Cloud Auditing
Ayhan Yavuz – ABN AMRO Platforms & Technology
Agenda
1. What is cloud computing
2. Challenges and concerns
3. Audit approach
4. Third Party Assurance
1. What is Cloud Computing?
What is Cloud Computing?
• On demand delivery
• Of compute, memory, storage and applications
• Via the Internet
• With pay-as-you-go pricing
Public Cloud is rapidly becoming of strategic importance
• Increased agility, resilience and skills
• It facilitates disruptive innovations
• It is more and more becoming a matter of survival
• Covid-19 pandemic: use of Teams, Zoom and cloud-based collaboration tooling in general has skyrocketed
Public cloud is here to stay
Cloud computing stats
Cloud Deployment Models vs Enterprise IT
Example: Azure Regions
Example: Azure availability zones and data centers
Example: Azure services
2. Challenges and concerns
Challenges and concerns
• Insufficient added value – when is a cloud implementation beneficial?
• Loss of physical control – fear of the unknown?
• Availability – are we sure we can rely on the service provider to provide the services in line with availability requirements?
• Data privacy – are we sure the Service Provider will not gain access to our data?
• Isolation/security between virtual machines – how do we know that other tenants will not be able to access our data?
• Customer support – what kind of support can we expect in case of incidents?
• Communication happens over the Internet – how to ensure confidentiality/integrity?
• Vendor lock-in – will we be able to switch vendors against reasonable costs?
Challenges and concerns
So how do we manage these challenges and concerns?
3. Audit approach
Statement 1
“When we migrate our applications to the cloud then we primarily need to do our audits in the cloud”
Components to be considered for audits
• Culture & Behaviour
• Governance & the Target Operating Model
• Cloud Service Provider (CSP) Landing Zone
• Essential services (DevOps Pipeline, Security Information Event Management, IAM Services)
• Management / Maintenance Processes
• Workloads
• Agile Teams / DevOps Blocks
• RUN / Business as Usual
• Change
• External: Regulations, Guidelines, Best Practices / Internal: Policies and Standards
• (Platform) Strategy
• Change organisation
• Transformation planning
• Risk Management
• Business case
• Technical Cloud Foundation
• Workload migration
• Organisational readiness
So what is different compared to audits regarding on-prem systems?
4. Third party assurance
Statement 2
“All major CSPs and SaaS providers have a multitude of assurance reports. It is therefore not necessary to do vendor audits”
Third party assurance - EBA requirements
• Scope covers the key systems and controls
• Thoroughly assess the content of the certifications or audit reports on an ongoing basis
• Verify that the report is not obsolete
• The audits are performed against widely-recognised relevant professional standards and include a test of the operating effectiveness of the key controls in place
• Key systems and controls are covered in future versions of the certification or audit report
• Aptitude of the certifying or auditing party
• Contractual right to request expansion of the scope of the certifications or audit reports
• Retain the contractual right to perform individual audits