The Dangers of Remote Cloud Audits

A major area of risk that we’ve recognized is remote cloud audits. We hear many organizations indicate that because they are a cloud-based organization, they do not want or need onsite assessments, but we want to help them avoid this attitude. Let’s be clear: it’s completely inaccurate to say that everything is in the cloud. Why? Let’s find out.

Why You Need Onsite Assessments

Human error is often the weakest link in a security system, and the same is true for cloud environments. How did your data get into the cloud? Think of all the ways that an employee, user, or vendor interacts with your cloud – someone has to put data in the cloud, someone manages it, and someone accesses it. Each of these touchpoints is an opportunity for an insecure process, but remote cloud audits won’t be able to catch those vulnerabilities. An auditor needs to see how employees complete a secure process. They need to visit your office location and examine your heating and cooling systems, your power regulation, your physical security controls. They need to interview your employees who manage vendor compliance to verify that vendor processes are secure.

If you’ve partnered with KirkpatrickPrice on an audit before, you know that we try to eliminate as much intrusive and expensive onsite time as possible; with our Online Audit Manager, clients typically complete 80% of the audit before an onsite visit. Even with that goal in mind, we still believe that onsite assessments are necessary for a quality audit. Onsite assessments are for the review and testing of controls that cannot be tested remotely, and this purpose stands true for audits of cloud environments. Remote cloud audits will not be as thorough or accurate as ones that include onsite assessments.

It’s vital for auditors to examine your people, processes, and technologies, and it’s impossible for all of that to exist in the cloud. Onsite assessments help auditors understand the culture, physical security, and day-to-day processes of the organization being assessed.

What are the Requirements?

Need some evidence to convince you of the need for onsite assessments? From the SOC 2 perspective, the system being audited is composed of people, processes, applications, infrastructure, and data. One could argue that the applications and maybe most of the infrastructure are in the cloud, but the data has to come from somewhere. Even processes need people to complete them. How do you onboard your customers? It usually involves someone at the office doing something with the application that’s in the cloud.

PCI takes a very similar approach, where the scope includes people, processes, and technology that transmit, process, or store cardholder data, or are connected to or could impact the security of the cardholder data environment. Again, how do the people in your physical office location support the applications, infrastructure, and data that are in the cloud?

It’s understandable that a company would want to focus all of its attention on the technology in the cloud, but it’s an incomplete analysis to conclude that because you are a cloud-based organization, no onsite assessments are required. If your auditor isn’t even coming to meet you in person, you’re not getting a quality audit. If they’re not coming onsite to examine your people, processes, and technology, your audit is even more flawed. If you want a thorough audit of your cloud environment, let KirkpatrickPrice help. Contact us today.

More Cloud Security Resources

Who’s Responsible for Cloud Security?

12 Risks You Need to Know to Secure Your Cloud Environment

Cloud Security: The Good, The Bad, and The Ugly

Auditor Insights: Business Continuity and Disaster Recovery Plans for the Cloud

Most business owners understand the importance of Business Continuity and Disaster Recovery Plans. These documented sets of policies and procedures can be a lifeline to organizations following a disaster because they limit the loss of operations, reputation, and revenue. But how does the cloud impact Business Continuity and Disaster Recovery Plans?

Myths about Business Continuity and Disaster Recovery Plans for the Cloud

When it comes to Business Continuity and Disaster Recovery Plans for the cloud, we often hear this feedback:

  • “I don’t have to worry about Business Continuity and Disaster Recovery Plans because my cloud provider does those for me.”
  • “We don’t need to test our Business Continuity and Disaster Recovery Plans, we’ve thought it through.”
  • “Our cloud service provider is taking care of our availability concerns.”
  • “Everything is in the cloud, so we aren’t at risk.”

These myths about Business Continuity and Disaster Recovery Plans for the cloud are hurting businesses. This way of thinking couldn’t be further from the truth. Business Continuity and Disaster Recovery Plans are not simply a technology roadmap; they describe how to recover business operations, which includes people and processes. How could a cloud service provider determine how your people and processes will recover?

Everything can’t possibly be in the cloud. Physical office locations, employees, weather patterns, heating and cooling systems, power regulation — these things don’t exist in the cloud. The shared responsibility model accounts for this. Microsoft Azure’s guidance states, “Cloud service providers offer considerable advantages for security and compliance efforts, but these advantages do not absolve the customer from protecting their users, applications, and service offerings.”

Organizations operating under the lift and shift methodology of moving an operation to the cloud without redesign or thought are not accounting for their people and processes. Cloud service providers cannot take care of all business continuity and disaster recovery needs. The lift and shift mindset cultivates complacency, which is a dangerous spot to be in.

What Should Business Continuity and Disaster Recovery Plans for the Cloud Include?

Business Continuity and Disaster Recovery Plans define an organization’s processes for protecting and recovering its business in the event of a disaster, such as a hurricane, flood, tornado, power outage, etc. With consideration to cloud computing, Business Continuity and Disaster Recovery Plans should answer:

  • How will your organization stay running in the event of a disaster?
  • How does your deployment model impact your level of risk?
  • How do your people and processes fit into cloud security?
  • Where will employees continue to carry out their work duties?
  • How will incident response be communicated throughout your organization?

To create Business Continuity and Disaster Recovery Plans, organizations must still go through these four basic steps:

  1. Conduct a Business Impact Analysis.
  2. Determine a recovery strategy based on the results of the Business Impact Analysis.
  3. Put a documented plan into place.
  4. Test it! Testing BC/DR Plans for the cloud is technologically easier.

About Michael Burke

Michael Burke is an Information Security Specialist with KirkpatrickPrice with over 25 years of experience in the information technology industry. Michael holds a PhD in Information Technology from Capella University. He is a member of the EC-Council, the International Information Systems Security Certification Consortium, and the Project Management Institute. Michael also holds CISSP, CCISO, QSA, and CCSFP certifications.

More Resources

Business Continuity and Disaster Recovery Planning Checklist

3 Steps for an Effective Disaster Recovery Plan

Cloud Security: Business Continuity and Disaster Recovery Planning Checklist

Cloud Security: The Good, The Bad, and The Ugly

5 Best Practices for Cloud Security

How has the cloud impacted your organization’s security? Has it left you wondering – what consequences could we face if a malicious outsider gained access to our cloud environment? Would our clients stay loyal to us if our database was compromised? What can we do to implement cloud security?

Our five best practices for cloud security, especially in Azure and AWS environments, include:

  • Identity and Access Management (IAM)
  • Multi-factor authentication (MFA)
  • Hardening techniques
  • Monitoring programs
  • Industry-accepted cloud security tools

These best practices for cloud security work together and sometimes overlap to give your cloud environment the protection that it needs.

Learn more about the 12 most common cloud security problems most businesses face.

Implement IAM Best Practices

Implementing Identity and Access Management (IAM) best practices is a vital aspect of cloud security. IAM is a process for managing electronic or digital identities. Without IAM, you can’t track who has which type of access and what actions someone has taken with their access. IAM best practices include policies that outline strong password requirements, key rotation every 90 days or less, role-based access controls, and multi-factor authentication.

Azure and AWS both provide their recommendations for IAM.

Utilize Multi-Factor Authentication

As part of IAM, implementing access controls based on business need to know is a crucial aspect of cloud security. Access controls are key to preventing data breaches, account hijacking, and breaches caused by shared resources, and to creating a secure identity and access management (IAM) system, among other benefits. The more people who have access to sensitive areas, the more risk there is.

Implementing access controls like multi-factor authentication (MFA) adds an additional security measure for protecting user names and passwords. When MFA is enabled, a user will be asked for their user name, password, and a secondary verification method. This is something you know, something you have, or something you are. How many times have you entered your PIN after swiping your payment card this week? Your PIN is something you know. Has a website ever texted you a one-time password in order to log on? That one-time password is something you have. Do you use the face ID or fingerprint function to unlock your smartphone? Your face or fingerprint is something you are. This type of verification method, when used in addition to unique IDs, helps protect user IDs from being compromised, since an attacker would need the unique ID, the password, and the additional factor.

Azure and AWS make multi-factor authentication (MFA) an easy to use, scalable, protected, and reliable control.

Identify Responsibility

To close some of the gaps in cloud security, you must understand what the cloud service provider is responsible for and what the cloud service customer is responsible for. If responsibility for cloud security is not defined, cloud security could be compromised. In general, the shared responsibility model outlines that providers are responsible for security of the cloud, and customers are responsible for security in the cloud. Cloud service providers and customers must work together to meet cloud security objectives.

Azure and AWS both define the shared responsibility model to give some perspective on how important it is to identify responsibility.

Continuous Monitoring Program

A monitoring program should be a continuous, mostly automated process. Making your monitoring program a priority will help solve small problems or risks before they become a much larger issue.

Your monitoring program should answer: What are your goals for monitoring? Which resources will you monitor? Which monitoring tools will you use? How often will you monitor these resources? Who will perform the monitoring tasks? Who will be notified of an incident?

Utilize Cloud Security Tools

Cloud service providers have developed many cloud security tools to help their customers achieve secure environments. Cloud security is just as important to providers as it is to customers. These tools can help you achieve best practices for cloud security, automate security assessments, give alerts for security incidents, and assess data security requirements to verify the security and compliance of cloud solutions. Amazon CloudWatch, Amazon Inspector, and Azure Security Center are a few examples of industry-accepted tools. You could also utilize another trusted advisor or tool, like a third-party auditing firm or internal audit.

Has your organization implemented these five best practices for cloud security? Contact us today to start learning about protecting your cloud environments.

More Cloud Security Resources

The Top 10 Most Downloaded AWS Security and Compliance Documents in 2017

Azure Data Security and Encryption Best Practices

CIS AWS Foundations Benchmark

12 Risks You Need to Know to Secure Your Cloud Environment

Cloud Security: The Good, The Bad, and The Ugly

Who’s Responsible for Cloud Security?

As more and more organizations migrate to the cloud, cloud service customers must consider how the cloud will impact their privacy, security, and compliance. First, cloud service customers must understand how their cloud service provider delivers a secure solution. Second, cloud service customers must consider their new role in cloud security. Some cloud service customers mistakenly believe that when they migrate to the cloud, their cloud security responsibilities also shift. Some important questions you should be asking when considering this shift are: Who’s responsible for cloud security? Why do you even need security in the cloud? Let’s discuss the shared responsibility model and help you understand which elements of cloud security customers are responsible for and which fall under the responsibility of the provider.

What is the Shared Responsibility Model?

The shared responsibility model is a method for determining which roles cloud service providers and cloud service customers play in cloud security. In general, the shared responsibility model outlines that providers are responsible for the security of the cloud, and customers are responsible for security in the cloud. Cloud service providers and customers must work together to meet cloud security objectives.

The model varies with the provider and the service being offered. In practice, the cloud service provider takes responsibility for specific elements of security, such as the storage and physical security of the servers, and the customer takes responsibility for other specific elements. The line between who has responsibility for the different elements depends on the provider and the services being used.

To understand the shared responsibility model, let’s think about security requirements as a spectrum. Cloud service customers add together all of the regulatory, industry, and business requirements (GDPR, PCI DSS, contracts, etc.) that apply to their organization, and the sum equals all of that organization’s specific security requirements. These security requirements will help ensure that data is confidential, has integrity, and is available. On one end of the security requirement spectrum are cloud service providers and on the other are cloud service customers. The provider is responsible for some of these security requirements, and the customer is responsible for the rest, but some should be met by both parties. Cloud service providers and cloud service customers both have an obligation to protect data.

Microsoft Azure’s guidance on the shared responsibility model states, “The importance of understanding this shared responsibility model is essential for customers who are moving to the cloud. Cloud service providers offer considerable advantages for security and compliance efforts, but these advantages do not absolve the customer from protecting their users, applications, and service offerings.”

Shared Responsibility Model Across Service Models

When choosing which service model (IaaS, PaaS, or SaaS) your organization needs, you should consider which security responsibilities will apply to you. Technology stacks are a great way to see the shared responsibility model across service model types.

  • For IaaS solutions, the elements such as facilities, data centers, network interfaces, processing, and hypervisors should be managed by the cloud service provider. The cloud service customer is responsible for securing and managing the virtual network, virtual machines, operating systems, middleware, applications, interfaces, and data.
  • PaaS solutions shift the cloud service provider’s responsibilities and add a few elements to their duties. The customer is still responsible for securing and managing applications, interfaces, and data.
  • For SaaS solutions, the responsibilities shift again. Now, the cloud service customer is responsible for the security of interfaces and data.

Cloud service providers and cloud customers both have a responsibility to protect data. It’s also important to note that the execution of individual security management tasks can be outsourced, but accountability cannot. The responsibility to verify that security requirements are being met always lies with the customer.

Physical Security in the Cloud

Physical security in the cloud sounds like an oxymoron, right? Isn’t less management of a physical environment a major benefit of migrating to the cloud? We often hear this case from organizations who haven’t or don’t want to implement cloud security best practices. But…not everything is in the cloud. Everything can’t possibly be in the cloud. Office locations, employees, servers, heating and cooling systems, power regulation, device management—these things don’t exist in the cloud. That’s why physical security must be a major aspect of cloud security.

Best Practices for Managing the Shared Responsibility Model

If you’re a cloud service provider, we believe these best practices will help you better manage the shared responsibility model:

  • Consider risks from your customers’ perspectives, then implement controls that will demonstrate you’re doing everything you can to mitigate those risks.
  • Document the internal controls you use to manage risks.
  • Provide ample documentation on how your customers can use the security features that you provide in your solution. AWS does a great job of this through its educational programs.
  • Create a responsibility matrix that defines how your solution will help your customers meet their various compliance requirements.
  • Turn to the CSA’s CAIQ and CCM as starting points for establishing the shared responsibility model.

If you’re a cloud customer, consider these best practices:

  • Define your cloud security requirements before selecting a cloud service provider. If you know what you’re looking for in a cloud service provider, you can better prioritize your needs.
  • Harmonize your corporate governance program between traditional and cloud-based IT delivery. Migrating systems and applications into the cloud is going to require a difference in policy.
  • Establish contractual clarity on the roles and responsibilities of each party, especially when you get into the public cloud. Who’s responsible for cloud security? How far does the cloud service provider go?
  • Develop a responsibility matrix that defines the security roles and responsibilities for you and for each vendor, including cloud service providers.

Who’s responsible for cloud security? Does your organization understand the security requirements of your cloud provider? Do you understand what your own role is in cloud security? For more information on how to secure the cloud, contact us today.

How Cloud Computing is Changing Small Business

Is your small business considering migrating to the cloud? Has your large business seen more and more competition from small businesses? Cloud computing is essential for businesses of all sizes, but small businesses have seen an endless amount of benefits from cloud computing, including financial, operational, and security benefits. Let’s discuss how each of these aspects of cloud computing is changing small business.

Affordable Investment

There’s been an enormous change in IT spending, shifting away from traditional IT offerings (enterprise software, data center systems, etc.) to cloud services. In fact, Gartner research shows that more than $1 trillion in IT spending will be directly or indirectly affected by the shift to cloud by 2020, making cloud computing one of the most disruptive forces of IT spending since the early days of the digital age.

So much money is being poured into cloud computing because there are so many financial benefits for small companies. The cost of cloud computing gives small businesses and start-ups access to the same software tools that larger competitors have. In the past, sophisticated software tools were only available in expensive, large packages. Now, cloud products are specifically designed to be used in the cloud and by businesses of all sizes and budgets. Instead of a huge annual fee, priced for hundreds of employees, small businesses can pay monthly fees and pay per user. This gives the users the ability to predict how much their cloud solution is going to cost and how to budget accordingly. Additionally, cloud solutions allow small companies to save on the cost to physically store servers and network equipment or pay for IT support.

Flexibility

Cloud computing gives small business the opportunity to be virtual instead of physical – think of all the ways this can positively impact a business. Employees have on-demand access to the cloud environment anywhere, any time, and the environments are readily available and dependable, which could improve overall team performance. Contractual agreements are also likely to be more flexible and solutions customizable, which is important for a small business; you don’t want to get locked into a contract that doesn’t fit your needs. As your business grows, so can your cloud solutions.

Easy to Use

There’s a cloud service for everything: web hosting, email hosting, application hosting, productivity solutions, infrastructure, business support, and many more. No matter what type of service it provides, a well-designed, quality cloud solution should be user-friendly and customizable to your business. Cloud computing solutions usually easily integrate with other applications that you use, don’t require manual software updates, and increase overall productivity.

Security

People often say that cloud computing makes security easier or less costly. On one hand, yes, cloud computing enables small businesses to scale back on their information security resources if they use a secure cloud provider. What is a secure cloud provider? A provider who can assure their clients that their information is secure, available, and confidential through validation. If you’ve chosen a cloud provider whose cost is low, but they have not gone through an information security audit, you’ve chosen a solution that doesn’t make securing your data easy. It’s vital to choose a provider who’s invested in providing secure solutions. Your reputation, business continuity, competitive advantage, and branding depend on the quality and security of your cloud computing provider.

Preparing for the Future

Cloud computing helps small businesses prepare for the future. As the business grows, scalable cloud solutions can also grow and enhance.

In Gartner’s research, Ed Anderson states, “Cloud shift is not just about cloud. As organizations pursue a new IT architecture and operating philosophy, they become prepared for new opportunities in digital business, including next-generation IT solutions such as the Internet of Things. Furthermore, organizations embracing dynamic, cloud-based operating models position themselves better for cost optimization and increased competitiveness.”

Cloud computing is giving small businesses more opportunities to compete and grow their business. Is your small business considering migrating to the cloud? Do you know which cloud security threats may impact you? To learn more about cloud adoption and how to empower your cloud environments through security audits, contact us today.

More Cloud Computing Resources

How Can a SOC 2 Bring Value to Your SaaS?