The cloud is constantly changing and moves faster than traditional periodic auditing can cover. The solution to this problem is continuous auditing. To make this happen, EU Horizon 2020 funded the innovation program Medina to develop a novel solution hitting the market in 2023. Medina comprises 8 partners – Fraunhofer, Tecnalia, Bosch, Fabasoft, Consiglio Nazionale delle Ricerche (CNR), Hewlett-Packard, XLAB, and Nixu. With continuous audits, we can ensure better overall security than with point-in-time audits. Why and how is that? Let's find out!
The undesired yet sometimes seen alternative to the continuous method can be described as the "Work hard before the audit, forget after completion" method.
With the above approach, auditees do get the certificate, but from the end customer's perspective, this does not always provide the best assurance that the information is secured with consistent and maintained measures.
After completing the initial audit, the auditor's ability to get relevant information, i.e., information that possibly affects the certification status, is limited to getting notifications from auditees (Cloud Service Customer and Cloud Service Provider) or receiving complaints from the market.
Point-in-time audits are therefore characterized by low visibility into any non-conformities between the audits.
With continuous auditing, auditors gain better visibility of the auditee's conformity during the certification cycle.
Utilizing the output of sophisticated Cloud Security Posture Management tools in the audit context as evidence provides new methods to conduct a thorough analysis of the auditee's environment more quickly.
One advantage is up-to-date situational awareness, compared with relying on annual audit meetings to review significant changes and to identify potential non-conformities and associated security risks.
Furthermore, continuous monitoring systems enable more effective evidence collection for surveillance audits – nonconformities are easier to discover, so security improvement actions can be focused on the correct areas.
All this motivates auditors to make the extra effort of taking new technologies and tools into use to improve the auditors' catalog of verification methods.
Audit projects are shifting to a continuous service model due to the need for more interaction between the auditee and auditor. Initial audits and annual surveillance audits are conducted as before in the continuous auditing workflow, while continuous auditing methods provide better visibility into conformity between these audits.
The auditors will be as busy as ever in this new model. If nonconformities are found, the auditor's opinion could be needed to evaluate the level of nonconformity and the feasibility of corrective actions. This is especially true in the case of a major nonconformity where the certificate's status could be changed.
Who are the Target Customers for the Service?
The target customers for continuous audits are Cloud Service Providers (CSP) and Cloud Service Customers (CSC). For CSPs, the audit can be the initial platform audit followed by continuous monitoring.
The CSC can ask for this certified service to verify that the cloud-based service and the cloud service components are secure and that the CSC's own environment can be built on top of it.
The table below shows an example of a CSP Continuous Platform Audit Service:
The table below shows an example of a CSC Continuous Service Audit Service:
The main benefits for the auditees (both for CSP and CSC) from the services above can be summarized as follows:
- Positive effect on the auditee's brand: continuous compliance status can be used in product/service marketing
- Timely detection of nonconformities
- Timely implementation of corrective actions
- Auditee can trust that corrective actions are in line with the requirements
- Auditee's improved security posture and possibility to have continuous improvements implemented.
Tatu Suhonen, Business Manager, Nixu Certification
Jarkko Majava, Senior Auditor, Nixu Certification
Mika Leskinen, Project Manager, Nixu Corporation