In this article, I’m going to give an overview of the most important topics in cloud computing auditing in China.
Organizations across a whole range of industries such as e-commerce, insurance, banking, IT, pharma, and automotive are in possession of an increasing amount of personal information and transactional data. As a result, those organizations are now the main targets of cybersecurity attacks, sometimes even with sensitive data being leaked due to organizational system vulnerabilities. In China, cybersecurity has received greater attention having been elevated to the level of national security.
Cloud computing audits have become standard practice as organizations realize that hosting their data with another organization carries risk. To counter that risk, they request different forms of cloud computing audits to gain assurance and lower the likelihood of their information being lost or stolen.
What is Cloud Computing Auditing?
The main purpose of cloud computing auditing is to provide an independent opinion on whether IT operations and governance comply with standards and best practices, as well as with Chinese laws and regulations such as the Cybersecurity Law of the People’s Republic of China.
What is the role of a Cloud Auditor?
The role of a cloud auditor is to provide an objective opinion, based on facts and evidence, that a company has controls in place to meet a certain objective, criterion, or requirement. In many cases the auditor will also provide an opinion on whether those controls operated effectively over a period of time. Auditing the cloud for compliance is no different. Where the audit requires cloud compliance to satisfy the criteria, the auditor will ask for evidence that controls are enabled (e.g. security groups, encryption). This allows the cloud auditor to give an opinion on whether the controls were in place (design effectiveness) and, where applicable, whether they operated over the period (operating effectiveness).
Cloud auditors are responsible for developing their expertise in cloud computing on their own and gaining insights by simply doing it.
What are the Cloud Auditing objectives?
During the planning, implementation, and migration stages of a cloud computing audit, it is important to have a clear understanding of what the goals of the audit are. Companies should strive to align their business objectives with the objectives of the audit. This ensures that the time and resources spent help achieve a strong internal control environment and lower the risk of a qualified opinion.
Cloud auditors use objectives as the basis for concluding on the evidence they obtain. Below is a sample list of cloud computing objectives that can be used by cloud auditors and businesses.
- Define a strategic IT plan: The use of IT resources should align with company business strategies. When defining this objective, some key considerations should include whether IT investments are supported by a strong business case and what education will be required during the rollout of new IT investments.
- Define the cloud architecture: The cloud architecture includes the network, systems, and security requirements needed to safeguard the integrity and security of data.
- Define IT processes, organization, and relationships: Creating processes that are documented, standardized, and repeatable creates a stable IT environment. Businesses should focus on creating policies and procedures that include organization structure, roles and responsibilities, system ownership, risk management, data security, change management, incident management, and disaster recovery.
- Assess and manage IT risks: Management should document the risks that could affect the objectives of the organization. These could include security vulnerabilities, laws and regulations, access to customer or other sensitive data, etc.
- Identify vendor management security controls: As organizations rely on vendors such as AWS, Azure, Tencent Cloud, or Alibaba Cloud to host their infrastructure, they need to identify the risks that could affect the reliability, accuracy, and safety of sensitive data.
What is the scope of a Cloud Audit?
Another factor to consider is the scope of cloud auditing. The scope of a cloud computing audit includes the procedures specific to the subject of the audit. As the scale and scope grow, so does the complexity of the audit. Cloud auditors should take this complexity into account and allocate more time and resources to the auditing process.
The cloud computing auditor must understand the scope and the objectives of the cloud computing environment. This is the first step, and it is crucial for managing and assessing risk as cloud services evolve.
What are the Cloud Auditing steps?
In a cloud computing audit, a variation of the following steps is completed in order to form an opinion on the design and operating effectiveness of the controls identified in these areas:
- Access Management
- Data management
- Security, privacy & compliance
- Logging and monitoring
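The four control areas above map naturally onto automated evidence checks. What follows is an added example, not code from the article or from Roopu Cloud: a small Python script that evaluates a constructed evidence extract (hypothetical IAM users, volumes, security groups, audit-trail settings and access-review sign-offs, not any provider's real API output) against one check per area, and separately tests operating effectiveness by confirming that a monthly access review actually ran in every month of the audit period. The thresholds (90-day key rotation, 180-day log retention, the list of admin and database ports) are assumptions chosen for the example.

```python
"""Control-evidence checks for the four audit areas: access, data, security, logging.
All input below is constructed for illustration (hypothetical tenant, not real data)."""
from datetime import date

# Constructed evidence extract, as an auditor might receive it from the client.
EVIDENCE = {
    "iam_users": [
        {"name": "alice", "mfa": True, "key_last_rotated": date(2024, 3, 1)},
        {"name": "svc-batch", "mfa": False, "key_last_rotated": date(2023, 6, 15)},
    ],
    "volumes": [
        {"id": "vol-1", "encrypted": True},
        {"id": "vol-2", "encrypted": False},
    ],
    "security_groups": [
        {"id": "sg-web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-db", "ingress": [{"port": 3306, "cidr": "0.0.0.0/0"}]},
    ],
    "audit_trail": {"enabled": True, "retention_days": 30},
    # Monthly access-review sign-offs collected during the audit period.
    "access_review_signoffs": [date(2024, 1, 31), date(2024, 2, 29), date(2024, 4, 30)],
}
AUDIT_PERIOD = (date(2024, 1, 1), date(2024, 4, 30))  # constructed audit period

# Assumed thresholds for the example (an audit would take these from the criteria).
ADMIN_OR_DATA_PORTS = {22, 3389, 3306, 5432, 6379}
KEY_MAX_AGE_DAYS = 90
MIN_LOG_RETENTION_DAYS = 180


def access_management(evidence, as_of):
    """Design check: every user has MFA and keys rotated within the allowed age."""
    findings = []
    for u in evidence["iam_users"]:
        if not u["mfa"]:
            findings.append(f"Access: user {u['name']} has no MFA")
        if (as_of - u["key_last_rotated"]).days > KEY_MAX_AGE_DAYS:
            findings.append(f"Access: user {u['name']} key older than {KEY_MAX_AGE_DAYS} days")
    return findings


def data_management(evidence):
    """Design check: encryption at rest is enabled on every volume."""
    return [f"Data: volume {v['id']} not encrypted at rest"
            for v in evidence["volumes"] if not v["encrypted"]]


def security_compliance(evidence):
    """Design check: no admin or database port is open to the whole internet."""
    findings = []
    for sg in evidence["security_groups"]:
        for rule in sg["ingress"]:
            if rule["cidr"] == "0.0.0.0/0" and rule["port"] in ADMIN_OR_DATA_PORTS:
                findings.append(f"Security: {sg['id']} exposes port {rule['port']} to the internet")
    return findings


def logging_monitoring(evidence):
    """Design check: audit trail enabled and retained long enough to cover the period."""
    trail = evidence["audit_trail"]
    if not trail["enabled"]:
        return ["Logging: audit trail disabled"]
    if trail["retention_days"] < MIN_LOG_RETENTION_DAYS:
        return [f"Logging: retention {trail['retention_days']}d below {MIN_LOG_RETENTION_DAYS}d"]
    return []


def operating_effectiveness(signoffs, start, end):
    """Operating check: the monthly access review must have a sign-off in every month
    of the audit period, not merely exist as a documented procedure."""
    months = []
    y, m = start.year, start.month
    while (y, m) <= (end.year, end.month):
        months.append((y, m))
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)
    covered = {(d.year, d.month) for d in signoffs if start <= d <= end}
    return [f"Access: no access review sign-off for {y}-{m:02d}"
            for (y, m) in months if (y, m) not in covered]


def run_audit(evidence, period_start, period_end):
    """Collect findings across all four areas plus the operating-effectiveness test."""
    return (access_management(evidence, period_end)
            + data_management(evidence)
            + security_compliance(evidence)
            + logging_monitoring(evidence)
            + operating_effectiveness(evidence["access_review_signoffs"], period_start, period_end))


if __name__ == "__main__":
    for finding in run_audit(EVIDENCE, *AUDIT_PERIOD):
        print(finding)
```

Each finding names the area it belongs to, so the output can be sorted straight into the audit workpapers; the split between the design checks and `operating_effectiveness` mirrors the two opinions the auditor gives, and a control that passes the first but fails the second (here, the March access review that never happened) is exactly the kind of exception a point-in-time screenshot would miss.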
What is Cloud Compliance in China?
Cloud compliance means meeting the requirements or criteria of a particular certification or framework. Different types of compliance may be required by industry, by a request for proposal, by a client, etc. An organization’s cloud security and compliance requirements determine which type of cloud compliance is right for it.
In addition, cloud computing makes it possible for a cloud services provider to store an organization’s data and information at its data centers located in multiple countries. These countries apply varying laws and regulations, so the client organization’s compliance requirements are no longer bound to the cloud services provider’s physical location. Therefore, it’s crucial that cloud auditors find out where the cloud services provider stores organizations’ data and information. Colocation due to multi-tenancy also contributes to the importance of the physical data and information storage location.
While there is no specific cloud compliance framework in China, a number of different cloud security and compliance requirements call for the implementation of specific controls at the cloud service provider level, such as AWS, Microsoft Azure, Tencent Cloud, or Alibaba Cloud, because that is where important information is maintained. The same is true of the many platforms that themselves run on infrastructure at these cloud providers. While the providers are required to have their own security controls in place, a number of controls remain the responsibility of the customer to implement or enable.
Fortunately, cloud service providers such as AWS, Microsoft Azure, Tencent Cloud, and Alibaba Cloud have helped their customers meet security frameworks, criteria, and certifications by making it easy to enable the controls that auditors look for. Additionally, these companies publish a great deal of information in white papers so that users can gauge whether a product will meet their security requirements.
Roopu Cloud provides Cloud Auditing services
Roopu Cloud has been providing cloud auditing services in China and the APAC region for the last 2 years and has a deep understanding of the cloud providers in China including AWS, Microsoft Azure, Tencent Cloud, and Alibaba Cloud. Based on organizations’ needs, we provide different auditing services including infrastructure, networking, security, data protection, identity and access management, and more.
Our offering ranges from one-off audits to day-after-day audits when overseeing a third-party implementation.
Do not hesitate to contact us to learn more about our offering.