Most large organizations are using Microsoft's Azure cloud computing services in one form or another. Indeed, Microsoft claims more than 95% of Fortune 500 companies use Azure. Among other things, Azure supports data analytics, data warehousing, DevOps, storage, virtual desktops, and fully managed infrastructures. Additionally, organizations can integrate the services within Azure into a corporate network in the same way traditional data centers are connected.
Yet, despite Azure's pervasiveness, many organizations don't fully understand the effects the platform may have on daily operations and personnel, or the potential security implications. Azure's services can introduce security and data privacy risks such as inappropriate administrative access, less clarity on role-based access permissions, or inappropriate remote access. For instance, in May 2019, Azure suffered a global outage caused by a domain name system configuration issue, according to Build5Nines.com, which covers cloud technology.
Internal audit can assist the organization in identifying the risks introduced with cloud computing. Partnering with the organization's business units, understanding the technologies, and providing a systematic approach can help to remedy those risks.
When auditing Azure, internal auditors should begin by obtaining an inventory of all Azure services in use by the organization. If an inventory does not exist, internal audit can help build one. Auditors can use native reports within Azure or custom scripts to export inventory data from the system.
Next, auditors should understand how these services are implemented, as well as IT's control environment or processes related to cloud services. Are there documented procedures for administering the environment? Is formal change management used in all aspects of the cloud such as networking, storage, maintenance, and provisioning?
For example, with database platform as a service, auditors should understand the database platforms and how they are configured and secured. The organization may set up its own servers in an Azure virtual environment or use Microsoft's Azure SQL server. Each method poses unique audit considerations that need to be investigated.
A third step is performing a risk analysis to determine the risks associated with each of the services and their pervasiveness. Auditors should be aware of how moving these services out of traditional data centers impacts connectivity...