Cloud Computing II

Cloud computing provides organizations broad access to computing resources by reducing overhead, improving performance and efficiency, facilitating collaboration, and enhancing productivity. However, cloud computing also creates challenges and introduces risks that must be managed and audited to provide reasonable assurance to key stakeholders. This course covers cloud service and deployment models, key vendor considerations and the impact on strategic and operational practices, software development, business continuity (BC) and disaster recovery (DR), cloud migration, application programming interfaces (APIs), and cloud security. There is ample coverage of key risks, controls, and best practices related to contracts, software development trends, containers, Zero-Trust, and cyber liability. Throughout the course, participants connect concepts, frameworks, regulations, and industry reports from organizations like the Cloud Security Alliance (CSA), the Federal Financial Institutions Examination Council (FFIEC), FedRamp, the Center for Internet Security (CIS) Critical Security Controls, the National Institute of Standards and Technology (NIST), Gartner, Forrester and others to risk management and audit practices, developing tailored audit programs they can use immediately.

Here are the topics we'll cover.

1. Cloud Service Models Review 
   • NIST model of cloud computing 
   • Forms of service delivery 
   • SaaS, PaaS, FaaS, IaaS, characteristics, risks, controls, storage, and tools  
2. Deployment Model Review 
   • Deployment models 
   • Deployment strategy and service architecture considerations  
3. Key Cloud Vendors 
   • Quadrants for infrastructure and platform services 
   • Key terminology 
   • Risk considerations 
4. Key Technology: Virtualization 
   • Definitions, capabilities, and key considerations 
   • Resource aggregation and sharing 
   • Hypervisor security considerations and management tools 
   • Risk categories and auditing considerations 
5. Cloud Operations 
   • Cloud and cost considerations 
   • Cloud management, operations and security 
   • Virtual server and log management considerations 
   • Elasticity 
6. Cloud Architecture 
   • Key considerations, virtual private clouds (VPC), security groups, and access control lists (ACLs)  
   • Multi-cloud architectures 
   • Active directory 
7. Identity and Access Management (IAM) 
   • Key concepts, practices, and challenges 
   • Differences between cloud and traditional IAM 
   • Layers of permissions and configurations 
   • IAM policies, reports, access analyzers, and best practices 
   • IAM audit considerations 
8. Application Programming Interfaces (APIs) 
   • Characteristics, and uses 
   • API security and management 
   • API risks, audit questions and key considerations 
9. Zero Trust 
   • The Zero Trust Model, and differences from traditional network security models  
   • Zero trust goals, threats, and architecture 
   • Risk management  
   • Success factors for zero trust implementations 
   • Audit considerations 
10. Shared Responsibility Model 
    • Key considerations and link to vendors 
    • Security requirements, tasks and ways to build and maintain secure applications 
11. Business Continuity/Disaster Recovery (BC/DR) 
    • Important data recovery requirements, practices and controls 
    • Data back-up and restore strategies 
    • Recovery and continuity strategy options 
    • Disaster Recovery as a Service (DRaaS) 
12. Software Development Environment 
    • Software release management 
    • System Development Life Cycle (SDLC): Traditional, Agile,  
    • Key tasks, roles and responsibilities 
    • DevSecOps, tools, and automation 
    • Key risks, controls, and audit considerations 
13. Key Technology: Microservices and Containers 
    • Microservice definition, characteristics, and architecture 
    • Type classification 
    • Containers: Characteristics, benefits, stacking, and security considerations  
    • Audit considerations 
14. Infrastructure as Code (IaC) 
    • Key concepts and best practices 
    • Common challenges and tools  
    • Automation and testing considerations 
15. Software Trends 
    • Current trends in software development 
    • Pipeline: Continuous Integration (CI), Continuous Delivery (CD) and Continuous Deployment (CD) 
    • Version control, configuration management, and monitoring 
    • Key risks and controls in the automated process 
16. Software Development Audit Considerations 
    • Common audit considerations for software development 
    • Auditing DevSecOps methodology, access control, and automation 
    • Key controls and testing practices 
17. Cloud Enables Digital Transformation in Financial Services 
    • Digitization vs digital transformation 
    • Evolution from robotic process automation (RPA) to artificial intelligence (AI) 
    • AI maturity model 
    • AI data inputs, challenges, and key audit considerations 
18. Cloud Security 
    • Key security concerns and survey results 
    • Ways to meet security needs and address challenges 
    • Best practices and pillars of data security 
    • Vendor offerings: Security as a service (SECaaS) and vulnerability management as a service 
    • Encryption 
19. Cloud Access Security Brokers (CASBs) 
    • Definitions, capabilities, and considerations 
    • Risk implications while preparing a risk assessment 
20. Cloud Migration 
    • Challenges of cloud application deployments 
    • Cloud readiness assessment and migration strategy evaluation criteria 
    • Best practices for cloud migration 
21. Incident Response (IR) in the Cloud 
    • Policies, roles, communications, and contracted responsibilities 
    • Chain of custody, response times, legal and forensic implications 
    • Incident response frameworks and recommended practices 
    • Audit considerations for various service models 
22. Cloud Risks 
    • Analyst’s reports 
    • Key regulatory requirements 
    • Threat modeling, risk categories, risk management, and audit considerations 
23. Cloud Governance 
    • Goals of IT governance and link to risk management 
    • Key guidance, requirements and best practices 
    • Governance challenges 
24. Due Diligence 
    • The review of internal processes before a cloud decision 
    • Essential due diligence resources and steps 
25. Contracts/Service Level Agreements (SLAs) 
    • Contractual considerations and key terms 
    • Best practices for SLAs 
26. Cyber Liability Insurance 
    • Market reports and analysis 
    • Common reasons for cyber liability insurance claim denials 
    • Audit considerations 
27. Audit and Assurance 
    • Objectives and scope of cloud audits 
    • Common audit challenges, issues, and recommendations 
    • Top governance and operations controls 
    • Review of key examination areas