The world is moving from onsite to offsite computing and storage, which is commonly known as cloud computing. The question arises: ‘What is cloud?’ Cloud is just a metaphor for the internet.
In a survey conducted by GT (Grand Thornton LLP, 2014), 43% of Chief Audit Executives (CAEs) responded that they haven’t really given much thought to risk and control implications in a cloud environment.
In the simplest terms, cloud computing means storing and accessing data and programs over the internet, rather than storing it onsite in your own data center.
The table below shows key difference between onsite and offsite computing
Benefits of cloud computing include :
- ‘Pay as you use’, as it can be relatively easy scale up or down capability for your work requirements.
- Services are provided over the internet, therefore are accessible anywhere and anytime.
- Additional capacity and functionality can be acquired as required.
- Company capital can be saved on ICT infrastructure, as this is provided by the cloud service provider.
CAE Survey on Cloud Computing
In a recent Grant Thornton survey, more than 300 CAEs responded on cloud computing, with the key statistics being:
- 77% are at least somewhat familiar with cloud computing.
- 64% of respondents do not include cloud computing in their internal audit plan.
- When asked to describe their view of risk and control implications in moving to a cloud environment, 43% responded: “I haven’t really given it much thought”.
Cloud Computing models
- Software as a Service (SaaS) – Software applications delivered over the internet.
- Platform as a Service (PaaS) – Full or partial operating system and development environment delivered over the internet.
- Infrastructure as a Service (IaaS) – Computer infrastructure delivered over the internet.
- Business Process as a Service (BPasS) – A form of business process outsourcing that employs a cloud computing service model.
Cloud computing is growing, as the following graph shows:
KEY CLOUD COMPUTING RISKS
• Service provider data security standards may not match company requirements.
• System updates may not be timely.
• Security vulnerability assessments or penetration tests may not be regularly performed.
• Company data may be accessed by third-parties.
• There may be inadequate encryption to assure data is properly segregated at rest and during transit.
• Company data on shared server space may lead to regulatory non-compliance.
3. Data Location
• The company may be unaware of the physical or virtual data storage location.
• Service provider may change the location without informing the company.
• Company data may be stored in international locations that fall under foreign business or national laws and regulations.
4. Service Outage
• Service provider quality standards may not be in line with company requirements.
• Cloud system performance issues may lead to company services being inaccessible to employees or customers.
• The service provider may go out of business.
• The company may not be able to retrieve data, or a third-party may gain access to company data.
• The service provider may not be able to scale to meet the company’s growth requirements.
There are a considerable number of risks to be considered with cloud computing.
• Use your own contract and not the service provider contract.
• The contract with the service provider needs to include conditions that cover these risks.
• Insist on receiving the service provider risk assessments.
• Include penalties in the contract for service provider outages, non-delivery and under-performance.
• Require the service provider to meet your data security and other requirements.
• Determine whether service provider security posture is based on appropriate standards such ISO, PCI DSS (Risk Assessment Special Interest Group (SIG) and PCI Security Standards Council, 2012), etc, and the service provider performs regular security assessments.
• Determine the service provider Service Organization Control (SOC) (AICPA, n.d.) report addresses your company’s control requirements.
• Review the service provider methodology used to access data.
• Insist on a copy of the service provider business continuity arrangements, and reports from tests performed.
• Make sure the company business continuity plan is up-to-date and regularly tested.
AICPA, n.d. System and Organization Controls: SOC Suite of Services.
Available at: https://www.aicpa.org/interestareas/
[Accessed 22 02 2018].
Grand Thornton LLP, 2014. Risk & Rewards: Social Media and the
Available at: http://agabaltimore.org/wp-content/uploads/2015/09/
[Accessed 22 02 2018].
Risk Assessment Special Interest Group (SIG) and PCI Security
Standards Council, 2012. Information Supplement: PCI DSS Risk
Assessment Guidelines. [Online]
Available at: https://www.pcisecuritystandards.org/documents/PCI_
[Accessed 22 02 2018].