Presented at ISACA Indonesia Monthly Technical Meeting, 11 Dec 2019 at Telkom Landmark.
Key takeaways from my presentation:
1. Cloud customers have to understand the share responsibilities between customer and cloud provider
2. Different cloud service model (IaaS, PaaS, SaaS) has different audit methodology
3. Customer’s IT Auditor have to be trained to have the skills needed to audit the cloud service
4. Understanding IAM in Cloud is very important. Each Cloud Service Provider has different IAM mechanism
5. Understanding different type of audit logs in cloud platform is important for IT Auditor
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Art of Cloud Auditing - ISACA ID
1. 11
THE ART OF
CLOUD AUDITING
Eryk Budi Pratama
CSX Team
ISACA Indonesia Chapter
11 December 2019
2. About Me
❑CSX Team Member, ISACA ID
❑Cyber Security & IT Advisory Professional
❑Community Enthusiast
❑Blogger / Writer
❑Knowledge Hunter
❑Do some “magic”
❑https://medium.com/@proferyk
❑https://www.slideshare.net/proferyk
https://www.linkedin.com/in/erykbudipratama/
3. ISACA Indonesia Chapter (Join Us ☺)
http://www.isaca.or.id
The chapter was established in 1993. We have been and continue organizing various talks, seminars, conference,
forums and other activities to keep our members informed of the latest audit, security and control issues which
members can attend at concession rates.
Growing number of members of more than 700, with 400++ ISACA certified members from various industry
https://www.isaca.org
4. Setup the Context
Industry, Geography, Sector, Market, Regulatory Environment
Management, Funding, Staffing Levels & Competencies, Strategy & Initiatives
Procure to Pay, HR, Operations, Revenue & Receivables, SG&A, Marketing, Legal
SaaS, On-Premise (tied to lines of business and processes)
App Code, Databases, OS, Hypervisors, Compute, Networks (SAN, Backup, WAN/LAN)
Business Processes
Application
Infrastructure
Micro
Macro
Know how
each layer
impacts
the others
What should not go to the cloud? Why?
How does this broader context affect
your perspective of cloud services ?
Common IT focus
6. Deployment Model
Service Model
Essential Characteristics
6
Cloud Computing – Know the Basic
Cloud computing is a very clearly defined computing model with essential characteristics
On-demand
self service
Broad access
network
Resource pooling Rapid elasticity Measured service
Infrastructure as a Service
(IaaS)
Platform as a Service
(PaaS)
Software as a Service
(SaaS)
Public Private Hybrid Community
7. 7
Common Cloud Risk Questions
What do you believe to be the most common cloud risks?
Account lock-out /
resource hijacking
• Who has administrative control over the service or account?
Misconfiguration
leading to a breach
• How can we assess the security and appropriateness of
configurations?
Loss of control • How are we defining control in the context of the cloud?
Asymmetries between
the provider and
customer
• Who has greater power in negotiations (T&Cs / Pricing)?
Multi-tenancy • What are the impact of multi-tenancy?
Jurisdictional
• How does the location of services impact legal / compliance
requirements?
8. Shared Responsibilities for Cloud Risk & Security
The adoption of cloud introduces a shared responsibility model for security. Consumers have the most responsibility with IaaS and
least with SaaS cloud models. Organizations should clearly define cloud security roles and responsibilities and ensure cloud vendor
contracts, cloud vendor implementations, and control operations address gaps.
Infrastructure
as a Service
Physical Hosting
Network
Infrastructure
Storage
Infrastructure
Compute
Infrastructure
Platform
Application
Software as a
Service
Physical Hosting
Network
Infrastructure
Storage
Infrastructure
Compute
Infrastructure
Platform
Application
Shared
Shared
Shared
Platform as a
Service
Physical Hosting
Network
Infrastructure
Storage
Infrastructure
Compute
Infrastructure
Platform
Application
Physical Hosting
Network
Infrastructure
Storage
Infrastructure
Compute
Infrastructure
Platform
Application
On-Premise
Service Demarcation: SLAs and Roles & Responsibilities
Security, Monitoring & Governance: Critical Foundation
Client
Cloud Provider
9. Cloud Risk per Cloud Service Model
Infrastructure as a Service Platform as a Service Software as a Service
▪ Virtual Server Images
✓ Controls for how a virtual server images
are created/destroyed
✓ Controls for maintaining the integrity of
server images
▪ Virtual Server Inventory
✓ IaaS servers should have an audit record
for when they were started and ended
▪ Security Policy
✓ The use of consistent automated tools
✓ Who will manage the kernels
▪ Application Development
✓ Specific requirements and controls are in
place to filter or detect unwanted
code/malicious code
▪ Environment Separation
✓ Separation from other applications
▪ Software Development Life Cycle
(SDLC)
✓ New risks may exist as Cloud Computing
can expand and shorten the SDLC cycle
▪ Licensing
✓ Examine tools used for usage tracking
and licensing
✓ Examine accuracy of reporting
▪ Environment Separation
✓ Separation from other applications
▪ Software Development Life Cycle
✓ New risks may exist as Cloud Computing
can expand and shorten the SDLC cycle
▪ Management of Software
Dependencies
✓ Due to technical architecture complexity
and potentially restrictions by the cloud
provider, replicating data back to the
enterprise or to another provider may
be difficult
10. 10
Critical Areas of Focus in Cloud Computing
The domains are divided into two broad categories: Governance and Operations. The governance domains are broad and
address strategic and policy issues within a cloud computing environment, while the operational domains focus on more tactical
security concerns and implementation within the architecture.
Governance and
Enterprise Risk
Management
Legal Issues:
Contracts and
Electronic
Discovery
Compliance and
Audit
Management
Information
Governance
Management
Plane and Business
Continuity
Infrastructure
Security
Virtualization and
Containers
Incident Response,
Notification and
Remediation
Application
Security
Data Security and
Encryption
Identity,
Entitlement, and
Access
Management
Security as a
Service
Related
Technologies
11. 11
Top Cloud Security Risks based on ENISA
Top Cloud
Risk
Loss of
Governance
Lock-In
Data
Protection
Compliance
Risk
Isolation
Failure
Management
Interface
Compromise
In using cloud infrastructures, the client necessarily hand over
control to the Cloud Provider (CP) on a number of issues which
may affect security. At the same time SLAs may not offer a
commitment to provide such services on the part of the cloud
provider, thus leaving a gap in security defenses
There is currently little on offer in the way of tools,
procedures or standard data formats or services
interfaces that could guarantee data, application
and service portability. This can make it difficult
for the customer to migrate from one provider to
another or migrate data and services back to an
in-house IT environment
Cloud computing poses several data protection
risks for cloud customers and providers. In some
cases, it may be difficult for the cloud customer
(in its role as data controller) to effectively check
the data handling practices of the cloud provider
and thus to be sure that the data is handled in a
lawful way.
investment in achieving certification (e.g., industry standard or
regulatory requirements) may be put at risk by migration to the
cloud: (1) IF the CP cannot provide evidence of their own
compliance with the relevant requirements or (2) IF the CP does
not permit audit by the cloud customer (CC)
This risk category covers the failure of
mechanisms separating storage,
memory, routing and even reputation
between different tenants (e.g., so-
called guest-hopping attacks).
Customer management interfaces of a
public cloud provider are accessible
through the Internet and mediate access
to larger sets of resources (than
traditional hosting providers) and
therefore pose an increased risk
13. 13
The Future of Audit
The issues that will have the greatest impact on the audit profession over the next three to five years
Source: https://images.forbes.com/forbesinsights/StudyPDFs/KPMG-AFocusOnChange-REPORT.pdf
14. 14
Typical Audit Plan
▪ Internal Controls
▪ Regulatory Requirements
▪ Vendor Management Requirements
(Second/Third Party Audit)
▪ Policy Procedures
▪ Business Processes
▪ Functions
▪ Applications
▪ Infrastructure
▪ Vendors / Cloud Provider(s)
Some basic questions when building cloud audit
plan:Audit Objectives
Audit Scope
Cloud
Audit
Context
Is the service or application authorized to be in the
cloud?
What is the role of the application or service?
What type of information or data is used by
the application?
Do we have the right skills, competencies and
staff to operate in the cloud?
Have risks changed given the use of cloud services
be they SaaS or IaaS?
15. 15
Auditing Challenges with Cloud Computing
A disruptive technology, like cloud computing, can impact “how” to audit
❑ Understanding the scope of the cloud computing environment
✓ Do you use the same matrix for public clouds as for private clouds? (internal vs external)
✓ The concept of a perimeter in a multi-tenant environment doesn’t make sense anymore
❑ Can your current risk assessment capture the risks correctly?
❑ Sample selection
✓ What is the universal population from which to pick a sample from?
✓ What would your sample selection methodology be in a highly dynamic environment?
✓ A snapshot in time may depend if it’s a high or low peak point in time
❑ Audit trails
✓ How do you “test” historical data if there was no audit trail?
❑ Other
✓ Educating the audit committee
✓ Overcoming internal barriers restricting the early involvement of internal audit as a ‘risk
advisor’ to the business and IT
16. 16
Standards applicable to cloud security auditing
Standard Type Strength
Sponsoring
Organization
Service Organization
Control 2
Audit for outsourced
service
Technology neutral AICPA
ISO 27001 & 27002 Traditional security audit Technology neutral ISO
NIST SP800-53 rev 4 Federal Government
audit
Technology neutral NIST
Cloud Security Alliance Cloud-specific audit Dedicated to cloud
security auditing
CSA
PCI DSS PCI Qualified Security
Assessor cloud
supplement
Cloud specific and
provide guidance
PCI DSS
17. 17
Auditing the Cloud
Service Organization Control (SOC)
▪ Service Organization are replacing traditional in-house functions (payroll processing, medical claims
processing, human resources, document, workflow, and tax processing)
▪ SOC for Service Organizations reports help service providers build trust and confidence in their
services and controls
▪ SOC 1 Pertains to financial controls
▪ SOC 2 Pertains to trust services (Security, Availability, Confidentiality, Process Integrity, and
Privacy)
▪ SOC 3 Also pertains to trust services (Security, Availability, Confidentiality, Process Integrity, and
Privacy)
▪ SOC for Cybersecurity - To provide intended users with information about an entity’s
cybersecurity risk management program for making informed decisions
▪ SOC Type I & II
Internal and External Audit Customer and Cloud Service Provider
18. 18
SOC Comparison
SOC Type Who Uses the Audit Info Why
What the Audit Reports
On
SOC 1 Users’ controller’s office and
users’ auditors
Audits of financial
statements
Internal controls over
financial statements
SOC 2 Internal management,
regulators
▪ GRC programs
▪ Oversight
▪ Due Diligence
Security, availability,
processing integrity and
privacy controls
SOC 3 General public ▪ Marketing Purposes
▪ Detail not required
General customer
assurance, marketing
SOC Cybersecurity Senior management, board
of directors, analysts,
investors, business partners
To provide intended
users with information
about an entity’s
cybersecurity risk
management program
for making informed
decisions
Enterprise-wide
cybersecurity risk
management program
19. 19
Service Organization Controls - SOC 2 and 3
AICPA guidance — Footnote 1 of TSP section 100, Trust
Services Principles, Criteria, and Illustrations for Security,
Availability, Processing Integrity, Confidentiality, and Privacy
(AICPA, Technical Practice Aids), contains the following
definition of a system:
▪ Infrastructure — The physical and hardware
components of a system (facilities, equipment, and
networks)
▪ Software — The programs and operating software of a
system (systems, applications, and utilities)
▪ People — The personnel involved in the operation and
use of a system (developers, operators, users, and
managers)
▪ Procedures — The automated and manual procedures
involved in the operation of a system
▪ Data — The information used and supported by a
system (transaction streams, files, databases, and
tables)
Criteria for evaluating and reporting on controls related
to security, availability, processing integrity,
confidentiality, and privacy:
▪ Security — The system is protected against
unauthorized access (both physical and logical).
▪ Availability — The system is available for operation
and use as committed or agreed.
▪ Processing integrity — System processing is
complete, accurate, timely, and authorized.
▪ Confidentiality — Information designated as
confidential is protected as committed or agreed.
▪ Privacy — Personal information is collected, used,
retained, disclosed, and destroyed in conformity with
the commitments in the entity’s privacy notice and
with criteria set forth in Generally Accepted Privacy
Principles (GAPP)
20. 20
SOC 2 Applicability
Considerations of where SOC2 reports may be applicable for your organization, SOC 2 Reports are
applicable when an entity outsources the collection, processing, transmission, storing, organizing,
maintenance or disposal of the entity’s information.
Here are some examples where a SOC 2 report should be obtained:
Cloud Service
Providers
Fintech
Intellectual
Property
Protection
Sales Force
Automation
HealthCare
Providers and
Payers, HIPAA
Data Center
Hosting Service
Providers
21. 21
Service Organization Controls - SOC 2/3
Security
▪ IT security policy
▪ Security awareness and
communication
▪ Risk assessment
▪ Physical access
▪ Environmental controls
▪ Security monitoring
(breaches)
▪ User authentication
▪ Incident management
▪ Asset classification and
management
▪ Systems development and
maintenance
▪ Logical access
▪ Configuration
management
Availability Confidentiality Processing Integrity Privacy
▪ Availability policy
▪ Backup and restoration
▪ Disaster recovery
▪ Confidentiality policy
▪ Confidentiality of inputs
▪ Confidentiality of data
processing
▪ Confidentiality of outputs
▪ Information disclosures
(including third parties)
▪ Confidentiality of
Information in systems
development
▪ System processing
integrity policies
▪ Completeness, accuracy,
timeliness, and
authorization of inputs,
system processing, and
outputs
▪ Information tracing from
source to disposition
▪ Notice
▪ Choice
▪ Access
▪ Security
▪ Data Integrity
▪ Training and Awareness
▪ Enforcement and
Compliance
22. 22
Cloud Security Alliance - Cloud Controls Matrix
The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) is specifically designed to provide
fundamental security principles to guide cloud vendors and to assist prospective cloud
customers in assessing the overall security risk of a cloud provider.
▪ It provides a controls framework is aligned to the
Cloud Security Alliance guidance in 16 domains.
▪ The foundations rest on its customized relationship
to other industry-accepted security standards,
regulations, and controls frameworks such as the
ISO 27001/27002, ISACA COBIT, PCI, NIST, Jericho
Forum and NERC CIP
▪ It will augment or provide internal
control direction for SOC attestations
provided by cloud providers.
26. Cloud Audit Implementation - Example
Disclaimer:
Because of time limitation to present the material, for example purpose, this section will cover the overview of Google
Cloud features which support audit function as the speaker experience is on GCP platform.
27. 27
Identity and Access Management in GCP
Source: https://cloud.google.com/iam/docs/overview
Policy is set on a resource, and
each policy contains a set of:
▪ Roles
▪ Role members
Resources inherit policies from
parent:
▪ Resource policies are a union of
parent and resource.
If parent policy is less restrictive,
it overrides a more restrictive
resource policy
Understanding IAM in
Cloud is very important !!!
29. 29
Audit Logs in GCP
Cloud Audit Logs returns three types of logs:
Log Entry
Type
Description Operations (sample)
Retention
Period
Admin
Activity
Contains log entries for operations that
modify the configuration or metadata
of a Compute Engine resource. Any API
call that modifies a resource such as
creation, deletion, updating, or
modifying a resource using a custom
verb fall into this category
▪ Creating resources
▪ Updating/patching resources
▪ Setting/changing metadata
▪ Setting/changing tags
▪ Setting/changing labels
▪ Setting/changing permissions
400 days
System
Event
Contains log entries for system
maintenance operations on Compute
Engine resources
▪ On host maintenance
▪ Instance preemption
▪ Automatic restart
▪ Instance reset
400 days
Data
Access
Contains log entries for operations that
perform read-only operations that don't
modify any data, such as get, list, and
aggregated list methods. (ADMIN_READ
and DATA_READ)
▪ Getting information about a resource
▪ Listing resources
▪ Listing resources across scope
(aggregated list requests)
30 days
Understanding different type of
audit logs is important !!!
30. 30
Groups vs Label vs Tags
Source: https://cloud.google.com/blog/products/gcp/labelling-and-grouping-your-google-cloud-platform-resources
Labels -> billing / cost transparency
Tags -> manage network traffic
Security Marks -> resource grouping
34. 34
Cloud Audit Logs Best Practices
Cloud Audit Logs is a powerful tool that can help you manage and troubleshoot your GCP environment, as
well as demonstrate compliance. Here are some best practices to keep in mind:
❑ Use a test project to validate the configuration of your data-access audit collection
before propagating to developer and production projects
❑ Be sure you’ve applied appropriate IAM controls to restrict who can access the audit
logs
❑ Determine whether you need to export logs for longer-term retention
❑ Design aggregated exports on which your organization can filter and export the data
for future analysis
❑ Configure log sinks before you start receiving logs
❑ Follow the best practices for common logging export scenarios
❑ Make sure to use exclusion filters to exclude logging data that isn’t useful.
35. 35
See the difference between
“IT Auditor” and “Engineer Auditor” ?
General Control Specific Controlvs
Surrounding environment Specific Resources
36. 36
KEY TAKEAWAYS
Cloud customers have to understand the share responsibilities between customer
and cloud provider
Different cloud service model (IaaS, PaaS, SaaS) has different audit
methodology
Customer’s IT Auditor have to be trained to have the skills needed to audit
the cloud service
Understanding IAM in Cloud is very important. Each Cloud Service Provider
has different IAM mechanism
Understanding different type of audit logs in cloud platform is important for IT
Auditor