When it comes to auditors and your organization’s use of cloud services, there is no “if,” only “when.” If you have not explored what cloud services your people are using, or where your business data are kept in the cloud, you will lose points on your next audit. Or you may fail.
Two years ago when we launched Netskope, CIOs told us “We’re not in the cloud,” and auditors told us “The cloud is not part of our audit.” Today, one-third of our business pipeline is made up of inbound requests and there is a steady stream of cloud access security broker (CASB)-specific RFPs. Many of those are driven by failed (or near-failed) security audits.
What are auditors asking about your cloud security regimen? In other words, what answers do you need to have in your back pocket? Here are five.
- Do you maintain an inventory of cloud services? Where is it and how often is it updated? The average number is 755 per enterprise at last count, and only about one-tenth are known to IT. Getting (and maintaining) this list is critical and foundational to anything else you do.
- Do you have a cloud service vendor assurance process that includes criteria like data center and software certifications as well as inherent audit capabilities, authentication support, and cloud data security? Does the entire organization adh