Trust in the Cloud – What matters in audits of cloud services

Cloud computing is now an integral part of the modern IT and business world. An important success factor for the cloud is to create trust in cloud systems and their providers - for example, through audits of cloud providers. Therefore, the focus is on innovative approaches to ensure cloud compliance in an economical, effective and future-oriented manner - thereby increasing trust in the cloud. PwC outlines in detail how such an approach could look like in a technical paper.

"The cloud has already become a reality in modern IT departments and it is impossible to imagine life without it. This makes it all the more important to ensure transparency and trust in cloud-based applications and services through appropriate compliance confirmations. This is the only way for companies to take advantage of new IT trends in the future".

Markus Vehlow,responsible partner for Cloud Assurance at PwC Germany

Your expert for questions

Markus Vehlow

Markus Vehlow
Partner responsible for Cloud Assurance
PwC Germany

Why Cloud Compliance is so important

Cloud services offer numerous advantages - from greater agility and flexibility to greater cost-effectiveness, scalability and possible added security. The cloud also forms the basis for digital business models and new IT trends such as artificial intelligence (AI), the Internet of Things (IoT) or block chain.

By outsourcing IT systems to third parties, the cloud user gives up some of the direct control over the provided infrastructure and data to the cloud provider. This makes the issue of cloud compliance all the more important when selecting a suitable provider. Audits by independent, trustworthy third parties are almost the only way to establish this trust today based on reporting and certificates. Especially for large infrastructure providers and when using so-called hyperscalers, it is important to know the current challenges of compliance and to find solutions for them.

Audit and verification of compliance in the Hyperscale cloud

Self-disclosure and third-party audits have become established as common tools for demonstrating cloud compliance. In the case of self-disclosure, the cloud provider makes a statement about cloud compliance themself - for example as a result of a request from the cloud user. Common forms are structured questionnaires or publicly accessible criteria catalogs.

In the case of third-party audits, there is a distinction between voluntary and legally required audits, with voluntary audits being the most common procedure for proving compliance with hyperscalers. They follow generally accepted testing schemes, such as ISO standards or the specifications of the German Federal Office for Information Security (Bundesamtes für Sicherheit in der Informationstechnik (BSI)) and the International Auditing and Assurance Standards Board (IAASB).

Third party audits may also result from regulatory requirements. However, statutory audits are only suitable to a limited extent as proof of compliance for cloud users. This is because the results are primarily sent confidentially to the government agencies and supervisory bodies that have commissioned them.

Established tools and approaches soon reach their limits

The audit methods in use today share the difficulty of reflecting the increasing complexity, dynamics and diversity of cloud services. The usual methods rely heavily on manual audit approaches, such as interviewing staff and reviewing written and electronic evidence. Commonly used audit schemes are also based on a point in time or period of time in the past. Hyperscalers however, regularly adapt their cloud services to pass on innovations to users. As a result, test results from the past are only partially transferable to the present and future. New approaches must therefore be found in order to establish Cloud Compliance in an economical, effective and future-oriented manner and thus create trust and transparency in the cloud.

Continuous testing as an innovative solution approach

An innovative approach is the continuous and up-to-date review of requirements or criteria based on continuous data collection and analysis. On one hand, this is based on the standardization and automation of processes and associated controls at the cloud provider. On the other hand, the continuous review also includes ongoing data collection, automated review procedures and the up-to-date presentation of the results of the review to the auditor.

Four process steps can be distinguished:

(1) Data collection and storage: The cloud provider collects the data required for the analysis and stores it in evaluable formats.

(2) Data analysis: The data is analyzed using test cases. This allows deviations from the target state to be detected and controls that are not functioning correctly to be identified.

(3) Provision of the analysis results: In the next step, the results can be made available to various stakeholders via a graphical interface to increase transparency. In the same way, a correction can be made automatically to correct identified deviations.

(4) Reporting: The auditor can create cloud compliance confirmations based on the results of the data analysis.

"I am strongly convinced that fully automated testing will be accepted in principle. This is because it ensures a high level of transparency and audit reliability and strengthens the validity of the audit results and reports.”

Markus Vehlow,Partner responsible for Cloud Assurance at PwC Germany

All Stakeholders are Involved

In order to continue to benefit from the advantages of cloud computing in the future, a number of further developments are therefore needed in the area of cloud compliance, for example in terms of technical and organizational requirements, but also in terms of audit execution and reporting.

"Regulators, cloud providers, standardization organizations, auditors and cloud users in particular are now called upon to work together to develop new approaches and drive forward the further development of cloud audits and ensure that they are widely recognized."

Markus Vehlow,Partner responsible for Cloud Assurance at PwC Germany

This is what the various stakeholders can do

  • Regulators: Accept reports and results from automated tests.
  • Cloud providers: Implement measures for continuous testing.
  • Standardization authorities: Create combination possibilities for testing and more mutual recognition.
  • Auditors: Further implement greater digitization and automation of their testing methods.
  • Cloud users: Work towards further individualization and professionalization and automation of their compliance management.

"Both the proof of cloud compliance and the auditing methods themselves are on the verge of a radical change. Now it is important to further automate the processes of cloud providers and auditors in order to enable a universally recognized, targeted, customizable and continuous audit.“

Markus Vehlow,responsible partner for Cloud Assurance at PwC Germany

Contact us

Markus Vehlow

Markus Vehlow

Partner, Cloud Assurance, PwC Germany

Follow us