
Auditors are responsible for validating that their clients adequately address a collection of controls and processes in order to receive a stamp of approval for satisfying the requirements of a given set of constraints as defined by a governing set of laws. There are many different regulations that exist today. In order for a company to determine which regulations apply to it, the company must have a firm understanding of its industry’s standards, business processes, and data requirements. When dealing with IT systems, auditors validate the process and controls in the following areas (when necessary):

• Physical environment. Perimeter security, data center controls, and so on.

• Systems and applications. Security and controls of network, databases, software, and the like.

• Software development life cycle (SDLC). Deployments, change management, and so forth.

• Personnel. Background checks, drug testing, security clearance, and more.

Before cloud computing, an auditor could sit down with a client and map personnel and physical infrastructure to the different controls and processes that were to be audited. Auditors had access to physical data centers whether they were located at a client’s property or at a third-party facility. In either case, the auditors could point to a physical machine and inspect the physical security of the data center. In the cloud, this is not the case. Now, certain controls and processes map to a CSP instead of to an individual. When that occurs, the auditor must rely on the auditing information produced by that CSP, which is why compliance is such a high priority in the cloud. Without proof of compliance, a CSP could cause a customer to fail its audit. This is one major reason why some companies prefer to build private clouds. They want to be in total control of the data, the processes, and the controls and not rely on another entity when it comes to security, privacy, and regulation. The irony of that decision is that in many cases, it would be easier and more cost-effective to rely on CSPs if certain functions of the application were managed by certified CSPs.

A public Infrastructure as a Service (IaaS) environment is a multitenant environment, meaning multiple customers share compute resources. The IaaS provider will not allow an auditor of one of its tenants to access the infrastructure because it has an obligation to protect the rights of all of the other tenants. The IaaS provider will have its own auditors audit its perimeter security, processes, and controls, but no tenant’s auditor will be able to physically access the actual infrastructure (the tenant has no idea what infrastructure it is running on, anyway). Auditors will be forced to inspect the white papers and published audit reports that the IaaS providers produce and will have no access to public IaaS data centers. For private IaaS data centers, auditors may have access to inspect the actual infrastructure and assess the physical perimeter security, unless the private cloud is hosted by a CSP.

With Platform as a Service (PaaS) CSPs, the physical aspects of auditing are even more complex. Not only is the infrastructure abstracted and managed by the CSP, the application stack is, too. Tasks like monthly patching, locking down the operating system, intrusion detection, and others are all managed by the CSP. In some instances, even the database is controlled and managed by the CSP, and the customer only controls database access and the administration of users. Even more responsibility is outsourced to the CSP with Software as a Service (SaaS) applications. In addition to being responsible for the infrastructure and application stack, SaaS providers also have responsibility for the entire application. Consumers of SaaS solutions have very limited responsibilities in this case. In Chapter 9, “Security Design in the Cloud,” we will discuss this in great detail.

Why is all of this important? There are a number of regulations that must be adhered to if a company wishes to operate certain business processes in the cloud. Many customers will not do business with a company that offers cloud services that are not in compliance with various regulations. For example, a U.S.-based company offering cloud-based services for automating health records processing on behalf of health care providers will have a very hard time finding a customer if it is not HIPAA compliant. HIPAA is the Health Insurance Portability and Accountability Act put in place by the United States federal government that requires health care providers to apply appropriate levels of administrative, technical, and physical controls to ensure the privacy of consumers’ protected health information (PHI). Health care providers are very unlikely to engage with a CSP that is not HIPAA compliant because by doing so, the health care provider may fall out of compliance, which could lead to unpleasant consequences for its business, such as fines, legal issues, lost business, and bad publicity.

It is important that architects and product managers understand who is responsible for the data within each service model and how that responsibility is assessed in the audit process, so that the appropriate processes and controls can be put in place. It is equally important to understand when certain regulatory requirements are in scope, which leads us to our next section.