Cloud Auditing 101: How Do I Get Started?

Stephanie Urban
Author: Stephanie Urban, CISA, PMP, AWS Cloud Practitioner | Federal Reserve Bank of Chicago
Date Published: 3 September 2021

We’re entering what feels like a new era in re-inventing how we once worked. Pre-2020 seems like a lifetime ago, and not only are organizations accelerating their cloud adoption, we as practitioners are re-examining our own careers and skills.

I found myself forming a strategy this time last year on how to audit our organization’s cloud strategy, key processes, and controls. I quickly learned that I needed Friday mornings, coffee, and a team of people just as hungry as I was to make this happen.

As we read countless articles and journals and held brainstorming sessions, we knew we had to define the value to our auditees and ourselves. As a result, I am sharing an approach that may help you strategize how to approach auditing cloud adoption in your organization:

Step 1: Rally for interest and build talent. If you don’t have a team of people that are running toward the cloud competencies, then you will spend your energy and time convincing, over planning and execution. Upskilling is necessary for everyone no matter how many years of practical IT experience you have on your team. Consider rewards and incentives for those in the organization who are eager or interested. Seek out and hire individuals that already have these skills to encourage and bring others along. Create a burning platform and incorporate cloud skill expectations into job descriptions. These concepts apply not only to us, but to those we will audit.

Step 2: Identify where cloud activity exists. Like the challenge of identifying hardware and software assets in organizations today, seeking out where cloud activity exists is key to effectively strengthening your organization to deal with potential security risks and privacy issues. Methods to identify activity can include independent scans, tagging and tracking of invoices and chargebacks to cloud service providers, and/or the maintenance and verification of a cloud registry.

Step 3: Proactively identify risks as cloud maturity evolves. After you know where cloud applications or software exist in your organization, consider how you’d like to identify key risks and audit the controls. While your initial list of key risks may involve your go-to items like security controls or resiliency, they may not be ready for your review until you’ve understood the current state of affairs. A maturity assessment may be the right place to start.

Elements of the maturity assessment should align with where your key risks currently exist. For example, you may want to examine how individual and group access is assigned and managed in the new cloud environments, but those group policies are only being discussed and haven’t been set up yet. What better time to collaborate with your auditees?

Consider how the continuous development, integration and testing processes are set up. Remember that decade-plus of when our audit job was to keep developers out of production? The process is different now, and while segregation of duties still matters, it looks different than it once did. Changes are deployed real time and automated controls have replaced the “wait until someone logs in to approve” methodologies that were used in auditing before.

As your organization matures its cloud usage, update and enhance your audit coverage accordingly. Continuous auditing is necessary over the point in time “drive by auditing” of the past. Being an effective auditor requires consistent conversations and a regular seat at the table.

Step 4: Keep calm and adjust your sails. Will your cloud audit go as planned? Nope. Expect this and plan on including time buffers, and allow grace for learning and development. Not only is continuous, agile auditing necessary, it is essential for pivoting in your objective and swiftly swapping it out for an emerging risk.

Auditing evolving processes in the cloud environment requires patience, humility and a learning mindset. There are growing pains. Setting a multi-year strategy may be your best bet at accomplishing your goals and evolving your own auditing techniques and knowledge pool.

Remember, just like life, cloud adoption moves pretty fast. If you don’t stop and look around once in a while, you could miss it.

Author’s note: These views are my own and do not represent the Federal Reserve Bank of Chicago.

Editor’s note: Find out more about cloud auditing upskilling through the Certificate of Cloud Auditing Knowledge (CCAK), a Cloud Security Alliance and ISACA credential.