Most large organizations are using Microsoft’s Azure cloud computing services in one form or another. Indeed, Microsoft claims more than 95% of Fortune 500 companies use Azure. Among other things, Azure supports data analytics, data warehousing, DevOps, storage, virtual desktops, and fully managed infrastructures. Additionally, organizations can integrate the services within Azure into a corporate network in the same way traditional data centers are connected.
Yet, despite Azure’s pervasiveness, many organizations don’t fully understand the effects the platform may have on daily operations and personnel, or the potential security implications. Azure’s services can introduce security and data privacy risks such as inappropriate administrative access, less clarity on role-based access permissions, or inappropriate remote access. For instance, in May 2019, Azure suffered a global outage caused by a domain name system configuration issue, according to Build5Nines.com, which covers cloud technology.
Internal audit can assist the organization in identifying the risks introduced with cloud computing. Partnering with the organization’s business units, understanding the technologies, and providing a systematic approach can help to remedy those risks.
When auditing Azure, internal auditors should begin by obtaining an inventory of all Azure services in use by the organization. If an inventory does not exist, internal audit can help build one. Auditors can use native reports within Azure or custom scripts to export inventory data from the system.
Next, auditors should understand how these services are implemented, as well as IT’s control environment or processes related to cloud services. Are there documented procedures for administering the environment? Is formal change management used in all aspects of the cloud such as networking, storage, maintenance, and provisioning?
For example, with database platform as a service, auditors should understand the database platforms and how they are configured and secured. The organization may set up its own servers in an Azure virtual environment or use Microsoft’s Azure SQL server. Each method poses unique audit considerations that need to be investigated.
A third step is performing a risk analysis to determine the risks associated with each of the services and their pervasiveness. Auditors should be aware of how moving these services out of traditional data centers impacts connectivity, communication requirements, separation of duties, latency, response time, administrative security, and compliance. Whenever possible, auditors should partner with IT to monitor key performance indicators based on risk to assist with ongoing control monitoring and operations.
A Plan for the Cloud
Once internal auditors have completed these three steps, they are ready to build their audit plan. In doing so, auditors need to address several aspects of the Azure platform.
Azure Security Center Internal audit, IT, or management can quickly identify the organization’s Secure Score — which measures its security posture — through the Azure Security Center. The center provides security recommendations based on the organization’s current configurations and monitors system updates, vulnerabilities, network security, and other areas.
In addition, Security Center prioritizes recommendations, so auditors know where to start with their assessment. The dashboard groups the organization’s security hygiene into categories such as compute and apps, networking, data and storage, identity and access, and security solutions. Auditors should note that the dashboard and associated recommendations are alerts rather than enforced security configurations.
Networking and Virtual Machines Cloud environments can be complex with virtual networking, firewalls, and machines configured from a browser or Microsoft’s Azure PowerShell scripting language. Azure administration can be performed via a web browser, and workloads can be administered remotely using many other secure and insecure methods.
Internal audit can help the organization take a strategic approach to risk by validating that remote access to the environment is restricted appropriately and Azure access is secured with multifactor authentication. Simple passwords can be stolen, compromised, or “brute-force” attacked. Once one machine is compromised, it can be used to compromise other Azure resources or attack other networked devices. Multifactor authentication goes beyond passwords by requiring more than one method of authorization for access. In addition to multifactor authorization, all administrative workload access from the internet should be configured for just-in-time security access, which builds secure connections over the internet.
Azure Active Directory With more than one billion user identities hosted, Azure Active Directory is one of the most pervasive organizational risks for businesses using the platform. Services such as SQL databases, data warehouses, and virtual machines all leverage Azure Active Directory, as do Office applications.
Depending on how the organization has implemented Azure Active Directory, it can pose significant administrative access risks. Traditionally, when reviewing administrators for on-premises Active Directory, auditors will evaluate enterprise administrators and domain administrators. However, with Azure Active Directory, there are potentially global administrative accounts. These global accounts could create an account with elevated permissions on the organization’s domain. Moreover, they are unlikely to appear in any traditional audit script outputs.
On top of this, in Azure, administrators can create custom groups that have less visibility in the environment. Auditors need to fully understand the risk and compliance implications of these custom groups.
Database Services Depending on how the organization stores its databases within Azure, it may have access to database security features such as logging, log retention, data encryption, and restricted elevated access. Auditors should understand which features are in place and how they are monitored.
In addition to the security concerns in the previous section, internal auditors should review areas such as data loss prevention, data classification, encryption, and Azure certifications and compliance. Compliance may include the International Organization for Standardization’s ISO 27001, System and Organization Control (SOC) reports, the U.S. Health Insurance Portability and Accountability Act, and Payment Card Industry Data Security Standard.
Because these services are complex, internal audit could perform smaller audits around specific areas one at a time. For example, auditors could separate networking, Azure Active Directory, and Security Center into their own audits and prioritize them based on risk. Auditors can leverage free Azure benchmarks issued by the Center for Internet Security and Azure’s SOC reports when building out audit plans.
Auditing the Azure environment can be challenging because of the platform’s constantly changing and complex design. Internal audit may need to hire outside expertise to evaluate the design and operation of controls in these environments. But by overcoming these challenges and performing audits, internal audit can provide assurance that cloud operations are secure.
KARI ZAHAR is a senior manager at Stinnett & Associates in San Antonio, Texas, and an accounting analytics professor at Trinity University in San Antonio.
JEREMY PRICE, CISA, MCSE, ABCP, is a senior manager at Stinnett & Associates in Tulsa, Oklahoma.
CURTIS GRIFFIN, GICSP, is a manager at Stinnett & Associates in Tulsa, Oklahoma.
“This article was posted with permission from the December 2019 issue Internal Auditor published by The Institute of Internal Auditors, Inc., www.theiia.org”