How Cloud Computing Security Resembles the Financial Meltdown

Just as financial organizations paid rating agencies for an investment grade credit rating (on what later turned out to be junk), cloud computing vendors pay accounting firms for a SAS 70 security rating. Should customers be worried?
(Page 1 of 2)

How do you know if a cloud computing vendor is secure?

After all, you’re trusting them with highly sensitive data and business critical processes. Your entire business may rest on your ability to evaluate their level of security.

When they make claims about their nearly absolute level of safety, should you just...take their word for it?

Goodness no, say the vendors, we’ve got a third-party certification to back up our claims. Specifically, they point to their SAS 70 certification. SAS 70 (Statement on Auditing Standards No. 70) is an auditing standard for reporting on a service organization’s internal controls. It was written so that a customer’s financial auditors could rely on those controls; it is not a security standard, and strictly speaking it yields an audit report on controls the vendor itself selected, not a pass/fail certificate. It was created by the impressively-named American Institute of Certified Public Accountants (those folks know how to fill out forms). SAS 70 was around before cloud computing, and has been shoehorned into use by vendors seeking an impartial third-party credential to reassure nervous cloud customers.

But here’s where it gets dubious. Guess who writes a check to the SAS 70 certifiers? Believe it or not, it’s the vendors themselves. If you were a cynical, non-trusting type (which you should be if your company’s data is at stake) you might wonder…isn’t that a conflict of interest? Don’t accounting firms have a vested interest in granting SAS 70 certifications to those cloud computing vendors who can pay for them?

Hmmm…as a client of a cloud vendor, I’m feeling nervous. But SAS 70 really does mean something, doesn’t it? Well…probably.

More troubling, at this point you might have a moment of déjà vu. Wasn’t a similar conflict of interest at the heart of the recent financial meltdown?

In the view of Jay Heiser, a Gartner analyst who specializes in security, the connection is clear. He’s the author of the research report Analyzing the Risk Dimensions of Cloud and SaaS Computing. After reading Michael Lewis’s account of the financial debacle, The Big Short, Heiser told me, “I found more parallels between what happened in the financial services and cloud computing than I anticipated.”

Let’s rewind the tape a bit. A distressing fact about the Crash of 2008 is that the major credit rating agencies – the very groups tasked with protecting investors – were tacitly complicit.

The two biggest ratings agencies, Moody's and Standard & Poor's, failed to send up red flags about subprime mortgage-backed securities. These supposedly impartial watchdogs evaluate the creditworthiness of securities, enabling investors to make informed decisions. Yet instead of labeling junk as junk, they bestowed a top AAA grade on highly risky assets.

Shockingly, virtually all of the AAA-rated subprime-mortgage-backed securities issued in 2006 have now been downgraded to a junk rating.

It was a clear conflict of interest. These ratings agencies are paid by the issuer of the security. So perhaps it’s not surprising that they labeled some rotting sausage as high-grade beef. If one of the agencies had threatened to give a low (but accurate) rating, the issuer would simply shop at another ratings agency. The system itself was set up to provide false assurance.

Now back to cloud computing and SAS 70. Okay, let me get this straight: So the cloud companies pay accounting firms for SAS 70 certifications just as the financial organizations paid Moody’s for an investment-grade rating?

“Yes, if you see someone who claims to be SAS 70, they have paid an accounting firm. Not only have they paid an accounting firm to go do the test, but they’ve told the accounting firm what processes need to be tested,” Heiser says.

“And you see a distressing number of providers that are claiming, ‘Well, we’re secure, or we have availability – it’s proven by the fact that we have a SAS 70.’”

This statement echoes a key finding that Heiser noted in his report:

Third-party certifications are immature, are unable to address all aspects of cloud-computing risk, and should be relied on only after a thorough evaluation of the written report.


Tags: cloud computing, security, SaaS, cloud security, cloud computing contract
