Appendix E: Reporting on Controls at a Cloud Computing Service Organization

This appendix describes cloud computing service organizations and provides an overview of the risks and challenges associated with performing a service organization controls (SOC) 2 engagement for cloud service organizations.1

A cloud computing service organization (cloud service organization) provides user entities with on-demand access to a shared pool of configurable computing resources (for example, networks, servers, storage, and applications). Cloud computing is becoming an important IT strategy for user entities that need varying levels of IT resources and for whom purchasing and maintaining sophisticated and costly IT resources is not an effective strategy.

Definition of Cloud Computing

Although many definitions of the term cloud computing exist, the following definition from the National Institute of Standards and Technology (NIST)2 is widely used:

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.

Essential Characteristics:

  • On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service’s provider.

  • Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).

  • Resource pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.

  • Rapid elasticity. Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.

  • Measured service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported providing transparency for both the provider and consumer of the utilized service.

Service Models:

  • Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

  • Cloud Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.

  • Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).

Deployment Models:

  • Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.

  • Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.

  • Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

  • Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).

Risks to User Entities

Although management of a user entity may outsource the IT functions to a cloud service organization, it cannot outsource its responsibility for the operations of those functions. As a result, management of a user entity may need to actively monitor and assess aspects of the cloud service organization’s system that affect the services provided to the user entity. The very characteristics that make cloud computing an attractive solution may also increase certain risks to the user entities. For example:

  • the increased sharing of system resources among user entities increases the risk that the activities of one user entity will adversely affect the availability, security, processing integrity, confidentiality, and privacy of the other user entities.

  • the essential characteristics of cloud computing make it difficult to assess whether the cloud service organization is fulfilling certain commitments related to confidentiality and privacy that it has made to user entities, such as in contracts, service level agreements, or statements of privacy practices. For example, a cloud service organization may reallocate online data storage space between user entities to address the changing demands for resources. In these circumstances, the second user entity may be able to access the data of the original user of the storage space, unless the cloud service organization has controls to erase that data from the storage space.

  • the aggregation of many user entities’ data in a single cloud environment increases the attractiveness of the cloud computing organization as a target for attacks, given the extent of data that can potentially be compromised and misused.

  • cloud providers spawn and retire virtual servers regularly to respond to changing user-entity demands. The transitory nature of these virtual servers increases the risk that unauthorized system changes are introduced in the respawning processes (bringing the server up again). In addition, this transitory nature increases the risk that traditional audit trails (for example, system logs or configuration reports) will not provide sufficient evidence of the functioning of controls for the cloud-based systems.

  • the dynamic nature of cloud computing can result in the data being stored on different physical storage devices using different data security controls. As a result, data security controls designed with the assumption that data is stored in a static location may not be effective.

Challenges Faced by the Cloud Service Organization in Meeting Users’ Information Needs

In order for management of a user entity to actively monitor and assess aspects of the cloud service organization’s system that affect the services provided to the user entity, it will need information about the service organization’s system. In providing such information, the cloud service organization faces many of the traditional challenges faced by service organizations, including the following:

  • Controlling the cost and disruption resulting from inquiries and visits from multiple user entities who wish to obtain information about the system and test system controls that are relevant to those user entities. Adding to such costs and disruption is the time required to train user entity personnel about cloud services, processes, and architecture.

  • Balancing the need to protect user entities’ information against the need to provide governance, risk, and control information to existing and prospective user entities. For example, providing a user entity with detailed security configuration information regarding the cloud environment increases the risk that personnel at that user entity will use that information to compromise security and gain access to other user entities’ data.

  • Balancing the need to provide information about the system to user entities in an effective and efficient manner against the need to protect the cloud service organization from risks, such as the disclosure of confidential user-entity information. For example, in a traditional data center setting, a user entity usually has access to all data and system resources for a dedicated e-mail server. If a cloud computing architecture comingles e-mails from multiple users in a single database, providing such access to all data and system resources in a cloud setting would compromise the confidentiality of other user entities’ e-mail.

A service auditor’s SOC 2 report can be an effective tool for communicating information about the cloud service organization’s services and the suitability of the design and operating effectiveness of controls over the systems that provide these services. It can provide assurance to existing and prospective user entities regarding the service organization’s services, including confidence in the security, availability, and processing integrity of the system and controls over data confidentiality and privacy of information. This additional confidence can help the cloud service organization address the concerns of prospective and existing customers in a consistent and comprehensive manner, rather than having to customize a response to the specific requirements of different user entities. In a new and developing industry, such confidence can help increase the rate of adoption of a cloud service organization’s services and the extent to which user entities are willing to trust critical operations to the cloud environment.

Risk Considerations When Performing a SOC 2 Engagement for a Cloud Service Organization

Performing a SOC 2 engagement for a cloud service organization is conceptually the same as performing such an engagement for any other service organization that provides IT services. However, when performing these engagements, the service auditor needs to pay particular attention to matters such as the following:

  • Shared responsibility. The responsibility for controls is shared between the user entities and service organization. One challenge of providing cloud services is that different user entities will often require varying levels of service and related responsibility and accountability on the part of the cloud service organization. In these situations, the service auditor needs to consider the processes and controls that the cloud service organization has in place to address the differing requirements of its user entities.

  • Information life cycle management when reporting on confidentiality and privacy. Information life cycle management is one of the most challenging aspects of managing a cloud, particularly when addressing privacy requirements. Because cloud service organizations have multiple clients sharing system resources, and these shared resources (for example, servers and storage devices) may be reallocated among the clients depending on needs at a given time, information life cycle management for any particular client may become highly complex and challenging to administer.

  • Comingling of data when reporting on confidentiality and privacy. Many SaaS environments comingle the data of user entities in a single database. As a result, it may be difficult to completely destroy or return user entity data at the end of its life cycle or at the end of the relationship between a user entity and cloud service provider.

  • Transnational data processing and storage. Many types of data, including personal information, are subject to specific laws and regulations in the jurisdiction in which the data is created or of which the data subject is a resident, including restrictions on the transfer of data to other jurisdictions. Cloud service providers may be unaware of the particular requirements for any one user entity, and the multinational architecture of a cloud infrastructure may result in unintended violations of laws and regulations by the user entity.

  • Availability, continuity of operations, and disaster recovery when reporting on availability. Cloud computing environments are inherently complex due to the need to support multiple clients with varying system requirements (for example, different operating systems and virtual servers) and variations in the demand for resources among clients. Due to this complexity, techniques for maintaining system availability, providing for continuity of operations when a disruption has occurred, and recovering from a disaster vary significantly from traditional techniques. The flexibility provided by cloud architecture usually provides the cloud with the technological ability to recover user entity processing on different hardware operating in the same or a different facility but requires more complex processes and controls to do so.

  • Virtualization technologies. Although not unique to a cloud, the implementation, configuration, protection, operation, and support of virtualization hypervisors is critical to most cloud computing environments. A hypervisor is a software program that manages multiple operating systems on a single computer system. Hypervisors need to be configured and managed to meet the combined security, availability, and processing integrity needs of customers. A service auditor needs to understand the hypervisor(s) used by the cloud service organization and the unique policies, procedures, and processes used to configure and maintain them. The service auditor also needs to address the same issues with regard to any applications or software infrastructure provided in a multitenancy environment.

  • Transitory nature of virtual environments. Because of the virtual nature of individual user-entity processing environments and the highly dynamic nature of resource allocation, traditional testing strategies related to system configuration may not provide sufficient evidence about the operating effectiveness of controls. Similarly, audit evidence traditionally used to evaluate the operation of the control may not exist or may not be sufficiently reliable when testing in a cloud environment. The service auditor needs to give consideration to these factors in planning and performing his or her examination.

  • Encryption and key management.3 Encryption is generally an effective way of protecting information in a cloud computing environment. Encryption of data may be the responsibility of the user entity, cloud service organization, or both and may vary from user entity to user entity within any one cloud computing environment. A cloud service organization needs to have processes and controls in place to meet its responsibilities, in accordance with service level agreements. In addition, processes and controls are needed to protect encryption keys during key generation, storage, use, change, and destruction.
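The comingling bullet above notes that returning or destroying one user entity’s data in a shared database is hard, and the encryption bullet lists the stages of the key life cycle. The following Python example, added here and not part of the guide, walks a per-tenant data-encrypting key (DEK) through generation, wrapped storage, use, rotation of the key-encrypting key (KEK) and destruction, and shows that destroying a tenant’s DEK leaves that tenant’s rows in the shared table unreadable while other tenants are unaffected (crypto-shredding, a technique the guide does not name). The tenants, records and the HMAC-SHA256 construction standing in for an AEAD such as AES-GCM (the standard library ships none) are all constructed for the example.

```python
import hashlib
import hmac
import secrets

def _subkey(key: bytes, label: bytes) -> bytes:
    """Domain-separated subkeys so the keystream and the MAC never share a key."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stdlib stand-in for AES-GCM)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong, rotated-away or destroyed key fails here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed: wrong key or tampered record")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))

class TenantKeyStore:
    """A KEK (in practice held in a KMS or HSM) plus one wrapped DEK per tenant."""
    def __init__(self):
        self.kek = secrets.token_bytes(32)   # generation
        self.wrapped = {}                    # storage: tenant -> DEK sealed under the KEK
    def create_tenant(self, tenant: str) -> None:
        self.wrapped[tenant] = seal(self.kek, secrets.token_bytes(32))
    def dek(self, tenant: str) -> bytes:     # use: unwrap on demand, never persisted in clear
        return open_(self.kek, self.wrapped[tenant])
    def rotate_kek(self) -> None:            # change: rewrap every DEK under a fresh KEK
        new_kek = secrets.token_bytes(32)
        self.wrapped = {t: seal(new_kek, open_(self.kek, w)) for t, w in self.wrapped.items()}
        self.kek = new_kek
    def destroy_tenant(self, tenant: str) -> None:   # destruction: crypto-shredding
        del self.wrapped[tenant]

def offboarding_demo() -> dict:
    """Two constructed tenants share one table; tenant-b is then off-boarded by key destruction."""
    keys = TenantKeyStore()
    for tenant in ("tenant-a", "tenant-b"):
        keys.create_tenant(tenant)
    rows = [("tenant-a", seal(keys.dek("tenant-a"), b"a: invoice 1")),
            ("tenant-b", seal(keys.dek("tenant-b"), b"b: invoice 9"))]
    keys.rotate_kek()                        # rows need no rewrite: only the DEK wrapping changed
    keys.destroy_tenant("tenant-b")
    # A destroyed DEK leaves the row as ciphertext with no key: report it as unreadable (None).
    return {t: open_(keys.dek(t), blob) if t in keys.wrapped else None for t, blob in rows}

if __name__ == "__main__":
    print(offboarding_demo())
```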

Engagement Acceptance Considerations for the Service Auditor

Prior to accepting an engagement to report on controls at a service organization related to the trust services principles, a practitioner should consider whether he or she has the necessary skills and knowledge to perform the examination or will need to use the work of a specialist with the necessary skills and knowledge.

In performing a SOC 2 engagement for a cloud service organization, a service auditor needs to consider the following:

  • Whether the cloud environment is private, public, community, or hybrid and the different risks that each deployment model brings to the environment.

  • Whether the description is sufficient to meet the needs of user entities based on industry and regulatory considerations. The cloud service provider’s description of its system should address unique aspects that cloud computing brings to common processes, including the following:

    — Data governance

    — Information leakage

    — Hardware disposal

    — Hypervisor security and change control

    — Spawning and retirement of virtual systems

    — Encryption

    — Incident management

    — Use of third parties

    Because of the rapidly evolving nature of cloud computing, service auditors should consider consulting the publications and online resources of organizations that address cloud computing, including the NIST, the European Network and Information Security Agency, and the Cloud Security Alliance (CSA).

  • When reporting on privacy in a cloud environment, how privacy risks are affected by the shared aspects of a cloud environment, including the following:

    — Breach notice

    — Access

    — Regulatory requirements

    — The types of personal information in the cloud environment and its sensitivity

    — Sharing of information with third parties

  • Whether the controls identified are sufficiently responsive to the applicable trust services criteria, given the dynamic nature of cloud computing and the particular risks associated with it.

  • Whether the results of tests of controls will be sufficient to support the auditor’s opinion, given the dynamic nature of infrastructure considerations. For example, security configurations of hypervisors and servers are subject to frequent modification throughout the period. Tests that infer the operating effectiveness of controls through inspection of the results of their operation (for example, inspection of security configuration files) are likely to be less effective, unless performed throughout the report period using a statistical-based sampling approach.
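As an added example that is not part of the guide, the following Python script contrasts the two procedures described in the last bullet: a single period-end inspection of a hypervisor’s security configuration, which cannot see a lapse that was corrected before period end, against inspection on a random sample of days spread over the whole report period, with the sample sized so that a lapse of a given length is unlikely to be missed. The report period, the baseline settings and the nine-day lapse in one setting are constructed for the example.

```python
import random
from datetime import date, timedelta

PERIOD_START, PERIOD_END = date(2012, 1, 1), date(2012, 6, 30)         # constructed report period
DEVIATION_START, DEVIATION_END = date(2012, 5, 10), date(2012, 5, 18)  # constructed 9-day lapse

# Constructed baseline: the approved hypervisor hardening settings.
BASELINE = {"ssh_root_login": "no", "mgmt_iface_acl": "10.0.0.0/8",
            "vm_isolation": "strict", "patch_level": "2012-03"}

def snapshot_on(day: date) -> dict:
    """Constructed evidence source: the configuration as it stood on a given day.
    A mid-period change window left root SSH logins enabled for nine days."""
    cfg = dict(BASELINE)
    if DEVIATION_START <= day <= DEVIATION_END:
        cfg["ssh_root_login"] = "yes"
    return cfg

def deviations(cfg: dict) -> dict:
    """Map every setting that differs from the baseline to (expected, observed)."""
    return {k: (v, cfg.get(k)) for k, v in BASELINE.items() if cfg.get(k) != v}

def point_in_time_test(day: date = PERIOD_END) -> dict:
    """The weaker procedure: one inspection of the configuration, typically at period end."""
    return deviations(snapshot_on(day))

def miss_probability(period_days: int, deviation_days: int, sample_size: int) -> float:
    """Chance that a simple random sample of days (without replacement) contains none of the
    deviation days: C(period - deviation, n) / C(period, n), computed as a running product."""
    p = 1.0
    for i in range(sample_size):
        p *= (period_days - deviation_days - i) / (period_days - i)
    return p

def sample_size_for(period_days: int, deviation_days: int, confidence: float = 0.95) -> int:
    """Smallest sample whose chance of missing a lapse of that length is at most 1 - confidence."""
    n = 1
    while miss_probability(period_days, deviation_days, n) > 1 - confidence:
        n += 1
    return n

def sampled_period_test(sample_size: int, seed: int = 2012) -> dict:
    """The stronger procedure: inspect the configuration on a random sample of days spread
    across the whole period and record each sampled day that deviates from the baseline."""
    period_days = (PERIOD_END - PERIOD_START).days + 1
    rng = random.Random(seed)                 # seeded only so a reader's run is reproducible
    exceptions = {}
    for offset in sorted(rng.sample(range(period_days), sample_size)):
        day = PERIOD_START + timedelta(days=offset)
        found = deviations(snapshot_on(day))
        if found:
            exceptions[day.isoformat()] = found
    return exceptions

if __name__ == "__main__":
    days = (PERIOD_END - PERIOD_START).days + 1
    n = sample_size_for(days, (DEVIATION_END - DEVIATION_START).days + 1)
    print("point-in-time inspection at period end:", point_in_time_test())
    print(f"sample size for 95% confidence against a 9-day lapse: {n} of {days} days")
    print("sampled-period inspection:", sampled_period_test(n))
```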

Cloud Security Frameworks

Due to the immaturity and rapid growth of cloud computing, cloud service organizations and their user entities are still refining the security processes and controls that should be in place at the service organization. To aid in this effort, cloud service organizations and user entities have joined together with governmental bodies in several different efforts to develop frameworks for assessing risks, processes, and controls for a cloud environment. Implementation of a framework could be demonstrated by a SOC 2 report in which the description of the system includes descriptions of the framework used, the processes designed to address the framework requirements, and controls implemented in response to the framework requirements.

One leading framework has been developed by the CSA. This framework consists of the following:

  • Consensus assessment questions that have been developed to help user entities gather information relevant to the security and availability of a cloud service provider’s system

  • Common controls matrix that provides cloud service providers and user entities with illustrative controls

More information on the CSA framework can be found at https://cloudsecurityalliance.org/.

1 As we went to press, this document which is contained in appendix E of the 2012 SOC 2 Guide, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2SM), was in the process of being revised. Please check http://aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/sorhome.aspx for the latest information contained in the July 2015 release of the updated SOC 2 Guide.
2 Mell, Peter and Tim Grance, “The NIST Definition of Cloud Computing,” Version 15 (October 7, 2009) http://csrc.nist.gov/groups/SNS/cloud-computing/.
3 Encryption is a form of security that turns information, images, programs, or other data into unreadable cipher by applying a set of complex algorithms to the original material. These algorithms transform the data into streams or blocks of seemingly random alphanumeric characters. An encryption key might encrypt, decrypt, or perform both functions, depending on the type of encryption software being used.