Cloud Computing II
Overview
Cloud computing provides organizations broad access to computing resources by reducing overhead, improving performance and efficiency, facilitating collaboration, and enhancing productivity. However, cloud computing also creates challenges and introduces risks that must be managed and audited to provide reasonable assurance to key stakeholders. This course covers cloud service and deployment models, key vendor considerations and the impact on strategic and operational practices, software development, business continuity (BC) and disaster recovery (DR), cloud migration, application programming interfaces (APIs), and cloud security. There is ample coverage of key risks, controls, and best practices related to contracts, software development trends, containers, Zero Trust, and cyber liability. Throughout the course, participants connect concepts, frameworks, regulations, and industry reports from organizations like the Cloud Security Alliance (CSA), the Federal Financial Institutions Examination Council (FFIEC), FedRAMP, the Center for Internet Security (CIS) Critical Security Controls, the National Institute of Standards and Technology (NIST), Gartner, Forrester and others to risk management and audit practices, developing tailored audit programs they can use immediately.
Here are the topics we'll cover.
- Cloud Service Models Review
- NIST model of cloud computing
- Forms of service delivery
- SaaS, PaaS, FaaS, IaaS, characteristics, risks, controls, storage, and tools
- Deployment Model Review
- Deployment models
- Deployment strategy and service architecture considerations
- Key Cloud Vendors
- Quadrants for infrastructure and platform services
- Key terminology
- Risk considerations
- Key Technology: Virtualization
- Definitions, capabilities, and key considerations
- Resource aggregation and sharing
- Hypervisor security considerations and management tools
- Risk categories and auditing considerations
- Cloud Operations
- Cloud and cost considerations
- Cloud management, operations and security
- Virtual server and log management considerations
- Elasticity
- Cloud Architecture
- Key considerations, virtual private clouds (VPC), security groups, and access control lists (ACLs)
- Multi-cloud architectures
- Active directory
- Identity and Access Management (IAM)
- Key concepts, practices, and challenges
- Differences between cloud and traditional IAM
- Layers of permissions and configurations
- IAM policies, reports, access analyzers, and best practices
- IAM audit considerations
- Application Programming Interfaces (APIs)
- Characteristics and uses
- API security and management
- API risks, audit questions and key considerations
- Zero Trust
- The Zero Trust model and differences from traditional network security models
- Zero trust goals, threats, and architecture
- Risk management
- Success factors for zero trust implementations
- Audit considerations
- Shared Responsibility Model
- Key considerations and link to vendors
- Security requirements, tasks and ways to build and maintain secure applications
- Business Continuity/Disaster Recovery (BC/DR)
- Important data recovery requirements, practices and controls
- Data back-up and restore strategies
- Recovery and continuity strategy options
- Disaster Recovery as a Service (DRaaS)
- Software Development Environment
- Software release management
- System Development Life Cycle (SDLC): Traditional, Agile,
- Key tasks, roles and responsibilities
- DevSecOps, tools, and automation
- Key risks, controls, and audit considerations
- Key Technology: Microservices and Containers
- Microservice definition, characteristics, and architecture
- Type classification
- Containers: Characteristics, benefits, stacking, and security considerations
- Audit considerations
- Infrastructure as Code (IaC)
- Key concepts and best practices
- Common challenges and tools
- Automation and testing considerations
- Software Trends
- Current trends in software development
- Pipeline: Continuous Integration (CI), Continuous Delivery (CD) and Continuous Deployment (CD)
- Version control, configuration management, and monitoring
- Key risks and controls in the automated process
- Software Development Audit Considerations
- Common audit considerations for software development
- Auditing DevSecOps methodology, access control, and automation
- Key controls and testing practices
- Cloud Enables Digital Transformation in Financial Services
- Digitization vs digital transformation
- Evolution from robotic process automation (RPA) to artificial intelligence (AI)
- AI maturity model
- AI data inputs, challenges, and key audit considerations
- Cloud Security
- Key security concerns and survey results
- Ways to meet security needs and address challenges
- Best practices and pillars of data security
- Vendor offerings: Security as a service (SECaaS) and vulnerability management as a service
- Encryption
- Cloud Access Security Brokers (CASBs)
- Definitions, capabilities, and considerations
- Risk implications while preparing a risk assessment
- Cloud Migration
- Challenges of cloud application deployments
- Cloud readiness assessment and migration strategy evaluation criteria
- Best practices for cloud migration
- Incident Response (IR) in the Cloud
- Policies, roles, communications, and contracted responsibilities
- Chain of custody, response times, legal and forensic implications
- Incident response frameworks and recommended practices
- Audit considerations for various service models
- Cloud Risks
- Analyst’s reports
- Key regulatory requirements
- Threat modeling, risk categories, risk management, and audit considerations
- Cloud Governance
- Goals of IT governance and link to risk management
- Key guidance, requirements and best practices
- Governance challenges
- Due Diligence
- The review of internal processes before a cloud decision
- Essential due diligence resources and steps
- Contracts/Service Level Agreements (SLAs)
- Contractual considerations and key terms
- Best practices for SLAs
- Cyber Liability Insurance
- Market reports and analysis
- Common reasons for cyber liability insurance claim denials
- Audit considerations
- Audit and Assurance
- Objectives and scope of cloud audits
- Common audit challenges, issues, and recommendations
- Top governance and operations controls
- Review of key examination areas
Here are the learning objectives we'll cover.
- Examine cloud computing service models, features, and characteristics.
- Evaluate key indicators of effective cloud computing configuration and practices.
- Apply key risks, controls, and audit techniques.