Cloud Computing — What IT Auditors Should Really Know

This article originally appeared on the ISACA Blog.

Organizations of every size can benefit from cloud computing as it provides a highly scalable solution that can drive down costs, maximize performance, and allow a business to focus on its core competencies. This article will cover cloud computing essentials, including the benefits of cloud computing, a brief overview of the deployment and service models, and the role of the internal audit department in cloud computing initiatives.

Cloud Computing Essentials: How to Deploy Cloud Services

Cloud computing is the on-demand delivery of IT resources, including servers, databases, storage, software, analytics, and intelligence, over the internet. Instead of investing in on-premises software and infrastructure, organizations have the flexibility to only pay for the cloud computing services they use, resulting in cost reductions. Furthermore, operating in the cloud provides customers with access to the latest technology, with the ability to scale as the needs of the organization grow. There are three different ways to deploy cloud services: on a public cloud, private cloud, or hybrid cloud.

1. Public Cloud

Much like a taxi car service, the public cloud is owned and operated by a third-party cloud service provider, including all hardware, software, and other supporting infrastructure. This means that services are accessed and managed through the internet, and hardware, storage, and network devices are shared with other organizations. The advantages of choosing to use the public cloud include lower costs as you only pay for the services you use, no maintenance, the ability to easily scale as demand increases, and high reliability. 

2. Private Cloud

Similar to a personal car not shared with others, with a private cloud all services and infrastructure are maintained on a private network and used exclusively by a single business or organization. The private cloud can be hosted onsite or by a third-party service provider. Notable advantages of a private cloud include greater flexibility, as organizations can customize the cloud environment to better meet their needs; higher levels of control and privacy; and typically the ability to scale more easily, especially when compared to on-premises infrastructure.

3. Hybrid Cloud

The third option, which combines private and public clouds, is similar to a rideshare service where you have the option to book a private or shared ride, depending on your needs. Typically, the most sensitive data resides on the private cloud, while the public cloud allows the organization to scale as needed. Organizations may choose a hybrid cloud model because it offers greater flexibility and control over deployment options, security, and compliance, since workloads can be moved between the public and private cloud environments as needed.

Cloud Computing Essentials: Service Models

Operating in a cloud environment can also differ depending on the service model selected. In a traditional IT environment, you are responsible for everything from purchasing the equipment to managing the infrastructure, development, and maintenance. With cloud computing, there are three different service models, each with varying degrees of customer responsibility: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).  

1. Infrastructure as a Service (IaaS)

Customers rent IT infrastructure from a cloud vendor (ex. Rackspace Technology), such as servers, virtual machines (VMs), storage, networks, and operating systems. However, they’re still responsible for managing the application, data, runtime, and middleware. This requires customers to still maintain a large portion of their own technical staff, such as developers, database admins, etc. To use the analogy of the pizza industry, this would be equivalent to buying a pre-made pizza from the store. The vendor is responsible for sourcing all the ingredients and making the pizza; however, you’re responsible for buying and maintaining any equipment needed to bake and serve the pizza at home.

2. Platform as a Service (PaaS)

Customers are only responsible for managing the data and applications, with all other services managed by the vendor (ex. Amazon Web Services). This service model is typically used for developing, testing, delivering, and managing software applications since it facilitates the deployment of applications while reducing the cost of purchasing and managing the underlying infrastructure. In the pizza industry, this would be equivalent to getting pizza delivered — the vendor is responsible for doing all the work except for providing a space with tables and silverware needed for you to eat the pizza. 

3. Software as a Service (SaaS)

In this model, the cloud vendor is responsible for delivering all aspects of a software application over the internet (ex. Office 365). This eliminates the customer’s need to maintain and support the application as the responsibility is completely transferred to the vendor with the customer essentially becoming an end user accessing an interface. In our pizza analogy, this would be equivalent to eating pizza at a dine-in restaurant where all responsibility for sourcing the ingredients, cooking, and serving the pizza is passed onto the restaurant.  

Cloud Computing Initiatives and IT Audit

Given the growing reliance on cloud computing, IT auditors should adopt a proactive approach to cloud initiatives and position the department as a trusted advisor. This includes participating early in the procurement process to validate business use cases, ensure that right-to-audit clauses are included in contracts, and provide objective insights. Internal audit can also help uncover and mitigate risk and provide guidance on the impact of regulations on data security in the cloud. Other assurance services can also be provided, such as data migration audits, system implementation audits, control testing, and reviews of service organization control (SOC) reports.

To assist with auditing in a cloud environment, leverage available tools such as the Cloud Security Alliance Controls Matrix, the Consensus Assessment Initiative Questionnaire (CAIQ), or a compliance software solution to help account for the controls needed to mitigate risks. By doing so, your organization can focus on the control environment proactively rather than reactively.


Kim Pham, CIA, is a Market Advisor, SOX & Compliance at AuditBoard, with 10 years of experience in external and internal audit. She started her career in at Deloitte & Touche LLP., and continued to grow her experience in internal audit focusing on SOX compliance and operational audits at Quiksilver, the California State University Chancellor’s Office, and CKE Restaurants.