Hello All,
For organizations that only use a private cloud, how should auditors be thinking about the shared responsibility model? Obviously the services that are being offered are important to consider, but does the scope change between private cloud and on-prem?
The CCM and the CAIQ do not appear to directly consider cloud service deployment models (e.g., public, private, hybrid, community). For public, hybrid, and community models this doesn't seem to have much impact, however for the private cloud service deployment model (with no third party cloud service provider) is it reasonable to consider private cloud and on-prem as the same thing?
In a private cloud, the organization likely owns/controls all of the infrastructure much like on-prem. Does this mean the scope of auditing activities should include all questions from the CAIQ, or does a truly private cloud essentially create an environment of on-prem infrastructure that could be audited using a traditional scoping method? I realize the focus on cloud controls in the CAIQ is based firmly in traditional auditing, however I wonder if having a private cloud is really all that different from being on-prem? If it's different, how is it it different? How does the difference impact the scope of an audit?
I'm also interested in the CSA's scoping guidance for private clouds when a STAR assessment is performed.
Thoughts?
------------------------------
Daniel Downs
------------------------------