1. Cloud Governance Fundamentals

Definition: the process of ensuring that stakeholder needs are met, based on policies, procedures and controls that provide transparency and accountability.
Importance to security: establishes accountability and oversight, and aligns security goals with business objectives through a risk-based approach.
Governance standards: ISO/IEC 38500, COBIT 2019, ISO/IEC 27014, The Open Group Cloud Computing Governance Framework.

Impact of cloud service models:
- IaaS: minimal adjustment to traditional governance; the customer retains most of the responsibility.
- PaaS: thin boundaries between provider and customer; contracts need careful attention to keep policies harmonized. DevOps practices also affect governance.
- SaaS: least visibility and control; reliance on assessments, contracts, SLAs and monitoring. Involvement of the business departments that consume the service is crucial.

Impact of deployment models:
- Public cloud: standardized services; multi-tenancy challenges (segmentation, isolation); limited visibility. Reliance on vendor risk management, SLAs and third-party audits.
- Private cloud: closest to traditional IT governance, but must still address cloud-platform attack vectors and multi-tenancy between organizational units.
- Hybrid cloud: spans private and public; complex policy guidelines, aligning SLAs, protecting the internal perimeter.
- Community cloud: platform shared among a specific community; identifying the stakeholders and the shared responsibility model is the main governance task.

Accountability model (RACI):
- Responsible: does the work.
- Accountable: ultimately answerable (exactly one per activity).
- Consulted: opinions sought (two-way communication).
- Informed: kept updated (one-way communication).

Scope of cloud governance: beyond security, it covers cost management, compliance, resilience, portability, interoperability and SLAs.

Cloud trust: a function of transparency, assurance and accountability.
- Trust categories: reputation-based, SLA-verification-based, policy-based, evidence-based, societal trust.
- Transparency: disclosing security practices and controls. Proactive (voluntary), reactive (on request), contractual/statutory (required).
- Assurance: confidence that controls operate as stated; obtained by design review, operational check or deep audit, in increasing order of rigour.
- Accountability: accepting responsibilities, explaining compliance, remedying failures.

Cloud governance requirements:
- Operational: define migration goals, provider evaluation criteria, internal SLAs, specific requirements (backup, DR).
- Security: provider evaluation criteria (certifications), a controls framework (CSA CCM, ISO/IEC 27001), specific requirements (e.g. where encryption keys are stored and who holds them).
- Legal/regulatory: understand applicable laws (GDPR, HIPAA), classify data, establish contract negotiation guidelines.

Cloud risk management:
- New inherent risks: isolation failure, compromise of management interfaces/APIs, incomplete data deletion, shadow IT, supply chain, misconfiguration.
- Risk treatment options: avoidance, reduction (mitigation), transfer/sharing, acceptance.
- Best-practice methods: NIST SP 800-30, ISO/IEC 27005, FAIR, OCTAVE, EBIOS, CSA Cloud Octagon.

Cloud compliance: conforming to requirements from policy, standards or regulation.
- Impact of cloud: responsibilities are shared, but accountability remains with the customer; legal and regulatory frameworks become more complex (multiple jurisdictions).
- Compliance inheritance: the cloud service customer (CSC) builds on the provider's (CSP) compliance efforts, e.g. its certifications, for the parts of the stack the provider controls; the customer's own controls on top remain in scope.
- Governance tools: contracts, security assessments, auditing.

2. Cloud Compliance Program Design

Fundamental criteria: a comprehensive understanding of the cloud ecosystem, the organization's risk appetite and its critical systems.
Key actors: cloud strategy owners, service sponsors, data owners, compliance managers, internal and external auditors.

Perspectives to consider:
- Business/organizational: nature of the business, location of HQ and subsidiaries, geolocation of markets, dependency on IT.
- Governance: alignment of cloud and governance requirements, financial reporting, internal policies, applicable laws (GDPR, CCPA), technical standards.
- Cloud: differences from legacy IT (third-party reliance, dynamic environment, shared responsibility).
- Risk: risk appetite determines the management style (risk-taking vs. risk-averse).
- Risk assessment: identify scope, assets, threats and vulnerabilities; compute and evaluate risk.
- Risk treatment: set control objectives (preventive, detective, corrective), design the controls, implement them (respecting shared responsibility), monitor and report.

Program components: a high-level framework (ISO/IEC 27001, NIST CSF); audit types (governance, configuration, access review, compliance); policies and procedures; a risk register; auditing/assessment tools; training; a dedicated team.

Legal and regulatory drivers: HIPAA, GLBA, GDPR, SOX, PCI DSS, FedRAMP.
Standards and frameworks: CSA CCM, ISO/IEC 27017, ISO/IEC 27018, NIST SP 800-53, BSI C5.

Controls: measures that modify risk.
- By function: preventive, detective, corrective.
- By type: technical, administrative, physical.
- Control frameworks are hierarchical, grouping controls into domains (e.g. ISO/IEC 27002, NIST SP 800-53, CSA CCM).
- Mapping controls: across frameworks (CCM to ISO, NIST, etc.) and to architectural implementations (CSA Enterprise Architecture).

Technical controls (operationalization): adapting generic control statements to a specific cloud platform. Affected by shared responsibility, inherent technology differences (e.g. software-defined networking instead of a physical firewall) and the need for automation, since cloud resources appear and change faster than manual review can follow.
- Evaluating technical controls: sources (SANS, CIS Benchmarks, OWASP, CSA STAR, vendor documentation), baseline configurations, CSP product comparisons.
- Measuring effectiveness: metrics that are relevant, quantifiable, understandable, evidenced, timely, actionable, accurate and owned by someone. Goal-Question-Metric approach: state the goal, derive the questions that tell whether it is met, then choose the metrics that answer those questions.

Certifications and attestations:
- Certification: an independent body assures that a product or service meets specific requirements (e.g. ISO/IEC 27001, CSA STAR Certification).
- Attestation: a statement conveying that assurance requirements were evaluated and fulfilled (e.g. SOC 1/2/3, CSA STAR Attestation, BSI C5).
- Authorization/validation: purpose-specific assessments (e.g. FedRAMP authorization, PCI DSS validation, MTCS).

3. Cloud Controls Matrix (CCM) and CAIQ

CCM purpose: a security control framework for cloud risk management that guides CSPs (best practices) and customers (evaluation of providers).
Creation: vendor-independent, consensus-driven by subject-matter experts, with open peer review.
Versions: V3.0.1 (current at the time of these notes); V4 (upcoming, merges the CCM and CAIQ into one document).
Key features:
- Mappings to 35+ industry standards, regulations and frameworks.
- Connection with the CSA Enterprise Architecture model.
- Foundation for the CSA STAR program.
- Clear control ownership (CSP/customer).
- Service-model applicability (IaaS, PaaS, SaaS).
- Standardized language for the cloud supply chain.
CCM domains (V3.0.1): AIS, AAC, BCR, CCC, DSI, DCS, EKM, GRM, HRS, IAM, IVS, IPY, MOS, SEF, STA, TVM.

Consensus Assessment Initiative Questionnaire (CAIQ): companion to the CCM.
- Yes/No questions, each with an explanation, used to verify implementation of CCM controls.
- Purpose: streamlines CSP responses to customer security inquiries; completed questionnaires are published on the STAR Registry.
- Relationship with CCM: many-to-one (several CAIQ questions cover one CCM control).

CCM and CAIQ structure (columns): control domain, control ID, control specification, architectural relevance, corporate governance relevance, cloud service delivery model applicability, supplier relationship, scope applicability.

Mapping and gap analysis:
- Mapping: CCM to other frameworks (e.g. ISO, NIST) to show equivalence.
- Reverse mapping: another framework to the CCM.
- Gap identification: no gap, partial gap, full gap.

4. Cloud Auditing Process

Definition: an independent assessment of the conformity of internal or external cloud processes with applicable requirements.
Characteristics and criteria of an audit: requester, scope, purpose/objectives, type (internal/external), access/vantage point, resourcing, sequencing, standards, constraints, reporting.
Core principles: independence; integrity and objectivity; due professional care; confidentiality; skills and competence; risk-based audit; system/process focus; avoiding operational decision-making; sensitivity to stakeholder interests; quality and continuous improvement.
Internal vs. external auditing:
- Internal: ongoing, performed within the organization, broader scope (compliance and business improvement).
- External: performed by an independent firm against specific laws or rules; focuses on compliance and the effectiveness of controls.
Auditing standards: ISO/IEC 17021, 27006, 19011, 27007, 27701, 27018, 27017; IIA Standards; ISAE 3000 and 3402; SSAE 18 (SOC reports).
Auditor competency: auditing skills, cloud security skills (CCSK, CCSP), cloud technology skills (vendor certifications).

On-premises vs. cloud auditing:
- Technical differences: ownership, location, operations, personnel, DR, management of applications, infrastructure and GRC.
- Key audit aspects (planning, timing, approach, execution, reporting/monitoring) are all affected by shared responsibility and third-party reliance in the cloud.

Assessing cloud services:
- Shared responsibility model: varies by IaaS, PaaS and SaaS, so each needs its own test plan.
- Compliance inheritance: leveraging CSP certifications (e.g. STAR, ISO) for the customer's compliance.
- Audit context: understand the organization's current state and how the cloud audit plan fits the existing approach (shadow IT, geographical data location).

Audit building/planning:
- Scope: tailored to business needs, structure and assets; define boundaries (internal controls, CSP, third parties).
- Shared responsibility model and SLAs: critical for defining who does what and for interpreting events.
- Data flow and architecture analysis: understand how data moves, how customers interact with the service, and the back-end processes.
- Assessment/audit criteria: based on regulations and standards (PCI DSS, FedRAMP, ISO) and auditor judgment.
- Roles and responsibilities: identify logical/physical access, security controls, third-party interactions.
- Competence: the auditor needs cloud concepts and specific qualifications.

Audit execution:
- Opening meeting: outline the plan, introduce the players, confirm scope, stakeholders and risks.
- Communication: continuous updates; give auditees preparation time.
- Sampling: non-statistical (judgment-based, for critical systems) or statistical (e.g. a sample of 25 components).
- Fieldwork/data collection: visual observation, records, walk-throughs, reperformance, interviews. Verify evidence and maintain chain of custody.
- Generating findings: draft findings in impersonal language and validate them with stakeholders.
- Continuous auditing: ongoing, usually automated assessment that gives near-real-time assurance.
- Reporting and distribution: inform decision-makers; cover scope, SMEs, methodology, observations and recommendations. Reports may be internal, limited-distribution or public.

5. Security, Trust, Assurance and Risk (STAR) Program

Components: technical standards (CCM, CSA GDPR Code of Conduct), accepted certification/attestation frameworks, a public registry.

Open Certification Framework (OCF) levels:
- Level 1 (self-assessment): good-to-moderate assurance, good transparency.
  - Security: voluntary publication of a completed CAIQ on the STAR Registry.
  - Privacy: based on the CSA Code of Conduct for GDPR Compliance (using the PLA template).
- Level 2 (third-party certifications/attestations): high assurance, low-to-high transparency (reports are not always public).
  - STAR Certification: ISO/IEC 27001 plus CCM; maturity model scored Bronze, Silver, Gold.
  - STAR Attestation: SOC 2 Type 1/2 plus CCM.
  - C-STAR Assessment: for the Chinese market (GB/T standards plus CCM).
  - CSA GDPR CoC Certification: third-party audit of adherence to the Code of Conduct (available 2021).
- Level 3 (continuous): very high assurance, very high transparency.
  - STAR Continuous: ongoing evaluation (monthly, daily or hourly) by automated means.
  - Continuous auditing: select the attributes to measure, define metrics, compare results with SLOs/SQOs.
  - Certification process: initialization phase (traditional audit, plus definition of the continuous-certification targets and tools), then continuous audit phase (third-party checks; tools report results to the CSA API).

STAR Registry: a publicly accessible, searchable repository of providers' security and privacy posture data.
- Goals: visibility for customers, documented CSP compliance commitments, understanding of shared responsibilities.
- API: machine-readable access to CAIQ responses.

Recognizing audit scope: must be fit for purpose (customer-focused, SLA-driven) and defines the functions, sites and activities covered.
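Added example (Python, not CSA or STAR tooling) that ties together the operationalization of technical controls and effectiveness metrics from section 2 with the continuous-audit loop of section 5: generic control statements become automatable checks, each check runs over a resource inventory snapshot, the result is measured as the fraction of conforming resources and compared with an SLO, and any run that misses an SLO is reported as a deviation with the offending resources as evidence. The control IDs are CCM-style labels chosen for illustration (the mapping to actual CCM control statements is an assumption), and the snapshot data, attribute names and SLO values are constructed.

```python
"""Continuous-audit loop: operationalized control checks run over resource
snapshots, results measured against SLOs (added example, not CSA/STAR tooling).

The control IDs are CCM-style labels chosen for illustration; verify the mapping
against the actual CCM spreadsheet before using them in a real report. The
resource snapshots, SLO values and run labels are constructed test data."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Resource = Dict[str, object]


@dataclass(frozen=True)
class ControlCheck:
    control_id: str                     # illustrative CCM-style ID (assumption)
    attribute: str                      # the attribute the continuous audit measures
    passes: Callable[[Resource], bool]  # True when a resource satisfies the control
    slo: float                          # minimum fraction of resources that must pass


# Generic control statements turned into platform-specific, automatable tests.
# Keys the (assumed) inventory collector emits: name, encryption, logging, public_access.
CONTROLS: List[ControlCheck] = [
    ControlCheck("EKM-03", "storage encrypted at rest with a customer-managed key",
                 lambda r: r.get("encryption") == "customer-managed-key", slo=1.0),
    ControlCheck("IVS-01", "access logging enabled",
                 lambda r: bool(r.get("logging", False)), slo=0.95),
    ControlCheck("IAM-02", "no anonymous (public) access",
                 lambda r: not r.get("public_access", False), slo=1.0),
]


@dataclass
class AuditResult:
    control_id: str
    attribute: str
    measured: float                                   # fraction of resources that passed
    slo: float
    failing: List[str] = field(default_factory=list)  # evidence: which resources failed

    @property
    def met(self) -> bool:
        return self.measured >= self.slo


def evaluate(snapshot: List[Resource],
             controls: List[ControlCheck] = CONTROLS) -> List[AuditResult]:
    """Run every control check over one inventory snapshot."""
    if not snapshot:
        # An empty scope is a scoping error, not 100 % conformance.
        raise ValueError("no in-scope resources in snapshot")
    results = []
    for c in controls:
        failing = [str(r["name"]) for r in snapshot if not c.passes(r)]
        measured = (len(snapshot) - len(failing)) / len(snapshot)
        results.append(AuditResult(c.control_id, c.attribute, measured, c.slo, failing))
    return results


def deviations(results: List[AuditResult]) -> List[str]:
    """Control IDs whose measured value fell below the SLO in this run."""
    return [r.control_id for r in results if not r.met]


def continuous_audit(runs: Dict[str, List[Resource]]) -> Dict[str, List[str]]:
    """Evaluate a series of snapshots (e.g. hourly collections) and report, per run,
    the controls that missed their SLO; an empty list means the run was clean."""
    return {label: deviations(evaluate(snapshot)) for label, snapshot in runs.items()}


def _bucket(name, encryption="customer-managed-key", logging=True,
            public_access=False) -> Resource:
    return {"name": name, "encryption": encryption, "logging": logging,
            "public_access": public_access}


# Constructed snapshots: a clean baseline, a run where someone created an
# unencrypted public "scratch" bucket, and a run after remediation.
BASELINE = [_bucket(n) for n in ("customer-data", "backups", "app-assets", "audit-logs")]
RUNS: Dict[str, List[Resource]] = {
    "t0": BASELINE,
    "t1": BASELINE + [_bucket("scratch", encryption="none", public_access=True)],
    "t2": BASELINE + [_bucket("scratch")],
}

if __name__ == "__main__":
    for label, snapshot in RUNS.items():
        for r in evaluate(snapshot):
            status = "met" if r.met else "DEVIATION"
            print(f"{label} {r.control_id:7} {r.measured:5.0%} (SLO {r.slo:.0%}) {status}"
                  + (f" failing={r.failing}" if r.failing else ""))
```

Run t1 reports EKM-03 and IAM-02 as deviations (4 of 5 resources pass, below a 100 % SLO) while IVS-01 stays within its 95 % tolerance; the `failing` list is the evidence an auditor would want attached to the finding, and the refusal to score an empty snapshot keeps a broken collector from being reported as a perfectly conformant environment.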