Cloud Risk Insights

Cloud GRC and Audit

Traditional assurance processes need to change with the disruption that cloud is bringing.

“Assurance needs to become more real-time, continuous and process-oriented vs. transactional in focus….” (Controls and Assurance in the Cloud using COBIT 5)

GRC and Audit have a broad context in the cloud ecosystem. They span the first line of defence (monitoring and measurement), the second line of defence (oversight processes and risk management frameworks) and the third line of defence (assurance processes).

Governance, Risk and Compliance of cloud covers both the Cloud Service Provider (CSP) and the Cloud Consumer. The Cloud Consumer’s assurance and GRC models need to be enhanced and adapted based on a risk assessment of the shared responsibility between Cloud Service Provider and Cloud Consumer.

Assurance and GRC management face certain challenges due to the loss of visibility and control in a cloud environment. CSPs and third parties provide tools to monitor and measure performance, security attributes and events; these need to be leveraged for better control and visibility into cloud risks.

A Cloud Service Provider’s infrastructure is not directly auditable by the Cloud Consumer, given the large number of clients a CSP serves. This is a characteristic of multi-tenancy in cloud, i.e. sharing the same cloud infrastructure among many clients. Cloud Consumers are instead provided with third party assurance reports such as SOC 1, SOC 2 and SOC 3, and other industry or sector specific attestations, e.g. HIPAA, FedRAMP etc. Cloud service SLAs need to be understood and agreed with the service provider to manage performance, operations and controls.

Cloud Access Security Brokers (CASB) provide functionality around visibility, compliance, data security and threat protection. CASB functionality enables more detailed risk assessments through continuous monitoring and analytics.

Some of the Cloud GRC & Audit services we can provide are:

  • Identify cloud specific risks internal to the organisation and in the cloud (e.g. SaaS, PaaS and IaaS)
  • Develop risk based control and assurance programs specific to the entity’s requirements, based on agreed upon frameworks such as NIST (2013, 2014), SANS (2016), ISO 2700x, COBIT, CSA Cloud Controls Matrix etc.
  • Review existing GRC processes; enhance, adapt and develop GRC and security audit programs for SaaS, PaaS and IaaS environments
  • Leverage Cloud Service Provider and third party audit logging tools as appropriate
  • Facilitate cloud self-assessment audits using tools such as Cloud Security Alliance StarWatch©
  • Review and incorporate the Cloud Service Provider’s SLAs in the audit program
  • Assess third party risks
  • Identify opportunities for audit automation
  • Collaborate across the organisation to support assurance objectives of stakeholders
  • Leverage CASB (Cloud Access Security Broker) functionalities in developing analytics based audit programs