Five Major Auditing Challenges in Cloud Computing and How to Overcome Them

金正日范教授
Author: 金正日范教授, CIA, Market Advisor - SOX & Compliance, AuditBoard
Published: September 30

Editor's note: The following is a sponsored blog post from AuditBoard.

While cloud computing provides a long list of benefits, it is not without challenges. Having previously discussed the elements of cloud computing, in this article we'll focus on how to tackle key auditing challenges.

According to Flexera's 2022 State of the Cloud Report, the need for security is the top cloud-related challenge. In fact, in 10 of the last 11 State of the Cloud reports, security was the number one challenge identified by those surveyed. Why does cloud security present such a challenge?

Security and Threats in the Cloud Environment
Life before the cloud limited access to certain devices and networks, incorporated defensive layers to protect internal applications and data, and relied on a known and manageable security perimeter to prevent unauthorized access. Life in the cloud offers fewer controls. In theory, any user with any device can access the cloud, so it may not be as easy to control access to data. A clearly defined security perimeter may no longer exist, and there are limited tools and visibility detailing how users interact with cloud-based data when it is managed by a third-party vendor.

Consequently, the threats in the cloud differ from those in the traditional IT environment. Rather than infecting devices, attackers target users to steal their login credentials and gain access to cloud computing platforms. With traditional IT, security professionals monitor local network backdoors for unauthorized access. In the cloud, there's a need to monitor cloud application backdoors that are less controlled and less visible to your IT team.

Auditing the Cloud: Five Major Challenges
So, with an understanding of how the cloud differs from traditional IT and an appreciation of the threat landscape, what are the top auditing challenges facing organizations?

  1. Can you identify cloud usage? Is your IT team able to determine which cloud solutions are currently in use? Is there a process to authorize the use of additional cloud computing platforms? Identifying the use of cloud computing is important in understanding the cloud computing risks that are relevant to your environment, so that appropriate controls are in place and operating effectively to mitigate those risks.
  2. How do you control and monitor user access? What type of information do users access, store and transmit in the cloud? What checks and balances do you use to manage the type of information users can access? Do you manage each user's role and permissions according to their job function? Provisioning access using the concept of least privilege is just as important in the cloud as in a traditional IT environment, so that segregation of duties still exists.
  3. Do you control the security of the devices used for access? Do you allow employees to use their own devices to access cloud computing platforms? For personal and company-issued devices, what security is in place to limit the risk of an attack?
  4. Do you have the right to audit? Do your contracts with cloud providers include a right-to-audit clause? The larger the cloud provider, the less likely it is to allow the inclusion of such a clause, so it's important to understand your rights and to request access to the cloud provider's System and Organization Controls (SOC) reports to confirm that appropriate controls are in place and operating effectively to keep your data secure.
  5. Does your audit team have the ability to audit the cloud? To audit and oversee the cloud, your audit team must possess the appropriate skills and expertise. The Cloud Security Alliance and ISACA jointly developed the Certificate of Cloud Auditing Knowledge (CCAK) credential, which includes a risk-based approach to cloud migration and auditing strategies.
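Challenge 2 above asks whether roles follow job function, whether least privilege is applied, and whether segregation of duties survives the move to the cloud. The following is an added example (not code from the original post or from AuditBoard) of the kind of check an audit team can run over an IAM export: it computes each user's effective permissions from their roles, flags users who hold both halves of a conflicting permission pair, and lists permissions that were granted but never exercised in an observation window. All users, roles, permission names, conflict pairs and the access summary are constructed sample data; a real review would pull them from the platform's IAM service and access logs.

```python
"""Segregation-of-duties and least-privilege review over a constructed IAM model.

Added example, not the original post's or AuditBoard's code. Every name below
is hypothetical sample data standing in for an IAM export.
"""

# Constructed role -> permission mapping (hypothetical permission names).
ROLE_PERMISSIONS = {
    "ap-clerk": {"invoice:create", "invoice:read"},
    "ap-approver": {"invoice:approve", "invoice:read"},
    "treasury": {"payment:release", "invoice:read"},
    "storage-admin": {"bucket:write", "bucket:delete", "bucket:read"},
    "auditor": {"invoice:read", "bucket:read", "log:read"},
}

# Constructed user -> role assignments.
USER_ROLES = {
    "alice": {"ap-clerk"},
    "bob": {"ap-clerk", "ap-approver"},    # can both create and approve invoices
    "carol": {"treasury", "auditor"},
    "dave": {"ap-approver", "treasury"},   # can both approve and release payment
}

# Permission pairs that should never rest with a single person (constructed).
SOD_CONFLICTS = [
    ("invoice:create", "invoice:approve"),
    ("invoice:approve", "payment:release"),
]

# Constructed summary of an access-log window: permissions each user actually used.
OBSERVED_USE = {
    "alice": {"invoice:create", "invoice:read"},
    "bob": {"invoice:create", "invoice:read"},
    "carol": {"invoice:read", "log:read"},
    "dave": {"invoice:approve", "payment:release", "invoice:read"},
}


def effective_permissions(user: str) -> set[str]:
    """Union of the permissions granted through every role the user holds."""
    perms: set[str] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def sod_violations() -> dict[str, list[tuple[str, str]]]:
    """Users whose combined roles grant both permissions of a conflicting pair."""
    findings: dict[str, list[tuple[str, str]]] = {}
    for user in USER_ROLES:
        perms = effective_permissions(user)
        hits = [pair for pair in SOD_CONFLICTS if pair[0] in perms and pair[1] in perms]
        if hits:
            findings[user] = hits
    return findings


def unused_permissions(user: str) -> set[str]:
    """Granted but never exercised in the window: candidates for removal under least privilege."""
    return effective_permissions(user) - OBSERVED_USE.get(user, set())


if __name__ == "__main__":
    for user, pairs in sorted(sod_violations().items()):
        print(f"SoD conflict: {user} holds {pairs}")
    for user in sorted(USER_ROLES):
        unused = unused_permissions(user)
        if unused:
            print(f"Least-privilege candidate: {user} never used {sorted(unused)}")
```

Both findings lists map directly to the audit questions: a non-empty `sod_violations()` answers "does segregation of duties still exist?" in the negative for the named users, and `unused_permissions()` gives the concrete entitlements to challenge during a periodic access review. Extending the conflict list and the observation window is a policy decision for the audit team, not a code change.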

To ensure your organization selects secure cloud platforms, your internal audit department should be involved in the procurement, design and adoption of cloud solutions. Consider using the Cloud Security Alliance Cloud Controls Matrix and the Consensus Assessments Initiative Questionnaire (CAIQ) as resources to identify appropriate risks and controls related to your cloud computing environment. Using connected risk software to manage the controls needed to mitigate cloud-related risk is a prudent investment that can provide peace of mind.

Cloud computing is a critical resource for most organizations, and while it brings a certain degree of risk, there's much that your internal audit team can do to limit your exposure. By addressing the audit challenges described in this article, your organization will be able to embrace the cloud without accepting excessive risk.