This article lists some considerations for a cloud security and access audit which can be further expanded to create a more comprehensive and detailed audit checklist.
Cloud computing offers an on-demand service that provides a shared pool of configurable computing resources which is typically considered to be more secure than a traditional IT infrastructure.
There are many benefits to using cloud services in your business. You can access your information from anywhere, as long as you have an internet connection. But with this great convenience also comes the need for more security and better access management practices.
Cloud Security and Access Audit Checklist
One of the critical areas of identity and access management is system security and access audit. More importantly, the audit must be frequent or, at best, continuous in some areas, and automated as much as possible, to ensure system security is consistently maintained. Below is a cloud security and access audit checklist which can be expanded to meet your needs and also applied to other systems outside of cloud environments.
Have a Cloud Security and Access Policy
Having a cloud security policy communicates to employees, contractors, and customers that your company takes cloud security seriously and also lays out the expectations for everyone to collectively ensure secure cloud and access.
Choose Your Cloud Provider Carefully
There are many cloud service providers in the market, and some may be more suitable for your needs than others depending on what you intend to use the cloud services for or what your budget looks like. Consider asking for customer references, a product demo, and system documentation. And don’t hesitate to ask your IT audit team for help in selecting a cloud service provider by assessing the provided information.
Maintain an Access Control Matrix
Maintaining an access control matrix, access control list, and access capability table helps with keeping an up-to-date inventory of users and their access permissions to applications, data and other devices. This characterizes the rights of each subject with respect to every object in the system. The access control matrix is a table of subjects and objects showing what actions subjects can take vis-à-vis objects. The access rights held by a subject (one row of the matrix) are called its capabilities, and the list of subjects with access to an object (one column) is called its access control list (ACL).
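The relationship between the matrix, ACLs and capability lists, and how an audit compares the matrix with an approved baseline, is shown in the following added example (not part of the original article). The subjects, objects, rights and the approved baseline are constructed sample data.

```python
# Added example: sample subjects, objects and rights are constructed.
from collections import defaultdict

# Access control matrix as found in the system: (subject, object) -> rights.
MATRIX = {
    ("alice", "payroll-db"): {"read", "write"},
    ("alice", "hr-share"): {"read"},
    ("bob", "payroll-db"): {"read"},
    ("svc-backup", "payroll-db"): {"read"},
    ("svc-backup", "hr-share"): {"read", "write"},
}

# Rights approved by the data owners (the audit baseline, assumed to exist).
APPROVED = {
    ("alice", "payroll-db"): {"read", "write"},
    ("alice", "hr-share"): {"read"},
    ("bob", "payroll-db"): {"read"},
    ("svc-backup", "payroll-db"): {"read"},
    ("svc-backup", "hr-share"): {"read"},
    ("carol", "hr-share"): {"read"},
}


def capability_lists(matrix):
    """Row view: for each subject, the objects it can reach and how."""
    caps = defaultdict(dict)
    for (subject, obj), rights in matrix.items():
        caps[subject][obj] = set(rights)
    return dict(caps)


def acls(matrix):
    """Column view: for each object, the subjects allowed and their rights."""
    out = defaultdict(dict)
    for (subject, obj), rights in matrix.items():
        out[obj][subject] = set(rights)
    return dict(out)


def audit(matrix, approved):
    """Return (excess, missing) as sorted (subject, object, right) tuples."""
    excess, missing = [], []
    for key in set(matrix) | set(approved):
        actual = matrix.get(key, set())
        allowed = approved.get(key, set())
        excess += [(*key, r) for r in actual - allowed]   # granted, not approved
        missing += [(*key, r) for r in allowed - actual]  # approved, not granted
    return sorted(excess), sorted(missing)
```

Excess rights are the audit findings to revoke or re-approve; missing rights usually point to a stale baseline or an incomplete provisioning request.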
Provide Awareness Training
Considering that system users are often the cause of data breach cases, it makes sense to spend some time and resources to educate end-users about why they are considered the weakest link in the cybersecurity chain, what company expectations are, and how they can help secure the cloud applications and data.
Require Strong Passwords
While passwords are still in use, your company security standards must require the selection and use of strong passwords. Security features such as password rules are configurable in many systems and can be designed to force end-users to comply with strong password requirements.
Use MFA When Possible
When two-factor authentication was introduced, many users resisted the extra effort to access systems, which is why user awareness and education is important for user collaboration, especially from the executives. Multi-factor authentication provides an added layer of security when a password is compromised.
Seek Executive Support
Before cloud security requirements can be imposed on the general population, the executives must be educated to support any cyber-security initiative, whether it is a policy for cloud security or system access audit. Often, the first people who complain about the extra security steps or efforts are the executives, which does not lead to end-user support for cybersecurity.
Avoid Being Identity Obese
The term “Identity Obese” was coined by Henry Bagdasarian in his Identity Diet book which introduced the KAOS framework with 8 principles for identity theft protection. When collecting, storing and sharing information, it is important to be mindful of the amount and type of data we unnecessarily collect, process or store in the cloud. Just like eating too much of the wrong foods can lead to health issues, collecting and storing an excessive amount of data can lead to increased cyber attacks, higher cost of security with lower ROI, and lawsuits, resulting in an unmanaged and chaotic business environment.
Review Connected Applications and Devices
Be aware of the connected resources in your cloud environment. Often unused apps and devices continue to be inter-connected within cloud platforms for months and years exposing the company to real threats. The same goes for data. “If the benefits of collected data do not outweigh the cost of maintaining, securing, or losing the data, then it may be time to forgo that data” says Henry Bagdasarian.
Track Changes in Real-Time
When a security setting is changed, new access is established, or an existing access is changed, it is important to be notified of these changes in real-time in order to review high risk changes immediately.
This will make sure that you are actively aware of every activity related to your cloud access, system security configurations, and safety of your files and data.
Another benefit of real-time activity tracking is the awareness of newly connected devices and apps in the cloud to ensure every resource is authorized.
When we discuss regulatory compliance, we need to focus on two key areas. We need to ask ourselves the following questions: does the platform offer features to allow my company to fully comply with local and international regulations? And, is the cloud provider compliant with regulations?
To ensure systems cover all major regulatory requirements, we need to audit the platform features against our unique requirements and ask vendors to provide third party audit reports regarding their compliance level.
Establish Monitoring and Reporting
Having an audit function within cloud operations with monitoring and reporting capabilities is important to identify gaps and suspicious activities as soon as possible in order to address them before they become a liability for the company.
Block Unauthorized Users
There are many ways for companies to automate user access approval and provisioning, including IP tracking and user validation. In addition to cross-referencing users against a validated identity directory, in some cases, unauthorized users may be blocked from accessing a cloud system if they try to access it from an unknown device, or from a suspicious location or at a suspicious time of day, depending on the user’s role and location.
Keep Secured Logs
Keeping system logs is important for periodic reviews and even more important following a security incident for investigation purposes. There are many types of logs that can be considered. The most common types of audit-related logs include but are not limited to system configuration logs, access logs, and file logs. Log security and access control are also extremely important to prevent unauthorized edits to log data, which might occur to cover tracks and avoid detection of unauthorized activities. The log retention period must also be considered depending on your industry and regulatory environment. Consult with your Legal team about the required log retention period.
Audit, Report, and Monitor
Monitoring system access can prove to be very valuable when you notice an increase in a particular type of attack or a sudden spike in failed logins.
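A minimal version of the failed-login spike check described above, as an added example that is not part of the original article. The log line format, the event names and the thresholds are assumptions, and the sample log is constructed.

```python
# Added example: log format, event names and thresholds are assumptions.
from collections import Counter
from datetime import datetime
from statistics import median


def make_sample_log():
    """Constructed access log: quiet background, then a burst at 10:05."""
    lines = []
    for minute in range(0, 5):
        lines.append(f"2024-05-01T10:{minute:02d}:10Z LOGIN_FAILED user=bob src=198.51.100.4")
        lines.append(f"2024-05-01T10:{minute:02d}:20Z LOGIN_OK user=alice src=198.51.100.9")
    for second in range(0, 40, 2):
        lines.append(f"2024-05-01T10:05:{second:02d}Z LOGIN_FAILED user=admin src=203.0.113.7")
    lines.append("2024-05-01T10:06:10Z LOGIN_FAILED user=bob src=198.51.100.4")
    lines.append("malformed line without fields")
    return lines


def failed_per_minute(lines):
    """Count LOGIN_FAILED events per minute, skipping unparseable lines."""
    counts = Counter()
    for line in lines:
        parts = line.split()
        if len(parts) < 2 or parts[1] != "LOGIN_FAILED":
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        counts[ts.replace(second=0)] += 1
    return counts


def find_spikes(counts, factor=5, min_failures=10):
    """Flag minutes whose failures exceed factor x the median of earlier
    normal minutes. Minutes with no failures at all are not in `counts`."""
    spikes, history = [], []
    for minute in sorted(counts):
        n = counts[minute]
        baseline = median(history) if history else 0
        if n >= min_failures and n > factor * max(baseline, 1):
            spikes.append((minute.strftime("%H:%M"), n))
        else:
            history.append(n)  # only normal minutes feed the baseline
    return spikes
```

Flagged minutes are excluded from the baseline so that a sustained attack does not raise the threshold and hide itself.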
Internal audits are also important to discover and address vulnerabilities before they cause any serious damage. This includes audits of systems and applications as well as any activity that doesn’t seem normal. IT audit and security teams can help assess the security and access controls and identify any major gaps that need to be addressed.
Often, cloud and SaaS providers offer independent audit reports, which may save time and cost on internal audits. Internal audits are important before an external audit is requested by a large customer or regulatory body.
Auditing and reporting is further covered in the Certified Identity and Access Manager (CIAM) scope for certification.
Have the Right Tools
Having the right tools in place is necessary to automate and address issues efficiently and cost effectively. Some of these may include artificial intelligence to quickly detect suspicious access and activities as well as anti-malware software, firewalls, and an intrusion detection system. The extent of tools depends largely on your budget and risk appetite. Not every company can afford all the sophisticated tools which makes it even more important to have a discussion with your executives to collectively make the investment decision and accept the risks.
Limit Administrative Privileges
Hackers often target administrator access credentials because they offer the highest level of access to all systems. Having a Privileged Access Management (PAM) system is extremely important to closely monitor high risk activities and detect or block suspicious activities.
Ensure All the Sensitive Data Is Encrypted
Ensure your sensitive data is encrypted while in transit or at rest. Consider file encryption to complement whatever encryption service the cloud service already provides. The most common types of information that may need encryption include but are not limited to credit cards, social security numbers (or other identifiers), medical records, financial records and other sensitive data. The type of data being stored or transmitted as well as regulatory requirements will determine which level of encryption should be used.
Backup System and Data
We need to keep in mind that regardless of our efforts, incidents happen and sometimes system and data files are lost or damaged which need to be quickly restored to continue business operations in a secure fashion. Backup and recovery policies help define the requirements and the process must be tested to make sure it works.
Manage Shared Files
Often users share cloud files with other users by sending a link to the file. If the file contains sensitive data and the link continues to be unnecessarily active, it can present a security risk that can be exploited. Having a shared file management process helps reduce the risk by deactivating the file link when it is no longer needed. Many cloud service providers offer file management features which can assist you with shared file management.
There are many access and security risks that can be mitigated with periodic cloud security and access audits. In essence, a cloud security and access audit can help discover issues before they cause any damage or help detect issues quickly to contain the damage.
A cloud security and access audit can be performed before a cloud service provider is selected and thereafter periodically to make sure the cloud platform, applications and data remain secure at all times.
This high level cloud security and access audit checklist should be a starting point and expanded to meet your special security needs.