Why Onsite Visits are the Smart Choice for Cloud Environments 

by Joseph Kirkpatrick / August 9th, 2019

The National Institute of Standards and Technology, NIST, defines cloud computing as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.” Cloud computing is both a transformative and disruptive technology that provides an opportunity to rethink the way organizations fix problems that have been around for a long time. It’s important to recognize the value cloud environments can bring to the table, while also understanding the risk that is coupled with storing data in the cloud.

The assumption that everything is based in the cloud is simply not true. Not only is it inaccurate, it is harmful to an organization to believe an onsite analysis of its security controls is a waste of time. While your data may be stored in the cloud, your physical security processes, onsite technologies, and personnel who process the data are not in the cloud.

Risky Business in the Cloud

The 2019 Cloud Adoption and Risk Report from McAfee reports that 48% of all files in the cloud are eventually shared. The risk that is inevitably born out of cloud computing increases with the amount of sensitive data that is stored. While your organization can work to minimize risk from the inside, the best way to reduce security threats is to have an independent auditor review your organization’s controls onsite.

While some organizations believe an onsite visit for a company that works in the cloud is pointless, at KirkpatrickPrice, we know there are many moving parts to an organization with a cloud environment that need to be reviewed onsite. Although your data may be stored in the cloud, there are security measures that should be in place to protect access to the cloud.

Onsite Security for a Cloud Environment

Physical security practices must be implemented to mitigate the risk that cloud computing brings to an organization’s data. An organization should be aware of the physical security processes that auditors review during an onsite visit:

  • Employee Operations: How does sensitive data get into the cloud? Who processes the information and manages updates to data? How often do your employees access the data stored in the cloud?
  • Physical Security: Do you have badges, biometric access controls, or security guards that allow access into your organization’s secure areas? Do your employees understand your physical security controls and use them properly?
  • Identification and Authentication: Who has access to the cloud? What multi-factor authentication processes are in place to properly identify personnel with access?

An auditor needs to review and monitor these security controls as they happen on an everyday basis. It’s a necessary component of a high-quality audit to have an auditor onsite during the audit process, especially for an organization that stores data in a cloud environment. Your organization is still susceptible to harm even with a cloud-based system. Don’t let threats have the upper hand on your organization’s data because you think an onsite visit is unnecessary. Let KirkpatrickPrice perform an audit that will leave you assured in your cloud environment’s security.

One of the biggest issues these days is that a company needs to go through an audit, but they’re not willing to bear the expense of an auditor traveling and meeting them in person. The argument that we’re given is, “Well, everything is in the cloud. That’s where our production environment is. There’s nothing to see here, right?” I think ignorance is bliss in that situation. We really like the idea of outsourcing the responsibility to a cloud service provider, but the truth is, everything is not in the cloud.

What about your people? What about the processes that you expect your people to follow? What about the locations and the environment that the people work in? What about the data? How did it get into the cloud? Who has access to it? What about the developers and the code they have access to? Wouldn’t you want a qualified, experienced auditor to come inspect your environment and understand how you’re interacting with that cloud service?

Last year in the McAfee security report, it talked about how 48% of the files in the cloud are eventually shared. This is one of the primary things we find in our audit. When we come and inspect your processes and what you’re doing, we usually find surprises about where your data resides. Our clients are really appreciative to finally understand how those things are working.

Another thing that we find is that you might have some good processes for securely accessing your cloud environment, but sometimes your people will bypass those security controls. They won’t use multi-factor authentication, for example. This is something we want to inspect and work with you on so we can understand the risks that you’re truly facing when you’re interacting with that cloud environment.

Be sure to work with a qualified, experienced auditor that’s willing to come and meet you, get to know you, work with you personally, and inspect your environment to identify the risks that you’re actually facing.

About the Author

Joseph Kirkpatrick

Joseph Kirkpatrick is the Managing Partner at KirkpatrickPrice and holds the CISSP, CISA, CGEIT, CRISC, and QSA certifications, specializing in data security, IT governance, and regulatory compliance. He enjoys helping our clients and stakeholders by navigating them through the complex maze of compliance and regulatory requirements.