Common pitfalls

With the scale, speed, and flexibility of the cloud comes complexity, and that complexity brings its own pitfalls. We will review two broad areas of common pitfalls that the IT auditor should be aware of. The first is administrative: failing to manage resource usage and cost, being unable to control shadow IT, and a lack of automation. The second is technical: misconfiguration, granting users overly permissive access, and the inadvertent exposure of data such as credentials.

Let’s look at the most common pitfalls IT auditors should focus on during an audit, and the recommendations they may consider making to a cloud customer.

Inability to forecast resource usage and costs

Cloud service providers such as Amazon Web Services (AWS), Azure, and GCP offer hundreds of services to choose from. Cloud customers frequently choose services that are not suited to their business needs because of poor planning, in particular a failure to understand the requirements of the business before selecting a service.

Cloud service providers have complex pricing models, with rates that vary by service, region, and many other parameters. If an organization does not fully understand a provider’s pricing model, or how its bill will grow as its usage of a service grows, it may incur unexpected costs.

Unused resources left running can easily cause cloud costs to spiral out of control. Organizations need to know which types of resources their applications consume, in what quantity, and along which pricing dimension each is billed (for example per instance-hour, per GB-month of storage, or per request). In addition, organizations should automate provisioning and de-provisioning using the provider’s auto-scaling features, so that capacity follows demand rather than being left running at its peak.

An IT auditor should examine whether the organization uses tools for tracking and reporting its cloud costs. Such tools include the providers’ own billing and cost-management consoles as well as third-party tools such as CloudCheckr and CloudHealth.

In addition, an IT auditor should evaluate whether the organization uses tags to attribute consumption and support forecasting. Tags are key-value metadata attached to resources that describe and identify them (for example owner, cost center, and environment) across the organization’s cloud environments. Consistently applied tags are therefore essential for gaining visibility into cloud consumption and expenditure. The caveat is that tagging is only as useful as its enforcement: spend on untagged resources cannot be attributed to anyone, which is exactly where waste hides. The auditor should check that a tagging standard exists and that untagged resources are reported and remediated.
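The following is an added example, not code from the original page: a small Python script of the kind an auditor could run over a resource inventory export to test the two recommendations above, flagging resources that violate a tagging standard, attributing spend by cost center (with untagged spend in its own bucket), and listing resources that cost money while idle. The inventory, the required tag keys, the resource IDs, and the monthly cost figures are all constructed for illustration; a real export from a provider’s API would carry the same kind of fields but under the provider’s own names.

```python
"""Cost-visibility checks over a resource inventory (added example, not from the page).

INVENTORY is constructed: the IDs, tags and prices are made up to mimic the fields an
inventory export from a cloud provider's API would contain.
"""
from collections import defaultdict

# Tag keys a hypothetical tagging standard requires on every resource.
REQUIRED_TAGS = ("owner", "cost-center", "env")

# Constructed inventory: not real resources; monthly_cost is an illustrative estimate.
INVENTORY = [
    {"id": "i-0a1", "type": "instance", "region": "us-east-1", "state": "running",
     "tags": {"owner": "payments", "cost-center": "CC-100", "env": "prod"}, "monthly_cost": 140.16},
    # Stopped instance: compute is no longer billed, but its attached storage still is.
    {"id": "i-0b2", "type": "instance", "region": "us-east-1", "state": "stopped",
     "tags": {"owner": "payments", "cost-center": "CC-100"}, "monthly_cost": 8.00},
    # Orphaned volume left behind after its instance was terminated.
    {"id": "vol-9c3", "type": "volume", "region": "eu-west-1", "state": "available",
     "attached_to": None, "tags": {}, "monthly_cost": 25.60},
    {"id": "i-0d4", "type": "instance", "region": "eu-west-1", "state": "running",
     "tags": {"env": "dev"}, "monthly_cost": 70.08},
    {"id": "db-1e5", "type": "database", "region": "us-west-2", "state": "available",
     "tags": {"owner": "analytics", "cost-center": "CC-200", "env": "prod"}, "monthly_cost": 410.00},
]


def find_untagged(resources, required=REQUIRED_TAGS):
    """Map each non-compliant resource ID to the list of required tags it is missing."""
    missing = {}
    for res in resources:
        absent = [key for key in required if key not in res.get("tags", {})]
        if absent:
            missing[res["id"]] = absent
    return missing


def spend_by_tag(resources, key, untagged_label="(untagged)"):
    """Aggregate monthly spend by the value of one tag; unattributable spend gets its own bucket."""
    totals = defaultdict(float)
    for res in resources:
        bucket = res.get("tags", {}).get(key, untagged_label)
        totals[bucket] += res["monthly_cost"]
    return {bucket: round(cost, 2) for bucket, cost in totals.items()}


def unattributed_share(resources, key):
    """Fraction of total spend that cannot be attributed through the given tag (3 decimals)."""
    totals = spend_by_tag(resources, key)
    total = sum(totals.values())
    return round(totals.get("(untagged)", 0.0) / total, 3) if total else 0.0


def find_idle(resources):
    """IDs of resources that are billed while doing no work, using two simple rules of thumb."""
    idle = []
    for res in resources:
        if res["type"] == "instance" and res["state"] == "stopped":
            idle.append(res["id"])
        elif res["type"] == "volume" and res.get("attached_to") is None:
            idle.append(res["id"])
    return idle


if __name__ == "__main__":
    print("Missing tags:", find_untagged(INVENTORY))
    print("Spend by cost center:", spend_by_tag(INVENTORY, "cost-center"))
    print("Unattributed share:", unattributed_share(INVENTORY, "cost-center"))
    print("Idle resources:", find_idle(INVENTORY))
```

The unattributed share is the number an auditor should ask for first: in the constructed data about 15 percent of spend has no cost center, and two of the three untagged resources are also the idle ones, which is the usual pattern. The idle rules are deliberately crude; in practice they would be combined with utilization metrics and a minimum age so that a volume detached five minutes ago is not reported.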

The impact of shadow IT

Cloud computing has made it easy for users to bypass organizational procurement processes and access the cloud solutions they want. For instance, anyone with a credit card can spin up an account in AWS, Azure, or GCP without the organization’s knowledge. This is referred to as shadow IT.

Shadow IT is the practice of bypassing organizational processes and adopting IT solutions without the knowledge or approval of the organization. The risk is that corporate data ends up outside the protection of the organization’s security controls: it is not covered by its identity management, logging, backup, or data loss prevention measures. As a result, shadow IT increases the risk of a data breach, and of a breach that goes undetected.

An IT auditor should evaluate whether the organization uses tools to track which cloud services are being accessed, such as web proxy or DNS logs, a cloud access security broker (CASB), single sign-on logs, and expense records, to confirm that no cloud services are in use that are not authorized or supported.
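As an added example (not code from the original page), the script below shows the simplest form of the tracking just described: it reads web proxy log lines, maps destination hostnames to the cloud or SaaS service they belong to, and reports every service that is not on the organization’s approved list, with the users and volume involved. The log format, hostnames, user names, byte counts, the domain-to-service map, and the approved set are all constructed assumptions for illustration; a real deployment would use the proxy vendor’s actual format and a maintained list of service domains.

```python
"""Shadow IT discovery from web proxy logs (added example, not from the page).

LOG_LINES are constructed; the key=value format, hostnames, users and byte counts are
made up. KNOWN_SERVICES maps domain suffixes to the cloud/SaaS service they belong to,
and APPROVED is the hypothetical sanctioned list.
"""
import re
from collections import defaultdict

# Constructed proxy log in a simple key=value format (not a real vendor format).
LOG_LINES = """\
2024-05-02T10:14:03Z user=alice dst=console.aws.amazon.com bytes=12034
2024-05-02T10:15:47Z user=bob dst=portal.azure.com bytes=88210
2024-05-02T10:16:02Z user=alice dst=intranet.example.com bytes=2048
2024-05-02T10:17:30Z user=carol dst=www.dropbox.com bytes=5242880
this line is malformed and must be skipped rather than crash the report
2024-05-02T10:18:11Z user=bob dst=management.azure.com bytes=40960
2024-05-02T10:19:55Z user=dave dst=console.cloud.google.com bytes=1024
"""

# Domain suffix -> service. Deliberately tiny; a real list would be maintained externally.
KNOWN_SERVICES = {
    "aws.amazon.com": "AWS",
    "amazonaws.com": "AWS",
    "azure.com": "Azure",
    "cloud.google.com": "GCP",
    "dropbox.com": "Dropbox",
}

# Hypothetical sanctioned set: only AWS is approved in this example.
APPROVED = {"AWS"}

LINE_RE = re.compile(r"^(\S+) user=(\S+) dst=(\S+) bytes=(\d+)$")


def classify(host):
    """Return the service a hostname belongs to, or None if it is not a known cloud/SaaS domain."""
    host = host.lower().rstrip(".")
    for suffix, service in KNOWN_SERVICES.items():
        if host == suffix or host.endswith("." + suffix):
            return service
    return None


def parse_log(text):
    """Yield (user, host, bytes) for each well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            _, user, host, size = match.groups()
            yield user, host, int(size)


def unsanctioned_services(text, approved=APPROVED):
    """Summarize cloud/SaaS services seen in the log that are not on the approved list."""
    report = defaultdict(lambda: {"users": set(), "events": 0, "bytes": 0})
    for user, host, size in parse_log(text):
        service = classify(host)
        if service is None or service in approved:
            continue
        entry = report[service]
        entry["users"].add(user)
        entry["events"] += 1
        entry["bytes"] += size
    # Turn user sets into sorted lists so the output is deterministic.
    return {svc: {"users": sorted(e["users"]), "events": e["events"], "bytes": e["bytes"]}
            for svc, e in sorted(report.items())}


if __name__ == "__main__":
    for service, info in unsanctioned_services(LOG_LINES).items():
        print(f"{service}: {info['events']} requests, {info['bytes']} bytes, users={info['users']}")
```

Two caveats an auditor should keep in mind when reading such a report. First, an approved service is not the same as an approved tenant: traffic to AWS is sanctioned here, but proxy logs alone cannot tell a corporate account from an employee’s personal one, so the check should be paired with single sign-on logs or the provider’s own organization-level account inventory. Second, a suffix list only finds what it knows about; unknown destinations with large upload volumes deserve a separate look.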