As organizations increasingly migrate to cloud computing, they could be putting their data at significant risk. Positioning the internal audit (IA) function at the forefront of cloud implementation and engaging IA to create a cloud risk framework tool can provide organizations with a view on the pervasive, evolving and interconnected nature of risks associated with cloud computing. Engaging IA in discussions with the business and IT units early on is also critical to addressing potential risks.
Not Every Cloud Has a Silver Lining
“Cloud computing is changing the technology landscape, and the changes are only likely to intensify,” says Khalid Wasti, a director at Deloitte & Touche LLP. “For many organizations, the question is not whether the cloud should be part of their technology strategy, but when and how.” Under pressure to provide solutions, organizations may be tempted to leverage cloud services quickly, without weighing the associated risks, such as:
Data breaches—Particularly in multi-tenant cloud service databases. A flaw in one client’s application could give an attacker entrance to other clients’ data as well. Breaches could expose email databases, putting email accounts of thousands of end customers at risk of increased spam and phishing scams. Worse yet, data breaches could also reveal customers’ passwords, and even personal and financial information, to hackers.
Data loss—Malicious hackers, natural disasters or lapses in provider services could result in a loss of customer data. For example, bugs in web-based email services could lead to the disappearance of users’ messages, folders, inboxes or entire email accounts. Data loss could be particularly detrimental to organizations that are required to store information in compliance with industry regulations, such as healthcare organizations that must comply with the Health Insurance Portability and Accountability Act.
Downed reservations systems and websites—Whether due to denial of service attacks, severe storms or technical glitches, outages could result in thousands of inconvenienced customers (for example, airline travelers) and the disruption of traffic (and commerce) at client websites.
When a company opts for the speed and convenience of moving to the cloud, it also may relinquish control not only of its own data, but that of its customers.
Internal Audit and the Cloud Risk Framework
“Cloud computing presents a new frontier for many organizations, and IA can help provide the context and risk framework an organization should consider when moving to the cloud,” says Michael Juergens, principal, Deloitte & Touche LLP. “For internal auditors, meeting the challenges of cloud computing may mean stretching beyond their traditional audit roles, adding greater value as they assist the organization in building the required control environment,” he adds.
As an initial step, an organization should work with IA to create a cloud risk framework tool. “The tool can help the organization get to the heart of risks by providing a view on the pervasive, evolving and interconnected nature of risks associated with cloud computing,” adds Mr. Wasti. These include governance, risk management and compliance; delivery strategy and architecture; infrastructure security; identity and access management; data management; business resiliency and availability; and IT operations. Such a tool can also improve efficiency in compliance and risk management efforts and be used to develop risk event scenarios that require integrated responses.
To be more effective, the framework tool should be customized to include regulatory, geographic, industry and other specific issues that impact the organization. As IA modifies its organizational risk framework and guides the risk conversation with IT and the business, the following issues pertaining to infrastructure security, identity and access management and data management should be taken into account:
Infrastructure Security—Companies should verify that cloud providers have acceptable procedures in areas such as key generation, exchange, storage and safeguarding, as flawed security could result in the exposure of infrastructure or data.
Identity and Access Management—Organizations should consider how their authorization and access models will integrate with new cloud services and assess whether they are using appropriate identity and authorization schemes.
Data Management—Because organizations may have to relinquish control over their data to cloud providers, it is crucial that they fully understand how data will be handled in the cloud environment.
Moving Forward
Implementing a cloud strategy changes the risk landscape in profound ways. As some risks are minimized, others spring up in their place. “Recognizing and responding to this shifting organizational risk profile is IA’s purview,” says Charlie Willis, a senior manager at Deloitte & Touche LLP. “Because internal auditors understand the interplay between business processes and risk, they can help business leaders to articulate their appetite for risk and help develop strategies for mitigating it,” he adds. As the organization adopts technology initiatives that involve cloud computing, IA should consider taking proactive steps, including the following:
Engage stakeholders—Encourage IT and business executives to have an informed conversation about the move to the cloud. Help stakeholders understand the potential for rogue IT environments. Explore which applications and data are candidates for transfer to a cloud environment and be prepared to discuss the risk implications of the move.
Review the organizational risk framework—Revise the company’s risk framework, minimizing risks that are no longer a concern. This framework tool should measure the organization’s cloud capability state across the different cloud risk domains.
Evaluate potential cloud vendors—IT will be most familiar with the range of vendors, and the business leaders will be able to articulate the objectives of a move to the cloud. “IA should also be engaged in risk discussions,” notes Mr. Willis, “along with the organization’s security, risk and compliance groups, and help the organization develop an assessment profile for vendors.”