Chapter 7

Auditing in the Cloud

Two thirds of the earth’s surface is covered with water, the other third is covered with auditors from headquarters.

—Norman R. Augustine

Historically, data has been stored behind corporate firewalls in the control of the company that owns the data. It was up to the company to secure the perimeter, harden the infrastructure, and secure the databases. Auditors could come on-site and inspect the processes and controls to make their assessments. If any government agency wanted to seize any data for an investigation, it had to confront the company before doing so. The bottom line was the company that owned the data was in control. That is not the same as saying the data was secure, but responsibility for securing the data was owned by the company.

Storing the data in the cloud is a different story. Now the company has a shared responsibility with the cloud service provider (CSP) and the further up the cloud stack they go, the more responsibility the CSP takes on. In some respects this is a good thing. Why not let the CSP, whose core competencies include security and compliance, handle some of the heavy lifting around securing and encrypting data, hardening the environment, managing backup and recovery processes, and various other infrastructure-related tasks? Off-loading security and compliance to a CSP does not mean that the company is no longer accountable. It simply means the CSP provides secure and compliant cloud services, but it is still up to ...