21% of data in the cloud is considered confidential. That means cardholder data, protected health information, password-protected information, personally identifiable information – it is all processed and stored in the cloud. The myth that most people believe is that everything in the cloud is safe simply because it is in the cloud, which is how so much confidential data has ended up there. We have implicit trust in Amazon, Microsoft, and Google, who run our lives and our businesses through their cloud. The harsh reality that many businesses have not faced yet is that their cybersecurity practices need to move to the cloud, just like their data has.
The Cloud Mentality
Cloud environments have brought incredible innovation to the world, but sometimes that innovation and accessibility overshadow the security needs of the cloud. Businesses tend to think that when they put “everything” into the cloud, it relieves them of the data security responsibilities they hold. In reality, that’s not the case at all. Confidential data is often left open to the public because of misunderstood security responsibilities.
A foundational element of using the cloud is the shared responsibility model (See AWS and Azure’s documentation). GCP says, “Security in the cloud is a shared responsibility between the cloud provider and the customer…As newer infrastructure models emerge, though, it’s not always easy to figure out what you’re responsible for versus what’s the responsibility of the provider.” Simply put, the shared responsibility model states the security of the cloud is up to the provider and security in the cloud is up to the customer.
What is security in the cloud? Let’s take IAM in AWS, for example. AWS can set up its IAM features as securely as possible and provide all the documentation and training necessary for you to know what is left for you, as the customer, to do – but AWS’ responsibility has its limits. Only your team can turn on MFA, set password parameters, or assign role-based access controls. Capital One’s 2019 data breach occurred partly because of IAM misconfigurations, and they could not fault AWS for that breach. They only had their own team to blame.
On the other hand, we have security of the cloud. Sticking with the AWS example, let’s talk about availability zones, which fall under security of the cloud. Amazon operates state-of-the-art data centers within availability zones. Availability zones are fully under AWS’ security responsibilities. A customer would never be expected to be responsible for the security of Amazon’s data centers – that’s not reasonable.
In the same way that AWS wouldn’t place the responsibility of data center security on the customer, cloud customers cannot place the responsibility of data security on the cloud provider. This happens when businesses start to think, “Everything’s in the cloud. It’s inherently safe.” Once your cloud mentality shifts and your team operates by the rules of the shared responsibility model, your entire security strategy will become more robust.
Now that you’ve done your part as the customer and set up controls in the cloud, who verifies that you configured everything correctly? This is where an auditor comes in.
What is a Cloud Audit?
Not enough businesses are having a third party come in to check cloud configurations. This is partly due to a lack of cloud knowledge and expertise within auditing firms, and partly due to the fact that customers aren’t aware cloud audits are an option. An assessment of configurations within AWS, Azure, or GCP will be a bit more customized than a traditional information security audit, but when you find the right audit firm, a cloud audit is an option. Two crucial elements of a cloud audit are how the audit framework was developed and whether the auditor performs an onsite visit.
In the same way that the payment card industry audits against the PCI DSS and the healthcare industry audits against the HIPAA Rules, cloud audits should incorporate the CIS Benchmarks. The CIS Benchmarks set the industry baseline for cloud configuration security requirements, so any cloud audit that you consider should be based on information security and cybersecurity best practices as well as the applicable CIS Benchmarks. Reviewing the CIS Benchmark guidelines is also a great way to prepare for a cloud audit – do your current configurations meet or exceed their best practices?
It may seem irrelevant at first, but during a cloud audit, your auditor should come onsite to meet with your team. When you move away from the “everything is in the cloud” mentality, you realize that your people and processes need to be assessed in addition to your cloud configurations – which makes the onsite visit a vital part of the audit. Every moment of human interaction with your cloud environment – putting data in the cloud, managing the cloud, accessing the cloud – is an opportunity for an insecure process, and without an onsite visit, you may not be able to catch those vulnerabilities.
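One way to check the customer-side IAM controls named above (MFA, password parameters) against CIS-style requirements before an auditor does, as an added example that is not the article's or any audit firm's own tooling. It runs offline over a constructed IAM credential report (using the column names of AWS's real credential report) and a constructed password policy; the numeric thresholds are assumed from the CIS AWS Foundations Benchmark, and the boto3 calls that would fetch live data are only noted in comments.

```python
import csv
import io

# Constructed sample of an IAM credential report (subset of the real
# columns). In a live check this comes from iam.get_credential_report().
CREDENTIAL_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,true
alice,arn:aws:iam::123456789012:user/alice,true,true,false
bob,arn:aws:iam::123456789012:user/bob,true,false,true
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,false,true
"""

# Constructed account password policy, shaped like the "PasswordPolicy"
# dict returned by iam.get_account_password_policy().
PASSWORD_POLICY = {"MinimumPasswordLength": 8, "PasswordReusePrevention": 5}

# Assumed CIS AWS Foundations Benchmark values for these two controls.
CIS_MIN_PASSWORD_LENGTH = 14
CIS_REUSE_PREVENTION = 24


def audit_credential_report(report_csv):
    """Flag root without MFA, root with an active access key, and console
    users without MFA. Users with no console password (service users using
    only access keys) are exempt, as the MFA control targets console users."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            if row["mfa_active"] != "true":
                findings.append("root account has no MFA")
            if row["access_key_1_active"] == "true":
                findings.append("root account has an active access key")
        elif row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(f"console user {row['user']} has no MFA")
    return findings


def audit_password_policy(policy):
    """Compare the account password policy with the assumed CIS minimums."""
    findings = []
    length = policy.get("MinimumPasswordLength", 0)
    if length < CIS_MIN_PASSWORD_LENGTH:
        findings.append(f"minimum password length {length} below {CIS_MIN_PASSWORD_LENGTH}")
    reuse = policy.get("PasswordReusePrevention", 0)
    if reuse < CIS_REUSE_PREVENTION:
        findings.append(f"password reuse prevention {reuse} below {CIS_REUSE_PREVENTION}")
    return findings


if __name__ == "__main__":
    for finding in audit_credential_report(CREDENTIAL_REPORT) + audit_password_policy(PASSWORD_POLICY):
        print("FINDING:", finding)
```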
Who Should Perform a Cloud Audit?
Cloud audits require someone who understands cloud computing and technology, not just an average auditor. It will typically be someone who specializes in cloud security or even in a specific cloud platform, or you can look for individuals who hold certifications like the Certificate of Cloud Security Knowledge (CCSK) or Certified Cloud Security Professional (CCSP). You want a cloud security expert who is willing to work alongside your team to ensure security in the cloud.
Because cloud technology is new and evolving, the industry lacks widely known and understood best practices. That’s why you want to find an auditing firm that does a thorough job, can provide you with a customized audit, and has auditors who understand the underlying technology of the cloud. During a cloud audit, a partnership mentality with your auditor will be extremely important.
If you’re considering a cloud audit, don’t hesitate. It’s incredibly easy to make small misconfigurations that can lead to massive consequences. Cloud audits are rising in popularity, so do your research and choose a firm that is equipped to learn and understand your cloud environment.