To be fair, a SAS 70 is likely more than a mere piece of paper. It may prove more than the fact that the vendor has the money to hire an accounting firm. Perhaps it should be thought of as a good starting point. Still, the responsibility remains squarely on the client to evaluate the SAS 70s written report and make their own determination. Were the right controls included? Were they evaluated to the appropriate degree?
In other words, buyer beware. You have to do your own digging. From Heisers report:
Do not accept the claimed existence of a certification or other third-party assessment as being adequate proof of security and continuity fitness for purpose. Thoroughly review the assessor's written report to ensure that the scope of evaluation is adequate, and that all necessary processes and technologies were appropriately addressed.
An additional question bedevils the debate over cloud security: Is SAS 70 even if administered by an impartial third party (which its not) an insightful evaluation of a cloud computing vendors security?
SAS 70 was never designed for this use, though in theory it could address an IT risk scenario. Call me a cynic, but SAS 70 is an auditing standard originally intended to be used against processes relevant to financial statements, secondarily to financial transactions, Heiser says.
So the thing starts very, very far away from anything that would traditionally be considered an information security or a business availability assessment. Its done by accounting firms.
A common perception of the financial evaluators involved with false credit ratings is that they were not the cream of the Wall Street elite. Those brighter talents were pursing vastly more remunerative activities.
In contrast, I would expect that whoever is doing a SAS 70 is a fairly ambitious [staffer] at a CPA firm, Heiser says. Still, are they auditors? IT? Did they go to Purdue and get a Masters degree in Information Security? Whats their background for all this?
The moral of this cautionary tale is best summed up with a last key finding from the Gartner report:
Be skeptical of vendor claims, and demand written or in-person evidence.
The Many Dangers of Cloud Computing (Interview with Heiser in 2008.)
Cloud Security Alliance
An organization, supported by vendors of all sizes and persuasions, working to promote "The use of best practices for providing security assurance within Cloud Computing.
ENISAs Cloud Computing Risk Assessment
From the EU-based security organization: This is an in-depth and independent analysis that outlines some of the information security benefits and key security risks of cloud computing.