A cloud audit is an organization's assessment of how it uses cloud services and of the controls its cloud vendor provides. Auditors can survey many aspects of cloud use, including compliance with regulatory standards.
Shinesa Cambric and Michael Ratemo, authors of Cloud Auditing Best Practices, acknowledge the complexity of cloud audit and cloud compliance, but they have created a set of practices to aid IT auditors. In this Q&A, Cambric and Ratemo discuss the relationship between cloud audit and cloud compliance, as well as how both relate to governance.
Editor's note: The following interview was edited for length and clarity.
How does cloud audit fold into compliance?
Shinesa Cambric: There are a lot of resources for auditors and compliance when it comes to on premises, but for those companies that are transitioning to the cloud, how do you relate that to an on-premises experience? How do you navigate step by step through each of the cloud providers to check for compliance within those systems?
Michael Ratemo: When we came up with the idea to write this book, one of the things we had in mind was how we can accommodate the different compliance regulations that are out there. One of the gaps we had seen was that there was no particular documentation or prescriptive guidelines for how you can audit the cloud. Part of auditing the cloud is looking at the different compliance regulatory standards. We wrote the book from the perspective of auditing these different components and including compliance as part of that. For example, with some of the different platforms, like AWS, they have a compliance module where you can check a box that can look for all the attributes for something like PCI. With that, you can assess the maturity of the organization from a compliance perspective as well as look at the security of it.
What is the importance of compliance?
Cambric: There is a two-fold type of experience. Compliance is not security, and security is not compliance -- but they need to work hand in hand. If you don't have that checklist or prescriptive guidance, then how do you know your security controls are being implemented effectively?
Ratemo: Compliance regulations have been set up for you to have a minimum standard of security. It does help to ensure that all organizations are at a baseline. If they have to adhere to certain compliance standards, at least they will have the minimum security baseline that they need to have. Compliance does not equal security, but, if you at least have the compliance standards in place, you have something which is better than having nothing.
How does auditing play a role in compliance and governance?
Cambric: Some companies have an internal compliance or auditing organization. The importance of this book is that it helps them understand what the questions are that they should be asking. What are the areas within the environment they should be looking at? Then they can come together with other partners, like cloud engineers, developers and their security teams, to make sure that there is a comprehensive program in place.
Ratemo: Auditing is having an evaluation of your program. It's a third party looking at your program with independent eyes. Whenever organizations implement compliance and governance programs, the function of auditing is to come in and give an unbiased review of how this program has been implemented. That is what the role of auditing is: we come in there and give you recommendations, based on best practices or a framework, on how you've implemented your governance or compliance.
Do you have advice for any IT auditors who are just starting out?
Cambric: Make sure you continue to invest in yourself and in learning. Look at the trends. Where is the industry going? Where are companies going? Keep up with trends like ChatGPT. What do these trends mean for auditing in the future? Make sure you have a foundational understanding of those types of technologies with cloud.
Ratemo: Have an open and inquiring mind when you're performing audits. When you're performing audits, you have to review business processes and interact with a lot of stakeholders. You need to have an open mind and listen without bias to every piece of information that you get. You will have to be able to make decisions based on the framework that you will be using. Read up on what the different auditing standards are, the auditing process, how you plan to audit, how you get into field work and how you do the reporting.
What is one thing you want your readers to know or take away from your book?
Cambric: Cloud is not going away; it will get more and more prevalent. If a company is not there yet, it will be eventually, so just keep those skill sets up.
Ratemo: The cloud is the future. Technology changes and knowledge is evolving very rapidly. One thing we want the readers to know is to keep up with these changes and invest in yourself, like Shinesa said. Read up on the latest technologies so you can stay up to speed and enable your organization to be secure. If you don't, it's going to be a challenge to secure based on the rate of change of technology.
About the authors
Shinesa Cambric (CCSP, CISSP, CISA, CISM, CDPSE) is a contributing author to the book 97 Things Every Information Security Professional Should Know and the eBook Shifting Security Left. Her work has been included in global IT industry forums such as SANS, the ITSPMagazine podcast, RSAC, Secure Software Summit and DevOps.com, and she presented at the RSAC 2023 conference.
Michael Ratemo (CISSP, CISA, CISM, GCSA, CCSK, CIA) is principal consultant at Cyber Security Simplified. He is the author of the LinkedIn Learning course Building and Auditing a Cyber Security Program and co-author of the book Cloud Auditing Best Practices.