
The skeptical auditor's guide to the cloud

Moving to the cloud may be just the thing to transform an IT auditor from cynic to believer. Ensuring cloud compliance makes auditors seem invaluable.

Change in IT is constant. Yet such change raises an important question: Is cloud computing really as disruptive as vendors would have you believe? Or is it just another evolution in a long string of improvements to get the job done?

Many IT auditors have real concerns about control and verification in the cloud, a model whose value comes precisely from sharing resources. Those concerns are warranted. Cloud computing is another step toward a future in which fewer people manage more computers. Not long ago, 25:1 was an acceptable ratio of computers to administrator. Automation has pushed that number up, and as the ratio rises, the number of administrators required falls.

An argument exists, however, that the opposite holds true for IT auditors. Long (and inappropriately) vilified as standing in the way of new technologies, auditors actually find their responsibilities become more valued as businesses shift services into the cloud.

There's no better time to be an IT auditor.

The assets you own in a private cloud…

Today, three different types of cloud are commonly recognized: private, public and hybrid cloud. While different vendors use different language to describe each, the central theme is that a private cloud is created atop assets you own.

Most enterprises might already have a private cloud, perhaps without even knowing it. Many of private cloud's constituent components already exist in your data center today -- servers and storage, hypervisors and hypervisor management tools, virtual machine load balancing and high availability technologies, even the self-service components that drive private cloud's resource provisioning.

If your data center already contains these resources, it's likely you're auditing their configurations. You have audit plans for operating systems, applications under management and hardware configurations. What your audit program may be missing are the configurations within the virtual platform.

Organizations like the Information Systems Audit and Control Association (ISACA) and even the U.S. federal government have developed template audit plans for the virtualization technologies private cloud relies on. Look there for guidance on what makes sense for your line of business.

…And the assets you don't own in a public cloud

Focusing on vendor technologies is an effective starting point for private cloud. Recognizing that private cloud's constituent components -- and the guidance to audit them -- likely already exist should be comforting. That comfort often turns to fear once IT services leave the protected confines of the local area network.

While a private cloud is constructed atop assets your business owns, the public cloud delivers services atop assets you don't. This lack of ownership very obviously introduces complexity into the auditing process. With most public cloud services, you simply can't walk into a facility and demand to verify configurations. That’s not how services work.

Methodologies exist for auditing external services. Take the mystique out of public cloud and you'll quickly find nothing more than an external IT service. From an auditing requirements perspective, such a service isn't very different from other outsourced business services: there are auditing requirements for outsourced accounting, just as there are for outsourced finance or even marketing functions in some industries. In fact, the auditing discipline itself has agreed on the Statement on Auditing Standards No. 70 (SAS 70) and its successor, the Statement on Standards for Attestation Engagements No. 16 (SSAE 16), as the AICPA standards under which an independent auditor reports on the controls of a service organization. SSAE 16 replaced SAS 70 for reporting periods ending on or after June 15, 2011, so new reports you receive should be SSAE 16 (SOC 1) reports.

Ensure your public cloud provider has obtained a SAS 70 or SSAE 16 report, and you're well down the road toward verifying practices. Read the report rather than accepting its existence: a Type II report covers the operating effectiveness of controls over a period, whereas a Type I describes their design at a point in time; the report's scope names the specific services and data centers examined, which may not include the service you consume; and both SAS 70 and SSAE 16 (SOC 1) reports address controls relevant to financial reporting, so for security, availability and confidentiality controls ask for a SOC 2 report as well. Note also the "complementary user entity controls" the report lists, which are controls the provider assumes you operate on your side. Do the same for industry regulation requirements, such as HIPAA and PCI DSS, bearing in mind that HIPAA has no certification program (look for a business associate agreement and the provider's own assessment evidence) and that a PCI DSS Attestation of Compliance is scoped to particular services, and you've taken the necessary steps in performing your due diligence.

Converting skeptics to the cloud

The auditor's job is ensuring that ongoing practices remain in compliance. Protecting your business's sensitive data, and trusting others to do the same, is absolutely important. Whether verifying first-hand the assets you own, or evaluating the verifications of others in the delivery of services, it is the skeptical IT auditor who stands to gain the most.

As the industry continues to embrace the fast-moving cloud, staying ahead of that verification becomes your most important task. And it makes your job that much more valuable.

Greg Shields, Microsoft MVP, is a partner at Concentrated Technology. Get more of Greg's Jack-of-all-trades tips and tricks at
