The Houston, Texas office of cloud services provider Amazon Web Services (AWS). (Tony Webster from Minneapolis, Minnesota, United States, CC BY 2.0 https://creativecommons.org/licenses/by/2.0, via Wikimedia Commons)
If you think you can audit your cloud-based IT infrastructure the exact same way that you assess security and privacy on a traditional on-premises network, you may be due for a reality check.
While the objective may be the same, it’s a very different process that requires its own set of skills and knowledge. With the movement toward cloud growing stronger by the day, organizations will quickly have to learn those differences. And IT professionals who show they can adjust have a golden opportunity to advance their careers.
So it seems to be opportune timing that ISACA and the Cloud Security Alliance (CSA) on Monday officially announced the launch of their new Certificate of Cloud Auditing Knowledge (CCAK) training and examination program.
The two organizations call it the “first credentials available for industry professionals to demonstrate their expertise in the essential principles of auditing the security of cloud computing systems.” A study guide was already available last year, and by next week practitioners will be able to register for exams and two-day face-to-face training courses (virtual only for now). Online self-paced courses will arrive in April, and question banks for practice purposes will follow in May.
Experts in the field of cloud, IT governance and general cybersecurity believe that this certificate program is a significant addition to the wide spectrum of security training programs available today, filling an important gap in the knowledge-based training market.
According to the February 2020 edition of Netskope’s Cloud and Threat Report, the average organization has over 2,400 cloud applications, “emphasizing the dire need for cloud security audit professionals,” said Krishna Narayanaswamy, chief technology officer at Netskope.
Daniele Catteddu, chief technology officer at the CSA, said the idea behind the CCAK is to “empower” security and data protection professionals, procurement specialists, legal personnel and others “to have a proper evaluation and understanding of a cloud service over time – from the moment in which you’re making the initial evaluation on a cloud service before buying the product [through] the overall lifecycle of the service itself.”
ISACA already has an established program for information systems auditors with the CISA credential, and while it does cover cloud, it is not the primary focus, noted Shannon Donahue, vice president of content development and services at ISACA. “As estimates range that 70 to 90+ percent of organizations are using the cloud, we were hearing more frequently that our CISAs and other members wanted access to more programs focused on cloud,” said Donahue. “Not only so they could learn new skills as the cloud matures, but also to demonstrate their capability in cloud audits.”
Subject matter will include the CSA’s Cloud Controls Matrix (CCM) cybersecurity framework; the Consensus Assessments Initiative Questionnaire (CAIQ), which is a means to document what security controls are found in infrastructure-, platform- and software-as-a-service offerings; and the STAR Self-Assessment tool, which helps users assess the security of their current or prospective third-party cloud providers.
“Understanding the technology and the threat analysis methodology for cloud is critical,” said Jim Reavis, co-founder and CEO of the CSA. “We seek to provide professionals the skill to master these various disciplines and understand the mechanics of leveraging CCM and CAIQ in pragmatic audit scenarios.”
“They will understand different cloud services and cloud types, as well as how to test the design and effectiveness of controls in each situation to ensure that data is being processed, stored and transmitted as intended,” said Donahue.
According to Netskope’s Narayanaswamy, in addition to knowledge of cloud controls, cloud audit professionals must also exhibit “the ability to identify critical controls that are important for their organization’s vertical, the ability to understand terms and conditions laid out by cloud service providers, and the ability to map cloud controls with requirements specified in applicable compliance regulations like PCI, HIPAA, GDPR, CCPA, LGPD, etc.”
Tanner, senior security researcher at Barracuda Networks, agreed that there are “many nuances to public cloud specifically that are important to understand,” even though he also thinks certificate programs must take care not to become overly specialized. Important lessons for a training and knowledge program like this one, he said, would be the “many security configurations that need to be understood and utilized properly, such as Control Groups in AWS,” as well as “new workflows and tools being used in cloud scenarios – for example, Kubernetes and Docker deployment workflows.”
Proving that you are qualified for and knowledgeable in all of the above areas can help infosec pros distinguish themselves and perhaps even land a prized job.
“The CCAK holder can show that they have knowledge to be an effective auditor no matter where data is stored, processed or transmitted,” said Donahue. “They will also be able to demonstrate knowledge of cloud-focused frameworks, regulations and standards.”
“In recent years, we’ve even seen traditional, well-established companies increase their custom development to address their business needs,” said James Pleger, manager, SpecOps, at Sumo Logic. “Many, if not most, of the new projects will either live completely in the cloud or interact with it in some way. Having this certification and even other certifications like it can create a baseline of cloud knowledge, which should lead to higher quality audit results.”
“This certification is specifically valuable for the governance, risk and compliance job function,” added Narayanaswamy. “With the emergence of cloud applications and services, GRC departments of organizations are creating cloud governance processes and this certification could be the differentiator in making a hiring decision.”
Cloud auditing vs. traditional on-prem auditing
According to CSA’s web page describing the CCAK program, traditional IT audit education and certification programs “were not developed with an understanding of cloud computing and its many nuances.” Moreover, “an audited organization using cloud computing will have a very different approach to satisfying control objectives” versus one that relies on traditional on-prem IT systems, especially as it relates to admin access.
“Cloud represents a game changer for IT audits,” said Reavis – one that affects many aspects of risk management, governance and compliance. And so it’s important to understand why specialized knowledge and skills are required.
One of the biggest reasons is that cloud services are outsourced to third-party providers who are simultaneously contracted with other clients as well. This multi-tenant model means you can’t just go in and assess and audit these third parties in unfettered fashion the same way you’d audit your own internal organization. As a result, there’s less control, which also makes it harder to create an airtight, comprehensive audit trail.
Indeed, “a traditional audit practice, such as vulnerability scanning or penetration testing, may risk harming a production system and will often be disallowed by the cloud service provider,” said Reavis. “Another common scenario is that the auditor will not have direct physical access to public cloud data centers.”
“This means auditors will have to lean on alternative forms of assessment and evaluation, including scrutiny of existing provider certifications and virtualized compensatory controls,” Reavis continued.
Donahue said in some cases cloud services users will have to rely on SOC 2 attestation reports from their cloud provider to demonstrate that they are securely managing their data. “I think at that point it’s coming down to… trust,” said Donahue, “and that’s going to be through solid vendor management skills, solid contracts and SLAs [service-level agreements], and then the attestation reports.”
In addition, having a third-party data and services host “means that there are additional threats, and those who are auditing the cloud will need to understand the threats and test that the controls in place are designed appropriately and working as intended and have been, consistently, over time,” said Donahue. Not to mention: “New regulatory requirements, frameworks and standards have been released that are specific to cloud computing, so ensuring that a cloud auditor understands the specifications of the framework and how to evaluate compliance in the cloud environment is imperative.”
System access isn’t the only difference. Cloud-based audits may also require familiarity with certain technology that auditors haven’t previously worked with, especially at smaller organizations, said Donahue. “For them to have to understand virtual server images and all of the different things that happen depending on whether you’re using SaaS or PaaS, it’s just a new element for them,” she explained.
“And then if we look into the more mature cloud approach, certainly, DevSecOps, automation and continuous compliance, those are aspects that are completely net new” to many members of the auditing community, added Catteddu. “The idea that you are dealing with servers or services that are ephemeral, that they might be here now, but not in five minutes – [it’s a] different way in which you’re collecting evidence, a different way in which you are understanding the effectiveness of a control within an agile development.”
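To make the evidence-collection point concrete, here is an added illustration (not code from the article, ISACA or the CSA) of why a single point-in-time inspection, the on-prem habit, can miss an ephemeral resource entirely, while a control evaluated continuously across inventory snapshots both catches it and leaves a timestamped record of every pass and fail. The resource model, the control (“no ingress rule exposes TCP/22 to 0.0.0.0/0”), the snapshot stream and the resource names are all constructed for the example; they are not tied to any specific CCM control ID or provider API.

```python
"""Continuous vs. point-in-time control evaluation over ephemeral cloud resources.

Everything here is constructed for illustration: a security-group-like
resource model, one control, and a three-snapshot inventory stream in which
a build runner appears with world-open SSH and is gone by the next snapshot.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Resource:
    """A security-group-like resource: an id plus (port, cidr) ingress rules."""
    rid: str
    ingress: frozenset  # of (port, cidr) tuples


@dataclass(frozen=True)
class Snapshot:
    """Inventory observed at one moment; ts is minutes into the audit window."""
    ts: int
    resources: Tuple[Resource, ...]


Control = Callable[[Resource], Optional[str]]


def ssh_not_world_open(r: Resource) -> Optional[str]:
    """Hypothetical control: no ingress rule exposes TCP/22 to 0.0.0.0/0.
    Returns a failure detail string, or None when the resource passes."""
    for port, cidr in r.ingress:
        if port == 22 and cidr == "0.0.0.0/0":
            return "tcp/22 open to 0.0.0.0/0"
    return None


def evaluate(snapshots: Iterable[Snapshot], control: Control, control_id: str) -> List[dict]:
    """Run the control against every resource in every snapshot and keep a
    timestamped evidence record for passes and failures alike: an auditor
    needs proof the control was actually tested, not just a list of failures."""
    evidence = []
    for snap in snapshots:
        for r in snap.resources:
            detail = control(r)
            evidence.append({
                "ts": snap.ts,
                "resource": r.rid,
                "control": control_id,
                "result": "FAIL" if detail else "PASS",
                "detail": detail or "",
            })
    return evidence


def failures(evidence: List[dict]) -> List[dict]:
    """Only the failing records, for the findings section of a report."""
    return [e for e in evidence if e["result"] == "FAIL"]


def sample(snapshots: Iterable[Snapshot], ts: int) -> List[Snapshot]:
    """What a point-in-time audit sees: the single snapshot taken at ts."""
    return [s for s in snapshots if s.ts == ts]


def unobserved_by_sample(snapshots: Iterable[Snapshot], sample_ts: int) -> Set[str]:
    """Resource ids that existed somewhere in the window but were absent from
    the one snapshot a point-in-time inspection would have looked at."""
    snaps = list(snapshots)
    seen_all = {r.rid for s in snaps for r in s.resources}
    seen_sample = {r.rid for s in sample(snaps, sample_ts) for r in s.resources}
    return seen_all - seen_sample


# Constructed inventory stream. sg-web lives for the whole window with SSH
# restricted to an internal range; sg-ci-runner is an ephemeral build-runner
# group that appears at t=5 with world-open SSH and has been torn down by t=10.
SG_WEB = Resource("sg-web", frozenset({(443, "0.0.0.0/0"), (22, "10.0.0.0/8")}))
SG_CI = Resource("sg-ci-runner", frozenset({(22, "0.0.0.0/0")}))
SNAPSHOTS = (
    Snapshot(0, (SG_WEB,)),
    Snapshot(5, (SG_WEB, SG_CI)),
    Snapshot(10, (SG_WEB,)),
)

CONTROL_ID = "no-world-open-ssh"  # hypothetical label, not a CCM identifier

if __name__ == "__main__":
    continuous = evaluate(SNAPSHOTS, ssh_not_world_open, CONTROL_ID)
    for rec in failures(continuous):
        print("continuous:", rec)
    for ts in (0, 10):
        print(f"point-in-time at t={ts}: {len(failures(evaluate(sample(SNAPSHOTS, ts), ssh_not_world_open, CONTROL_ID)))} failures,",
              "never observed:", unobserved_by_sample(SNAPSHOTS, ts))
```

Run stand-alone, the continuous evaluation reports one failing record (sg-ci-runner at t=5) alongside passing records for every other resource-snapshot pair, while a point-in-time check at t=0 or t=10 reports zero failures and never even observes the offending resource. That gap is what Catteddu means by a different way of collecting evidence: for ephemeral infrastructure the evidence is the stream of evaluations, not a screenshot of the estate on audit day.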
Pleger at Sumo Logic identified another technology challenge for user organizations, noting that cloud environments “are constantly evolving with new features and can rapidly change the security posture depending on which features are leveraged.” For that reason, “I think that having a cloud-specific audit can be extremely beneficial. With that said, it also really depends on the certification having a more aggressive continuous learning program and focusing on general concepts and techniques for auditing, rather than specific technologies.”