Auditing Cloud Environment and Provider

  • Audits are broken into 2 categories:
    • Internal audits
      • conducted by internal staff
      • intent:
        • ensuring ongoing operational integrity
        • identifying improvements
        • validating against industry standards
    • External audits
      • conducted by third-parties
      • rely on industry-standard practices or defined audit targets
  • Audits cover:
    • organizational administrative practices and procedures
    • risk assessment and management
    • monitoring and alerting capabilities
    • logical and physical security controls
    • security and systems operations
    • patch management
    • security awareness and general communications
    • change management
  • Cloud providers publicly publish their own audit results
    • Service Organization Control (SOC) 2, Type 2 audits
  • good practice to ask any third-party vendor for its audit information
    • understand the basics of a SOC report so the results can be interpreted

Adapting Processes for the Cloud

  • lack of direct access to hardware, shared services, and other limitations restrict what can be audited directly
    • so either accept the restrictions or identify other ways to meet the audit objectives

Assurance Challenges in Virtualized Environment and the Cloud

  • Assurance
    • the ability to assert that a system, process, procedure, or data is as it is intended to be
    • difficult in the cloud
    • the ephemeral nature of cloud systems means many auditable artifacts may not exist in a durable, verifiable way
      • systems spin up, scale, then destroy
    • Software or code-defined infra can be audited at the code level
    • log info can be captured to analyze ephemeral systems
  • containerization and virtualization need to be part of audit plans
  • infra design should support creation of a verifiable audit trail
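Added example (not part of the original notes): the two assurance techniques above, auditing code-defined infrastructure at the code level and using captured log events to reason about systems that no longer exist, shown as a small Python audit script. The IaC document schema, the log event names, the sample data and the 365-day retention requirement are all constructed for illustration and do not correspond to any particular provider's format.

```python
"""Audit evidence for ephemeral cloud systems (constructed example).

Two checks that stand in for artifacts an auditor cannot collect from the
hardware directly:
  1. audit_iac(): inspect an infrastructure-as-code definition for a
     durable log sink and a retention period that covers the audit window.
  2. reconstruct_lifecycles() / unverifiable_instances(): rebuild each
     ephemeral instance's lifecycle from captured log events and flag any
     instance that was destroyed before shipping any durable evidence.
All schemas and sample data are constructed for this example.
"""
import json
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

MIN_RETENTION_DAYS = 365  # constructed audit requirement, not a standard's value

# Constructed IaC definition (hypothetical schema, not any real tool's format)
IAC_DEFINITION = {
    "resources": [
        {"type": "compute_group", "name": "web", "log_sink": "central-logs"},
        {"type": "compute_group", "name": "batch", "log_sink": None},
        {"type": "log_bucket", "name": "central-logs", "retention_days": 90},
    ]
}

# Constructed audit log: one JSON event per line, deliberately not in time order
LOG_LINES = """
{"ts": "2024-03-01T10:00:00", "event": "instance.launch", "instance": "i-001", "group": "web"}
{"ts": "2024-03-01T10:05:00", "event": "log.shipped", "instance": "i-001", "sink": "central-logs"}
{"ts": "2024-03-01T10:00:30", "event": "instance.launch", "instance": "i-002", "group": "batch"}
{"ts": "2024-03-01T10:20:00", "event": "instance.terminate", "instance": "i-002"}
{"ts": "2024-03-01T11:00:00", "event": "instance.terminate", "instance": "i-001"}
{"ts": "2024-03-01T11:30:00", "event": "instance.launch", "instance": "i-003", "group": "web"}
""".strip()


def audit_iac(definition: dict) -> List[str]:
    """Code-level audit: every compute group must ship logs to a defined sink
    whose retention covers the audit window. Returns human-readable findings."""
    findings = []
    buckets = {r["name"]: r for r in definition["resources"] if r["type"] == "log_bucket"}
    for res in definition["resources"]:
        if res["type"] != "compute_group":
            continue
        sink = res.get("log_sink")
        if sink is None:
            findings.append(f"{res['name']}: no log sink declared")
        elif sink not in buckets:
            findings.append(f"{res['name']}: log sink '{sink}' is not defined")
        elif buckets[sink]["retention_days"] < MIN_RETENTION_DAYS:
            findings.append(
                f"{res['name']}: sink '{sink}' retains {buckets[sink]['retention_days']}d "
                f"(< {MIN_RETENTION_DAYS}d required)")
    return findings


@dataclass
class Lifecycle:
    group: str = ""
    launched: Optional[datetime] = None
    terminated: Optional[datetime] = None
    evidence: List[datetime] = field(default_factory=list)  # log.shipped timestamps


def reconstruct_lifecycles(log_text: str) -> Dict[str, Lifecycle]:
    """Rebuild per-instance lifecycles from captured events; order-independent,
    so out-of-order delivery from a log pipeline does not change the result."""
    cycles: Dict[str, Lifecycle] = {}
    for line in log_text.splitlines():
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        lc = cycles.setdefault(ev["instance"], Lifecycle())
        if ev["event"] == "instance.launch":
            lc.launched, lc.group = ts, ev["group"]
        elif ev["event"] == "instance.terminate":
            lc.terminated = ts
        elif ev["event"] == "log.shipped":
            lc.evidence.append(ts)
    return cycles


def unverifiable_instances(cycles: Dict[str, Lifecycle]) -> List[str]:
    """Instances already destroyed that shipped no log evidence before
    termination: nothing durable remains for an auditor to verify."""
    bad = [inst for inst, lc in cycles.items()
           if lc.terminated is not None
           and not any(t <= lc.terminated for t in lc.evidence)]
    return sorted(bad)


if __name__ == "__main__":
    for finding in audit_iac(IAC_DEFINITION):
        print("IaC finding:", finding)
    print("Unverifiable instances:", unverifiable_instances(reconstruct_lifecycles(LOG_LINES)))
```

On the sample data the IaC check reports the `batch` group for having no log sink and the `web` group because its sink's retention is shorter than the required window, and the lifecycle check reports `i-002`, which was launched and terminated without ever shipping a log event. Running such checks in the pipeline that applies the infrastructure code is one way to make the audit trail the notes call for verifiable even though the instances themselves are gone.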

Planning for Cloud Audits

  • Starts at the infrastructure design phase
  • parameters of audit engagement are negotiated prior to start of audit
  • limitations are placed on which locations, artifacts, systems, and business processes will be part of the audit
    • scope of the audit
    • determines impact, price, and usefulness of results
  • cloud audits require additional scope attention
    • port scanning may be prohibited
    • some data may not be available in cloud environments
    • assessment of the underlying hardware is not possible
  • Many cloud providers have:
    • audit info for common standards
      • PCI DSS
      • SOC audits
    • agreements required for compliance
      • business associate agreements (BAAs)
      • nondisclosure agreements (NDAs)