In Brief

Many organizations are moving some or all of the technology operations to the cloud to reap the various benefits such a relationship can provide, such as flexibility, scalability, and affordability. But along with those benefits come certain risks, such as control and security, which organizations must also consider. To fully benefit from the opportunities cloud computing presents, organizations must adopt appropriate risk management strategies and delineate responsibilities clearly so that their relationship with the cloud remains a friendly one.

***

Be slow to fall into friendship; but when thou art in, continue firm and constant.

—Socrates

The cloud computing relationship should positively impact most organizations’ ability to achieve strategic objectives effectively and efficiently. Recently, Deloitte determined: “Companies across industries are modernizing their data platforms to leverage new-age applications and advanced analytics at the same time as they are moving their data to the cloud.” That same Deloitte study suggested that cloud and data modernization are highly interrelated and actually reinforce each other (https://bit.ly/3cxFhzU). The cloud allows organizations to rapidly adopt technological solutions, scaling up or down as organizational needs dictate to provide executives the flexibility needed to respond to changes in the marketplace and the economy. To benefit from the cloud service provider (CSP) relationship, an organization must nurture it by implementing effective controls and other risk mitigation strategies. As organizations continue to enhance their vendor management relationship maturity, they continue to face challenges in managing their CSP. Perhaps it is due to the inherent technical complexity of the solutions provided by the cloud, the new technology with a vocabulary all its own, or the understatement of responsibilities expected of organizations in cloud vendor promotional materials.

No matter how well a particular organization discharges its responsibilities, it will face challenges. Organizations that increase their use of the cloud accept that the cloud’s benefits exceed the potential risks. These risks can include societal concerns about consolidating computer processes into a small number of mega-vendors, which could result in a catastrophic attack from threat agents. Unique organizational concerns can include transferring physical control of data entrusted to them, or relying on a vendor ecosystem with a questionable history of disclosing information to facilitate governance and oversight. Assurance services, such as the AICPA’s “SOC for Service Organizations” reports performed by CPAs, can mitigate some concerns. Other assessment reports provided by the information security community (i.e., non-CPAs) potentially raise questions about the profession’s ability to respond to the latest attacks and other risks of cloud technologies.

To take advantage of the strategic opportunities cloud solutions can deliver, the accompanying risk management strategies that the organization must take are different from those portrayed in the popular trade press or vendor sales materials. For many organizations, the good news is that, just as they do with other business risks, understanding and effectively governing cloud computing threats by managing cloud activities within their acceptable risk tolerances will drive enterprise value.

Enabling Opportunities

Digital transformation requires cloud computing and the need to manage the various enterprise risks associated with cloud computing. Ten years ago, COSO highlighted the opportunities and threats of cloud computing and corresponding impacts to driving enterprise value through its “Enterprise Risks for Cloud Computing” thought paper (https://bit.ly/3cxY5z0).

The cost of obtaining the potential benefits of the cloud is losing complete control over the organization’s data and associated technology resources to the CSP. The more the organization uses “as a service” (see the Sidebar, “What is ‘as a Service?’”), the less the organization can directly control and manage its technology assets. Many CSPs offer a “take it or leave it” approach to their contracts. Minimizing customization reduces cost and leads to risk mitigation gaps or the inability to differentiate provided services in a competitive market.

What is “as a Service?”

The National Institute of Standards and Technology (NIST) defines cloud computing as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model comprises five essential characteristics, three service models, and four deployment models (Special Publication 800-145, “The NIST Definition of Cloud Computing,” https://bit.ly/3czQkbP, p. 2). When planning any cloud solution to a business challenge, executives should understand how the considered solution fits into service and which unique risks need attention. On-demand self-service, broad network access, resource pooling, rapid elasticity, and measure service comprise the essential characteristics of the NIST cloud model. As a result, executives should consider measuring the CSP’s capability and performance in these areas when considering service-level agreements.

Deployment cloud models specified in the NIST document include private, community, public, and hybrid. At first, a remote cloud deployment sounds low-risk, as a single organization uses it. While this does lower risk, executives need to consider who owns and operates this deployment, as it can be by the organization itself, a CSP, or a combination. Executives will also need to determine the deployment location, which may be either on- or off-premises. Community deployments reflect the needs of organizations having similar concerns. It provides the same choices in deployment as private. A public cloud is for general use by the public and is deployed at the CSP only. A hybrid cloud is a combination of the above.

Although the NIST identifies the three well-known service models: Infrastructure, Platform, and Software, some vendors leverage the term “X as a Service (XaaS)” as part of their marketing strategy. Typical uses include Banking as a Service, Disaster Recovery as a Service, and Security as a Service. Although used in business, the NIST definition of cloud computing does not encompass these variations.

Understanding the Responsibilities

Moving to the cloud involves more than just signing a contract. Organizations may need to consider the impact of software licenses, the ability to respond to and investigate security incidents, the training involved in learning new security tools and using them effectively, the maintenance of backups, and the reduced visibility into your data and other processed resources. One feature, application programming interfaces (API), enables organizations to manage interactions with their CSP. A blog from the prestigious Software Engineering Institute at Carnegie Mellon University, Pittsburgh, warns: “These APIs can contain the same software vulnerabilities as an API for an operating system, library, etc. Unlike management APIs for on-premises computing, CSP APIs are accessible via the Internet, exposing them more broadly to potential exploitation. Threat actors look for vulnerabilities in management APIs [https://bit.ly/3cAr5pz].” Responding to the API threat, the Open Web Application Security Project (OWASP) created a dedicated API security project (OWASP API Security—Top 10, https://bit.ly/3xraa0X). Last year, The CPA Journal provided a basic introduction to cloud computing opportunities, operationalizing cloud activities, defining the roles and using the cloud’s shared responsibility model, and managing the disruption caused by adopting cloud computing (“Managing the Impact of Cloud Computing: Perspectives on Vulnerabilities, ERM, and Audit Services,” Meredith Stein, Vincent Campitelli, and Steven Mezzio, June 2020). The article informed readers about the National Institute of Standards and Technology (NIST) Cloud Computing Services Deployment Models, the three primary models of Cloud Services, the Cloud Security Alliance (CSA) Top 11 Threats to Cloud Computing, and the types of AICPA SOC Reports.

Many organizations recognize applicable cybersecurity threats and the role that effective third-party oversight can play in helping to manage these threats.

In designing controls, organizations should consider at least three “as-a-service” (XaaS) models. These service models range from the cloud provider providing minimalist support focused on physical needs (infrastructure, or IaaS) to a more fully supported offering that provides business functions (software, or SaaS). A middle-of-the-road (platform, or PaaS) provides a platform to develop applications (see the Sidebar, What is “as a Service”?). For many, their view of the cloud most resembles the SaaS model, where cloud vendors provide applications and supporting infrastructure while the organization focuses on its “consumer” role.

A business always remains accountable (whether directly or through some oversight) for the confidentiality, integrity, and availability of its customers’ information and depending on the business and its corporate fiduciary obligations, protection of trade secrets, and intellectual property. A company’s accountabilities also include ensuring that the applications function with completeness and accuracy, and adhere to organizational rules and expectations. As described in the Sidebar, “Regulatory Perspectives,” this is especially true for regulated industries or those companies needing to adhere to technical standards reinforcing organizational accountability over entrusted data despite using a cloud solution. Despite the emerging technology, traditional governance strategies with enhanced vendor oversight processes can help address various regulations and requirements.

Regulatory Perspectives

Given security concerns–including confidentiality, integrity, and availability–CPAs involved with regulated industries should be familiar with the guidance related to cloud services that have been issued by their regulatory bodies.

The Federal Financial Institutions Examination Council (FFIEC) issued “Security in a Cloud Computing Environment” in April 2020. According to the press release, “The statement does not contain new regulatory expectations, though it highlights that management should not assume that adequate security and resilience controls exist simply because the technology systems are operating in a cloud computing environment [https://bit.ly/2RQfUCc].” In providing guidance, the FFIEC reiterated core risk management issues, such as governance, cloud security management, change management, resiliency and recovery, and audit and controls assessment. Although geared to financial institutions, the guidance and recommendations apply to all organizations. Organizations use these as a high-level benchmark for executives seeking reputable advice on managing common cloud challenges.

The U.S. Department of Health and Human Services (HHS) has also issued guidance for the Health Insurance Portability and Accountability Act (HIPAA)-covered entities and business associates so that “they can take advantage of cloud computing while complying with regulations protecting the privacy and security of electronic protected health information [ePHI]” (https://bit.ly/3pQyg2n). HHS reiterated that “covered entities and business associates must comply with the applicable provisions of the HIPAA Rules.” With regard to CSPs, “when a business associate subcontracts with a CSP to create, receive, maintain, or transmit ePHI on its behalf, the CSP subcontractor itself is a business associate.”

Although not a regulator per se, the Payment Card Industry Security Standards Council (PCI-SSC) issues guidance for organizations accepting and processing payment card data, such as “PCI-SSC Cloud Computing Guidelines” (https://bit.ly/3cxfCaw). Even if an organization does not need to follow any of these guidelines, CPAs will find in them reputable advice and recommendations for managing various cloud-related security risks.

Managing the Relationship

Considering the significant potential opportunities, some organizations have adopted a cloud-first strategy. The idea is to consider, or even give preference, to a cloud-based solution over traditional in-house data center strategies. Given internal political pressure and the ease of signing up for cloud services, this trend should be expected. A publication survey of technical professionals conducted by O’Reilly, a leading publisher of technology media, revealed that a “surprising number of respondents—approximately 25%—said that their companies plan to move all of their applications to a cloud context in the next year. This includes 17% of respondents from large organizations [over 10,000 employees] that have already moved 100% of their applications to the cloud” (“Cloud Adoption in 2020,” O’Reilly, https://bit.ly/2TTvJZj).

With so many opportunities, these survey results are not surprising. Many organizations recognize applicable cybersecurity threats and the role that effective third-party oversight can play in helping to manage these threats. Key cloud providers, such as Amazon (https://aws.amazon.com/security/) and Microsoft (https://azure.microsoft.com/en-us/overview/security/) provide extensive information tools, training, and third-party reports to facilitate the adoption of their services. By doing so, other CSPs such as SaaS providers leverage the reputations of these providers in selling their services. Unfortunately, some SaaS buyers do not realize that the security provided by Amazon or Microsoft may not carry through to the SaaS or its customers.

Avoiding cloud headaches requires knowing what type of relationship the organization has entered into, understanding how entrusted data flows between CSPs, and appreciating contractual responsibilities. The accounting profession has always appreciated the need to understand the background and what needs to be protected. AU-C 315, “Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement,” codifies that expectation for an audit of financial statements. Executives can apply the spirit of the standard to developing a process to manage cloud computing risks.

The first challenge is understanding the type of cloud computing used by the organization. This should be easily determined in a smaller centralized environment or a company with solid technology governance. Unfortunately, the short-term lower cost of a cloud solution, compared with a more expensive in-house investment, can lead business units to circumvent organizational control. The organization may need a cloud access security broker (CASB) to determine its users’ type of cloud services. Of course, a review of the accounts payable file, when practical, can also reveal recurring payments to vendors that could signify cloud contracts.

Those cloud computing payments could also identify a source of conflict between organizations and their CSPs. CSPs typically bill on a metered, or pay-as-use, method rather than a fixed cost, although some CSPs do charge a fixed monthly minimum fee. As variable pricing prevails, the CSP should substantiate the charges. Sometimes, the substantiation may be difficult for the organization to understand; other times, even if the CSP provides pertinent details, the organization may not have records of activities to reconcile invoice charges. Often, the organization’s sole control in this area is to analyze budget variances and trend analysis. Training employees in using cloud resources and organizational expectations, supplemented with an appropriate cloud policy, can mitigate risk. Organizations should take advantage of limit alerts and other pricing warnings when provided by the CSP.

Once the organization has developed a complete list of cloud relationships, it should understand how and where its data gets transmitted or stored. It is not uncommon for executives to believe that vendors whose software they are using—typically a SaaS provider’s—may use other CSPs to process and store data. Those entities subjected to regulation frequently use data flow diagrams or maps to understand better and identify how their entrusted data is transmitted, processed, and stored. Even if these requirements do not apply to their organization or client, they need these answers to mitigate risks that might involve insurance claim recoveries in case of a data breach, computer forensic requests, local laws, and—in some cases—data ownership rights. An organization may not have contractual relationships regarding data storage that demand a certain level of compliance or data protection. In those cases, it is critical to understand this risk, and ensure the inclusion of contractual obligations to reduce the risk at the provider and their vendors.

CSP contract terms can cause service delivery disadvantages. Unfortunately, some CSPs provide the contracts as a take-it-or-leave proposal, with minimal discussion over contract terms. An organization must ensure that its rights are protected, which requires consultation with an appropriately qualified attorney. Contract issues to consider should include data ownership rights, responsibilities in case of a breach, protocols relating to transferring data, applications, and related technology resources to another CSP. Clearly defining the responsibilities of all parties increases transparency about how the CSP, as well as third parties that share data with the CSP, will use the organization’s data. Contracts should specify right to audit clauses and the availability of third-party review reports. Service-level agreements should include details related to operations and service delivery, including periodic reporting on critical commitments and indicators.

When introduced to a cloud computing relationship, an executive will also learn about the shared responsibility model. Numerous vendors provide similar pictures, models, and white papers to illustrate and describe the model. For example, the Center for Internet Security (https://bit.ly/2TTAHVX), a well-respected independent, nonprofit security organization, provides the model shown in the Exhibit. (The illustration provides an additional “as a service,” Function as a Service, as well as references to its publications that provide best practices for reducing cybersecurity-related risks.) Generally, cloud customer responsibilities decrease as the CSP delivers additional services. Before entering into a contract, and when continuing to perform oversight diligence, an executive should ensure the itemization of all responsibilities and accountabilities defined and performance monitored. It is the organization’s responsibility to know, confirm, and—where needed—test that all parties are adhering to their obligations to protect and accurately process data.

Exhibit

Center for Internet Security—Cloud Shared Responsibility

It is critical to understand this risk and ensure the inclusion of contractual obligations to reduce the risk at the provider and their vendors.

As with traditional on-premises technology operations, security is a critical component of the cloud relationship. For some, delegating security responsibilities to a competent third party is a primary reason for embracing the cloud. These actions demonstrate the intense focus that CSPs have placed on security offerings given that security was why organizations initially avoided the cloud. Cloud providers and their consumers use Cloud Security Alliance (CSA) guidance to enhance their security posture.

Depending on the sensitivity of the data and the importance of the CSP to an organization’s mission, executives should understand how their CSP addresses the controls identified in the CSA’s Cloud Security Guidance Document and related Cloud Computing Matrix. According to the CSA, the document provides guidance and inspiration to support business goals while managing and mitigating the risks associated with adopting cloud computing technology (https://cloudsecurityalliance.org/research/guidance/). Of note is the CSA’s identification of which controls apply to specific cloud models. Organizations should understand how well their CSPs address these cloud industry–recommended risk mitigation strategies.

Another essential CSA-related publication is the “Top Threats to Cloud Computing: Egregious Eleven Deep Dive.” CSA created this “survey report to help the industry stay up to date on the latest threats, risks, and vulnerabilities in the cloud” (https://cloudsecurityalliance.org/research/working-groups/top-threats/). How the organization and its CSPs think through these threats as part of their continuous risk assessment is a critical factor in helping to determine the capacity of both parties to protect, identify, and hopefully minimize the occurrence of these cloud-related threats. Ironically, half of the threats could be considered unique to the cloud; the other half (misconfigurations and insider threats) contain issues also common in traditional IT environments.

Using the System and Organization Controls (SOC) suite of service reports, CSPs can demonstrate that they provide customers with the capability to implement generally recognized controls to manage security responsibilities. Organizations should determine how well they include these provided controls into their overall control environment. These controls typically include organizational responsibility for configuration management (including utilizing features of the CSP service relating to compliance with corporate policies), access privilege management, application controls (e.g., edits and validations to support business policies), and logging requirements (audit trail) and preferences.

A Friend, if Properly Nurtured

Despite all the fear, concern, and discussion related to cloud computing technology in the wake of high-profile security breaches, a recent Wall Street Journal article highlights that the cause of a breach often results from human errors made by organizations, rather than cloud technology: “In Capital One’s case, for instance, a flawed firewall implementation allowed the attacker to gain access to a server hosted on Amazon’s AWS service, and the company said in its disclosure that AWS wasn’t to blame” (James Rundle, “Human Error Often the Culprit in Cloud Data Breaches,” https://on.wsj.com/3xeLrwI). So, yes, cloud computing can be the friend that can enable organizations to achieve their missions and dreams—if proper relationship controls function. A CSP should comply with, and provide independent assurance with, established cloud security principles, especially those focusing on security, availability, and integrity. From the customer perspective, the organization should educate personnel on effectively using the CSP’s services, monitoring activities, and implementing end user controls recommended by the CSP or its SOC report provider. If organizations do not fulfill their relationship responsibilities, the cloud could quickly become an enemy that could destroy the organization.

Joel Lanz, CPA, CISA, CISM, CISSP, CFE is a visiting assistant professor at SUNY–Old Westbury and provides infosec management and IT audit services through Joel Lanz, CPA, P.C., Jericho, N.Y. He is a member of The CPA Journal Editorial Advisory Board.