As cloud computing gets increasingly complex and finds use in core enterprise applications, it is time to pay more attention to auditing. Auditing ensures that your cloud installations work per your expectations. The audit can be done either internally by your IT or business teams, or by a third-party service. Regardless of who does the audit, it is important to understand the different considerations in cloud auditing.
Regulatory compliance audit
In many industries, such as healthcare and finance, there are strong regulations that mandate how data should be handled, where it should be stored and how consumer data is protected. Failing to comply with these regulations might invite hefty fines and/or legal proceedings.
The regulatory compliance audit lists all the regulations that affect your data and applications, and checks whether each of those regulations is met in your cloud setup. For instance, regulations in some industries prevent the storing of data offshore. In that case you have to make sure that your cloud service provider has domestic datacenters and uses them to handle your data and applications.
Disaster Recovery/Business Continuity (DR/BC) audit
Disaster can strike an enterprise in many forms. There could be natural disasters such as floods and earthquakes, and there could be manmade disasters that disrupt your installations. It is the role of the DR/BC audit to ensure that the IT infrastructure continues to be operational, at least partially, despite the disaster. Mean time to recovery and amount of data recovered are important metrics in this audit.
Security audit
Security should be one of the most essential aspects of any enterprise IT system. The security audit must uncover the various vulnerabilities in your cloud solution. Some of the security issues include unauthorized access, intentional destruction of data and Denial of Service (DoS). The audit should make sure the setup is sufficiently protected against the common types of attacks and has an adequate level of security that satisfies the enterprise requirements. Sufficient attention must be paid to data security issues to protect against any information leakage.
Performance and Reliability audit
One of the biggest considerations in moving to the cloud is reliability. The reliability audit must make sure that your data is available to employees and customers 24/7. The cost of downtime can be very high, in terms of lost employee productivity and loss of goodwill from customers. The audit should also spell out the SLA requirements and find out whether all the providers satisfy those requirements.
Performance audits must identify the various metrics (time to save a document, loading time of the website landing page, etc.) and verify whether the cloud setup satisfies those metrics. The performance and reliability audits could also make use of stress tests to make sure the stack used is robust under severe load conditions.
ROI and business audit
Migration to cloud computing has to make proper business sense, and this audit computes the ROI (Return on Investment) for the cloud infrastructure on which you have spent your time and money. The audit should arrive at the total cost of the solution (including the retraining costs) and find out whether it is cheaper than the alternatives.
The business audit must spell out the various business metrics and goals against which the cloud services have to be tested.
By Balaji Viswanathan