The cloud is not necessarily any more or less secure than an on-premises technical architecture. The threats in on-premises and public cloud ecosystems are broadly similar. There are entire application ecosystems running in public cloud that have strong cyber defences with multiple layers of security. Equally, many cloud solutions are deployed with default configurations and unresolved patch management issues.
Questions audit committees could ask:
• Are technical risks covered with clear responsibilities and mitigating actions? Has the organisation put an agreement and action plan in place to cover risks such as resource exhaustion, isolation failure, malicious insider, interface compromise, data interception, data leakage, insecure data deletion, denial of service (DoS) attacks, and loss of encryption keys? Are key personnel aware of the steps they would need to take in the event of different kinds of security breach?
• Are the required legal and policy agreements in place? Do contracts cover data protection risks, licensing risks and changes of jurisdiction? What are the policies covering key issues such as vendor lock-in, governance, compliance, reputation and supply chain failures?
• Have business continuity plans been updated? Is the organisation prepared for a range of scenarios for service outage?
• Are plans in place to cover the event of data loss? Is key data covered by a system of point-in-time backups? Are there plans in place to support ongoing business in the event of data being lost?
• Are financial controls fully tested and compliant with best practice? How robust is identity management to ensure that financial controls are not undermined (for example, segregation of duties)?