Why cloud auditing at the right time is essential


As organizations expand their cloud posture, knowing what cloud auditing is and how to do it effectively second cloud provider because their original provider just isn’t as good at new workloads.


Multi-cloud set-ups, where cloud computing services come from at least two providers, are a perfectly fine strategy. As Gartner puts it, “A well-governed multi-cloud strategy can improve access to a breadth of technology choices and innovative best-of-breed capabilities.”

Over time, though, the waters can get muddied. Organizations must know what is going on with each of their cloud providers, and that they are paying only for the services they need. A regular audit, in which the outgoings and benefits associated with each cloud service are interrogated, is vital. Audits often lead to a systematic clearout of unwanted services and can reduce costs and paperwork, cut wasted staff time, and help leaders assess their cloud strategy.

What are the different types of cloud auditing?

There are several different types of cloud auditing, and each comes with its own follow-through actions. Some are ongoing, others more formally timetabled. Perhaps the most straightforward audit is a cost review. “It tends to involve a three to four-week desk-based review of architecture and consumption patterns,” says Adrian Bradley, head of cloud transformation at KPMG, who tells ITPro that this is the most common review used to identify savings opportunities. Actions coming out of this kind of audit include finding ways to mitigate overspending with the existing provider, looking for an alternative provider, or engaging in cloud repatriation.

A second common type of cloud audit focuses on cloud security controls. This should be an ongoing process that measures the estate against a recognized control framework, and it may require little human interaction. “In mature cloud organizations, these are highly automated and operate as continuous compliance, where estates are constantly monitored for workloads going out of compliance,” Bradley adds.

“But many estates lack this level of automation, and ‘manual’ reviews that enable the development of automation are the fallback.” Whatever the level of automation, the actions coming out of a security audit must focus on bringing non-compliant workloads back within the chosen framework, not merely on producing a report.
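To make the “continuous compliance” idea above concrete, here is a small policy-as-code check of the kind that sits at the heart of such automation. This is an added illustration, not code from the article, KPMG, or any cloud provider: it evaluates a constructed resource inventory (the kind of normalized export a provider's configuration or inventory API might yield) against four hypothetical control rules, and separates new findings from ones already known from the previous run. The `CTRL-*` labels, resource shapes and inventory contents are all invented for the example and do not refer to any published framework or real account.

```python
"""Minimal continuous-compliance check: evaluate a cloud resource inventory
against a handful of control rules and report new drift.

Added example for illustration only. The inventory below is constructed,
not exported from a real account, and the CTRL-* identifiers are invented
labels, not references to a published framework.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed inventory: what a nightly export from a provider's
# inventory/config API might look like after normalisation (assumed shape).
INVENTORY = [
    {"id": "bucket-logs", "type": "storage_bucket",
     "public_access": False, "encrypted": True},
    {"id": "bucket-marketing", "type": "storage_bucket",
     "public_access": True, "encrypted": False},
    {"id": "sg-web", "type": "security_group",
     "ingress": [{"cidr": "0.0.0.0/0", "port": 443}]},
    {"id": "sg-bastion", "type": "security_group",
     "ingress": [{"cidr": "0.0.0.0/0", "port": 22}]},
    {"id": "alice", "type": "iam_user", "mfa_enabled": True},
    {"id": "svc-deploy", "type": "iam_user", "mfa_enabled": False},
]

ADMIN_PORTS = {22, 3389}  # SSH and RDP: never open to the whole internet


@dataclass(frozen=True)
class Finding:
    control: str
    resource_id: str
    detail: str


# Each rule returns a detail string when the resource is out of compliance,
# and None when the rule does not apply or the resource passes.
def no_public_buckets(r: dict) -> Optional[str]:
    if r["type"] == "storage_bucket" and r["public_access"]:
        return "bucket allows public access"
    return None


def buckets_encrypted(r: dict) -> Optional[str]:
    if r["type"] == "storage_bucket" and not r["encrypted"]:
        return "bucket is not encrypted at rest"
    return None


def no_open_admin_ports(r: dict) -> Optional[str]:
    if r["type"] != "security_group":
        return None
    open_ports = sorted(
        rule["port"] for rule in r["ingress"]
        if rule["cidr"] == "0.0.0.0/0" and rule["port"] in ADMIN_PORTS)
    if open_ports:
        return f"admin port(s) {open_ports} open to 0.0.0.0/0"
    return None


def users_have_mfa(r: dict) -> Optional[str]:
    if r["type"] == "iam_user" and not r["mfa_enabled"]:
        return "user has no MFA enabled"
    return None


RULES: Dict[str, Callable[[dict], Optional[str]]] = {
    "CTRL-01 no public buckets": no_public_buckets,
    "CTRL-02 encryption at rest": buckets_encrypted,
    "CTRL-03 no admin ports open to the internet": no_open_admin_ports,
    "CTRL-04 MFA on every user": users_have_mfa,
}


def evaluate(inventory: List[dict]) -> List[Finding]:
    """Run every rule over every resource and return all findings."""
    findings = []
    for r in inventory:
        for control, rule in RULES.items():
            detail = rule(r)
            if detail:
                findings.append(Finding(control, r["id"], detail))
    return findings


def drift(previous: List[Finding], current: List[Finding]) -> List[Finding]:
    """Findings that did not exist in the previous run: the set a
    continuous-compliance pipeline alerts on, as opposed to already-known,
    ticketed findings that would otherwise drown the on-call engineer."""
    new = set(current) - set(previous)
    return sorted(new, key=lambda f: (f.control, f.resource_id))


if __name__ == "__main__":
    for f in evaluate(INVENTORY):
        print(f"{f.control}: {f.resource_id}: {f.detail}")
```

The point of `drift` is the operational one Bradley alludes to: a scheduled run only adds value if someone acts on what it reports, so a pipeline should surface what changed since the last run and route known findings to existing tickets rather than re-alerting on them every night.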

The broadest form of auditing looks at an organization’s entire cloud environment across all providers, to ensure the cloud estate as a whole is performing optimally. It will be for each organization to define the scope of an audit of this kind, and to understand which responsibilities lie internally versus with any third parties. Sander Barens, chief product officer at Expereo, tells ITPro that the audit process should mimic everyday user experience as closely as possible.


“There will be no one size fits all approach to improving cloud performance, however, and each audit should unveil different challenges, and solutions to them, for businesses to address,” Barens notes. A thorough audit of this kind yields actionable insights. While ultimate responsibility for all of this lies at board level, the chief information officer (CIO) and chief information security officer (CISO) will not be the ones carrying out the audit themselves. That work could fall to internal staff, but there are solid arguments for turning to external specialists for a formal auditing process: they should be free of organizational baggage and loyalties, and will ideally make constructive suggestions for action based on the insights they gain.

Oversight and strategy for cloud auditing

It is important to remain vigilant for telltale signs outside of any formalized auditing regime, since they may call for immediate remedial action. One such sign is a spike in cloud computing costs noted by accounting teams without any corresponding notification from the provider. If that happens, an audit will be necessary to determine whether the cloud provider has suddenly raised its fees and whether competitor services are a viable alternative. Technology teams and finance teams must work together to get to the bottom of such concerns.

“FinOps-style services and solutions are fast becoming a vital requirement to ensure that cloud workloads are being deployed most cost-effectively for optimal performance and latency concerns,” Bola Rotibi, chief of enterprise research at CCS Insight, tells ITPro. Any breakdown, outage, slowdown, or other performance issue ought also to trigger some form of scrutiny. IT leaders should know the most likely reasons for a cloud outage, and there are specific steps firms more dependent on the public cloud, such as SMBs, can take to prepare for the cloud going down. But if outages are regular, it may be worth considering changing provider altogether. “Too many outages should also trigger an audit,” Rotibi adds.

Any issue with a service level agreement (SLA) is another cause for concern. Depending on the nature of the issue, an audit of services may or may not be necessary, but the organization’s own risk profile should define the trigger point in advance rather than leaving it to be decided during the incident.

The right frequency for cloud auditing depends on many factors, including workload, the maturity of the cloud provision, the complexity of the organization’s work, and its multi-cloud set-up. A formal audit might be triggered by something as serious as a financial anomaly, but outside of any such trigger, audits should be scheduled into the regular risk work of the board.

Without serious and ongoing attention to auditing cloud provision, an organization can fall into bad habits: siloed datasets, duplicated processes, and the muddled policy and actions these generate. In the end, achieving a sleek cloud estate, whether through a multi-cloud architecture or an alternative, will rely on formal auditing carried out on a rigorous schedule.

Sandra Vogel
Freelance journalist

Sandra Vogel is a freelance journalist with decades of experience in long-form and explainer content, research papers, case studies, white papers, blogs, books, and hardware reviews. She has contributed to ZDNet, national newspapers and many of the best known technology web sites.

At ITPro, Sandra has contributed articles on artificial intelligence (AI), measures that can be taken to cope with inflation, the telecoms industry, risk management, and C-suite strategies. In the past, Sandra also contributed handset reviews for ITPro and has written for the brand for more than 13 years in total.