Cloud Computing: Security and Risk Management

In today’s technology-dependent business world, finance professionals are constantly looking to develop lower-cost alternatives for the information technology (IT) infrastructures of their companies. For years, they managed very costly on-site servers, equipment, and software, along with sufficient IT staff to maintain a seamless operation. Now, many companies are shifting some or all of the on-site functionality to “the cloud.”

For auditors and finance professionals a switch to the cloud has implications, particularly in maintaining the security and privacy of confidential and sensitive corporate records, and those of our customers. This article examines how to ensure viability and controls when working with cloud service providers.

What Is the Cloud?

In computing terms, the cloud can be defined as the process of using network access to ubiquitous, readily available, interconnected remote servers in order to process information rather than using dedicated, on-site, physical servers or computers. Some erroneously consider the cloud to encompass anything that is accessed outside of one’s own computer or network; but this is typically just Internet access, not the cloud. There is a difference between what is the cloud and what is simply remote information.

There are, according to cloud computing terms, a variety of cloud infrastructures, including private cloud infrastructures, public cloud services, and hybrid cloud services. Private cloud infrastructures distinguish themselves through the establishment of processes dedicated and controlled for a single organization. Conversely, public cloud services have multiple clients accessing and processing information through a shared pool of servers across a common public network. A third type of deployment model, hybrid cloud services, are composed of a combination of private and public or multiple public cloud providers bound together through technology that enables mixed security-model applications and cloud data transport between the numerous cloud infrastructures. An example of this could be storage of higher-level sensitive data in a private cloud setting, while the Web front end sits in a public cloud-hosted infrastructure.

Beyond the “accessibility” of private and public cloud deployments, there should be a consideration of the scope of services being delivered. For the most direct control, infrastructure as a service (IaaS) is a delivery model whereby a cloud service supplier provides the infrastructure of servers for computing, storage, and network access for the client. The client has control over the development of applications, processes, and security within the servers. By comparison, platform as a service (PaaS) offers both the infrastructure and the development and deployment environment for applications. The client maintains the development, testing, and change-control process, but the mechanisms for both development and deployment are controlled within the PaaS delivery structure. This simplifies the client’s responsibility to developing and deploying their applications while infrastructure-support activities, such as patching and monitoring, are provided as an outsourced service. The least client-controlled model is the software as a service (SaaS) delivery model. This option consists of all underlying solutions of infrastructure and the development and operation platform provided within the offering, leaving the client to simply administer the configuration of the software they are operating, without concern regarding the underlying support structures.

As with any emerging technology solution, benefits may also come with inherent, perceived, and real risks. Among the largest benefits are reduced capital expenditures for in-house infrastructure, scalability of solutions and costs based on a “per drink” basis, and the accessibility of information based on far-reaching network access. On the flip side, the main risks inherent in this infrastructure are the large target assumed by grouped data and shared client responsibilities (breach of one customer’s data allows access for further data incursion attempts); reduced visibility on operations, security controls, and information security processes; and a lack of control regarding information transferability under issues of vendor resilience or proprietary software usage. There are process steps that can be taken to mitigate these risks, but awareness and risk assessment are crucial to any consideration of outsourcing in-house processes to the cloud, and should be conducted prior to any implementation.

What Are the Implications?

Say you have been tasked by your board of directors and senior management with assessing the risks and benefits of transferring your company’s IT infrastructure from the server room to the cloud. What are the key risks that you must be aware of and be prepared to mitigate? First, to the extent your company manages personally identifiable information (PII), you must be aware of, and abide by, state laws governing the management of such information. You need to know where the servers reside, as not all states are consistent with how PII is to be managed. Second, will your service provider use a subcontractor (also known as a subservice provider)? If so, where will that provider’s servers be located? What technologies are the providers and subservice providers using, and is this technology consistent with yours and up to date? It is absolutely critical that you and your IT teams work closely with the service providers to ensure a seamless transfer of all data from your in-house servers to the provider’s cloud-based servers. Given you are introducing new technologies (cloud), architecture, and systems, you will want to consider the possible need to reorganize or restructure your in-house company data prior to transfer to the cloud. Since the underlying controls at the service provider’s facilities have relevance over the internal controls over your financial reporting, an audit of these controls is required.

Alternatively, if you are performing this assessment for your accounting firm, you have other rules and regulations to follow as promulgated by the AICPA Code of Professional Conduct and the Internal Revenue Code (IRC). Rule 301 of the AICPA Code of Professional Conduct and IRC Section 7216 require CPAs to protect their clients’ confidential information and prohibit the unauthorized release and/or disclosure of client information. If confidential information is breached, there are federal and state regulations that may apply, as well as state board of accountancy rules to abide by. If a CPA outsources the IT function to a cloud service provider, he or she is not relieved of the responsibility to safeguard the confidential information.

Whether you are a CPA protecting your clients’ data and information or you’re a CFO safeguarding your company’s and clients’ data, there are steps you need to take in assessing the viability of the cloud service providers you are considering. Note that if you use a cloud service provider, the services are classified as a data center; therefore, their services are subject to Statement on Standards for Attestation Engagements No. 16 (SSAE 16), Reporting on Controls at a Service Organization. The first step you need to take is obtaining an annual SSAE 16 report from the service provider, and possibly from any and all subservice providers as well. Also, perform an assessment of whether the provider has reasonable controls in place to prevent an unauthorized release of confidential information, and assess the financial viability of the provider. Does it have knowledge of applicable regulations and laws, such as the FTC Safeguards Rule, the Red Flags Rule, and the privacy requirements of the Gramm-Leach-Bliley Act and Health Insurance Portability and Accountability Act? Also, obtain a copy of their service organization control (SOC) reports issued under the guidance of SSAE 16 or other similar framework, such as ISO/IEC 27001:2013 and ISO/IEC 27002:2013.

There are three types of SOC reports: SOC 1, SOC 2, and SOC 3. SOC 1 (Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting) is specifically intended to meet the needs of user entities’ management and their auditors as they evaluate the effect of the controls at the service organization on the user entities’ financial statement assertions. SOC 2 is the Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy, and SOC 3 is the Trust Services Report for Service Organization. The SOC 3 report is designed to meet the needs of users who want assurance on the controls at a service organization related to security, availability, processing integrity, confidentiality, or privacy, but do not need the level of detail provided in a SOC 2 report. These reports are general-use reports and can be freely distributed or posted on a website as a seal.

A checklist of considerations when selecting a cloud vendor is provided in the article “Professional Liability Risks Related to Cloud Computing,” published by the AICPA Professional Liability Insurance program. It is strongly recommended that you retain documentation of the diligence procedures performed, the results obtained, and the CPA’s evaluation of the vendor. You should also perform initial and subsequent periodic evaluations to confirm the initial assessment, such as obtaining and reviewing SOC reports annually.

Another major consideration is cost. While you may save significant costs in eliminating or reducing in-house servers, a data room, and staff to manage and maintain such systems, you will incur SSAE 16 audit fees that can be anywhere from $15,000 to several hundred thousand dollars, depending on the number of service centers used and the number and complexity of the controls you stipulate for audit.

Mitigation Strategies

As mentioned, there are risks and responsibilities associated with your use or your supplier’s use of cloud technologies. There are, however, mitigation strategies related to this technology, including considerations before any cloud services are in place. First, related to the risks of unauthorized procurement and operation of cloud activity within your organization, you should establish cloud usage policies and information on the procedures related to cloud service infrastructures (such as what sensitivity level of information can be stored in cloud architectures). Having a policy in place provides risk management against rogue entities from engaging in cloud services outside of authorized channels, and establishes minimum criteria involved in the infrastructure of authorized services.

Second, with cloud service providers limiting the visibility of their internal control and security structure, clients need to assess the suppliers’ security controls and score it against their own risk appetite and security standards. For instance, clients that use SaaS cloud services are not in control of the software development change-control process that a supplier implements, and so clients should evaluate the supplier’s software development life cycle processes to ensure that key security gates are in place. Controls related to incident management, systems availability, monitoring, and resilience also should be considered as the service contract, service-level agreements, or third-party audit (see SOC reports above) provide the only assurance to these critical availability controls being in place and effective. The best time for this assessment process is before implementing services with any supplier, and clients should ensure that a right to audit or an ongoing assessment during the provisions of services exists, at least annually.

Since a cloud provider operates through virtual, remotely located systems, two aspects of data storage are relevant: the laws and regulations applicable to the information based on the data location, as well as the contractual requirements that the participating organization has with their own clients. Some cloud providers are able to either delineate at a country level where their customers’ data resides, or can identify the laws and regulations that apply to the data they house. This provides a manner to confirm that an organization is not at contract-risk based on commitments in their own client contracts. Alternatively, an organization can limit the information that they distribute to the cloud provider, especially if limitations are delineated based on the sensitivity level of the information, such as restricted information that must remain in local country systems.

Conclusion

Whether you are a CPA looking to the cloud to support the storage needs of your clients’ data or you are the CFO of a company, significant consideration needs to be given to the myriad issues inherent in any conversion to a cloud-based system. While significant benefits can be realized by shifting your in-house database to the cloud, there are also significant risks that must be understood and remediated effectively. Understanding who your service provider is, where the data will be housed, and having all SSAE 16 reports in hand will help you ensure that you are mitigating these risks as effectively as possible. Since the underlying controls at the service provider’s facilities have relevance over the internal controls over your financial reporting, it is critical that we, as CPAs, do our homework to ensure data integrity through the conversion and thereafter.

Peter J. Kaye, CPA, most recently was a senior manager in corporate finance and operations for Accenture in King of Prussia and is a member of the Pennsylvania CPA Journal Editorial Board. He can be reached at peter.j.kaye@verizon.net.