Audit and Security for Cloud-Based Services - ASN305


This course covers the common architecture of cloud computing and examines the security and controls of SaaS, PaaS, and IaaS. It also covers the deficiencies that exist in cloud-based services and how Security-as-a-Service can be helpful.


NASBA Certified CPE

16 Credits


Why you should take this course

You should attend because, as organizations continue to leverage cloud computing, they are exposed to many risks. Auditors must know about these challenges, how to verify the security of their clients, and the best practices to recommend.

Who should take this course

Operational, Business Application, Information Technology, and External Auditors; Audit Managers and Directors; Information Security professionals.

What you'll learn

You will learn about the current state of cloud computing, its common architecture, and the major services provided in the market. You will also learn how to use SaaS as a way to protect against security and control deficiencies.


  • A working knowledge of operating system security, networking concepts, and associated logical access controls, Network Security Essentials (ASG203)
  • Intermediate Audit School (ITG241), or equivalent experience.

Understanding Corporate Culture:

  • the SPI Cloud Computing Model
  • cloud network models
  • key drivers for moving towards cloud-based services

Software as a Service (SaaS):

  • key enterprise applications
  • the SaaS transaction model(s)
  • SaaS security and audit concerns

Platform as a Service (PaaS):

  • major development providers/platforms
  • PaaS security and audit concerns

Infrastructure as a Service (IaaS):

  • host security in the cloud
  • network security in the cloud
  • data storage/SAN in a cloud IaaS environment
  • cloud bursting
  • IaaS security and audit concerns

Brokered Cloud Services:

  • cloud aggregators
  • cloud brokers
  • cloud management service portals

Security as a Service:

  • identity management as a service
  • security event monitoring/IDS as a service
  • vulnerability management as a service
  • data leakage prevention as a service/Web filtering, e-mail filtering

Cloud-Based Security Standards and Dependencies:

  • directories and identity management
  • federated identities
  • emerging security standards: SPML, XACML, OAuth, OpenID, others

Governance in a Cloud Services Environment:

  • key performance indicators
  • audit trails for cloud-based services
  • service level agreements, licensing
  • legal complexities: data privacy, globalization, trans-border constraints
  • third-party assessments and certifications: SAS70, ISO 27001

Disaster Recovery in a Cloud-Based Environment:

  • SPI HA architectures
  • virtualized environments and their impact on disaster recovery
  • updating and testing disaster recovery plans

Cloud Security and Audit:

  • key risks and audit concerns
  • identifying key controls and mitigations
  • cloud-based risk analysis models: ENISA, NIST, CSA
  • security best-practices models for cloud-based services
  • audit techniques and tests in a cloud-based environment

ACI Learning is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: