The Fully Auditable Cloud - Fact or Fiction

Monday, October 12, 2009

Bob Broda


Cloud computing is a rapidly growing phenomena that is being evaluated by companies of all sizes.   Though it has many positives, much of corporate America is not yet ready to accept migrating major applications to the cloud until concerns about security, privacy, and reliability are addressed.

One of the primary ways that cloud providers address these concerns is via a SAS70 audit, where an external third party (CPA) comments on the strengths of internal controls based upon identified objectives. In the past, many Business leaders used a “check the box” mentality when it came to asking if a vendor had a SAS70.  While this may have been an expedient way to proceed, companies need to understand what is addressed in a SAS70, especially if they have any regulatory and compliance issues around things such as PCI, SOX, HIPPA, GLBA, and the Bank Secrecy Act.

Companies need to realize that it is the Service provider who defines the objectives to be covered in the SAS70, with the CPA issuing SAS70 comments on the strength of the internal controls relating to those defined objectives. CPAs examine evidence that the controls defined mitigate the risk of not meeting the objectives adequately and the evidence provides a reasonable assurance that the controls are operating effectively. It is the responsibility of the companies using the Service provider’s cloud offering to ensure that the SAS70 meets their business objectives.

Ray Clinebelle, Audit Partner of Cherry, Bekaert & Holland, L.L.P states “the SAS70 user comments need to be based upon objectives covering general and application areas of services provided.   For most "cloud computing" offerings, the services will be canned and not as selective as we customarily may evaluate   As an external auditor, I’d like to see an objective such as: Ability to prove transactions and data operated in a controlled environment met any regulatory requirements at the time of the transaction, to mitigate risks for my audit clients using "cloud computing”.

When asked about other potential objectives that might be applicable Ray indicated:Controls provide reasonable assurance that fee schedules are established in accordance with customer contracts and that fees applied to customer accounts are in agreement with contract rates.These objectives certainly seem reasonable but may in-fact be a nightmare for some Service providers. Since the cloud is relatively immature, some components do not supply logs that can offer the proof needed to satisfy objectives like those identified above.  

In addition,  there a number of different network, storage, and processing vendors that may be operating in the cloud being used by a company that  have their own format and way of supplying this information. Assuming all the cloud components supply sufficient log information, tying the information back to a specific customer or request for service may ultimately be a challenge for any cloud provider. Add to this the fact that the industry is rapidly changing with new vendors and new services appearing weekly and one can appreciate the challenges being faced by cloud providers and the risks of the customers of these providers.Since many of the companies who are offering cloud services are also Internet Data Center companies who already have achieved SAS70, PCI or ISO27001 accreditation, customers can be reasonably confident that their data centers are secure.

Proving that the cloud services being delivered within the SAS70 data center meets all of a customer’s compliance requirements is a more daunting challenge.   Extra scrutiny on controls and testing may be required by auditors, as will proof that bills accurately reflects actual usage during any month.Microsoft is a good example of a company that has gone the extra mile to meet customers’ concerns.  They have been able to earn the ISO 27001:2005 accreditation and SAS70 Type I and Type II attestations for their cloud infrastructure. The ISO certification is for management processes put in place to address information security concerns, and the SAS70 is for services that Microsoft offers in regard to cloud computing.  It is assumed that their software is included in these certifications, but that is not known for sure.

To date, most of the SAS70 and other regulatory audits have dealt with the infrastructure side of “the cloud”. There is another component of the cloud that must be addressed, however, being software.   Many software providers today are offering solutions such as “Software as a Service” (SaaS). When they do this, they typically depend on an “infrastructure cloud” to handle the storage, network and computing portions of their solution. When these companies claim they have SAS70, they are sometimes referring to the infrastructure partner’s SAS70.

In reality, the SAS70 for the infrastructure partner does not necessarily cover application security, change management, and backup and recovery controls that need to be covered by most regulations. So is Cloud Computing fully auditable and meet compliance requirements? The answer is that it can be depending on your provider’s environment. It will be your responsibility to find out if your “personal cloud” meets your business and compliance requirements.  Make sure your vendor’s SAS70 objectives meet your compliance and business needs. Having the service providers SAS70 identify which regulatory initiatives are included as objectives will make that easier.

Possibly Related Articles:
Cloud Security HIPAA PCI DSS
Information Security Service Provider
Cloud Security SAS70
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.