtaining IT services and, for most organisations, will form just part of the overall IT service infrastructure. IT governance provides a way to manage, secure, integrate, orchestrate and assure services from diverse sources, including the cloud, in a consistent and effective way.
Adopt the best practices that are relevant to your organisation, from one or more of the frameworks or industry standards that are available. COBIT 5 is an excellent example: it represents the combined knowledge and experience of the best brains in the industry. However, be selective. Not everything will apply to your organisation.
Benefit from the advice available: there is no shortage of advice on cloud computing. There are at least 35 different standards initiatives, as well as frameworks, certifications and auditing standards. However, a survey by ENISA of SLAs across the EU public sector in Dec 2011 showed that, while 60-70% of respondents had adopted standards like ISO27001 and ITIL for internally produced IT services, only 22% required external IT providers to adhere to the same standards. Here is a list of some of the most useful sources:
- ISACA IT Control Objectives for Cloud Computing
- ISO/IEC 27001-27005
- AICPA/CICA Trust Services (SysTrust and WebTrust)
- Cloud Security Alliance Controls Matrix
- BITS Shared Assessment Program
- Jericho Forum® Self-Assessment Scheme (SAS)
- CSA Shared Assessments
- ENISA Procure Secure
- German BSI Security Recommendations for Cloud Computing Providers
- NIST Cloud Computing Synopsis and recommendations
Whatever standards you choose, select CSPs that conform to these standards.
Make sure your organisation is ready for the cloud. Appendix A of the ISACA document IT Control Objectives for Cloud Computing provides a mapping of the entire set of COBIT control objectives to cloud computing. Appendix B provides a detailed cloud computing management audit/assurance work program, which is obtainable online or as a printed publication. Use this to establish your organisation's readiness and the providers that match your needs.
Understand the business requirements for the cloud service, since the assurance requirements follow directly from them. There is no absolute assurance level for a cloud service: it needs to be as secure and cost-effective as the business needs dictate, no more and no less.
Create a standard process for selecting cloud providers: this should enable a fast, simple, reliable, standardised, risk-oriented and comprehensive selection of cloud services. Without this, there will be a temptation for lines of business to acquire cloud services directly, without fully considering the needs for assurance.
Classify data and applications: in terms of their sensitivity and regulatory requirement needs. This helps the procurement process by setting many of the major parameters for the cloud service and the needs for monitoring and assurance in advance.
Develop scenarios to understand the risks. Use this information to determine the requirements for controls based on your enterprise’s risk appetite.
Agree the key service parameters: understand and agree with the CSP the key service parameters that you require to be assured. Make sure you also understand what your own responsibilities are. These service parameters should be traceable back to the business needs, so that measured performance can be related back to those needs.
Look for regular independent certification that these service parameters are being met. Typically, external audits are performed once or twice per annum, so while they are important, they only provide snapshots of the service. It is important to understand what these certifications actually cover. Here is a summary of some common ones:
- SOC Reports: these are based on International Standard on Assurance Engagements no. 3402, Assurance Reports on Controls at a Service Organisation. There are two types of reports (often referred to as SOC 1 and SOC 2 reports). A type 1 report provides the auditor's opinion on whether or not the description of the service is fair and whether or not the controls are appropriate. A type 2 report is similar to a type 1 report but includes further information on whether or not the controls were actually working effectively.
- WebTrust/SysTrust: Trust Services (including WebTrust® and SysTrust®) are a set of professional assurance and advisory services based on a common framework to address the risks and opportunities of IT. The Trust Services Principles and Criteria were established by the AICPA for use when providing attestation services on systems in the areas of security, availability, processing integrity, privacy and confidentiality.
- ISO/IEC 27001 Certification: ISO/IEC 27001:2005 is a well-established standard that provides a code of practice for information security management. The standard identifies 134 controls and provides detailed advice on this subject. Organisations can be independently certified to this standard, but note that certification is limited to the specified scope within the organisation.
Require regular access to performance data from the CSP that allows you to monitor the service parameters. This is needed to provide continuous assurance of the cloud service, filling the gaps between periodic audits.
Trust but verify: remember that there is no absolute standard for cloud services. Focus on meeting your business needs in a cost-effective manner within your organisation's appetite for risk. You need to trust the CSP, but be sure to verify that trust.
Mike Small is a member of the London Chapter of ISACA, a fellow of the BCS, and an analyst at KuppingerCole.