After all, you're trusting them with highly sensitive data and business-critical processes. Your entire business may rest on your ability to evaluate their level of security.
When they make claims about their nearly absolute level of safety, should you just... take their word for it?
"Goodness no," say the vendors, "we've got a third-party certification to back up our claims." Specifically, they point to their SAS 70 certification. SAS 70 (Statement on Auditing Standards No. 70) is an auditing standard for reporting on the controls a service organization has in place over the data and processes it handles for its clients. It was created by the impressively-named American Institute of Certified Public Accountants (those folks know how to fill out forms). SAS 70 was around before cloud computing, and has been shoehorned into use by vendors seeking an impartial third-party credential to reassure nervous cloud customers. Strictly speaking, it is not a certification at all but an auditor's report on whatever controls the vendor chose to put in scope, which is the point the rest of this piece turns on.
But here's where it gets dubious. Guess who writes a check to the SAS 70 certifiers? Believe it or not, it's the vendors themselves. If you were a cynical, non-trusting type (which you should be if your company's data is at stake) you might wonder: isn't that a conflict of interest? Don't accounting firms have a vested interest in granting SAS 70 certifications to those cloud computing vendors who can pay for them?
Hmmm, as a client of a cloud vendor, I'm feeling nervous. But SAS 70 really does mean something, doesn't it? Well, probably.
More troubling, at this point you might have a moment of déjà vu. Wasn't a similar conflict of interest at the heart of the recent financial meltdown?
In the view of Jay Heiser, a Gartner analyst who specializes in security, the connection is clear. He's the author of the research report "Analyzing the Risk Dimensions of Cloud and SaaS Computing." After reading Michael Lewis's account of the financial debacle, The Big Short, Heiser told me, "I found more parallels between what happened in the financial services and cloud computing than I anticipated."
Let's rewind the tape a bit. A distressing fact about the Crash of 2008 is that the major credit rating agencies, the very groups tasked with protecting investors, were tacitly complicit.
The two biggest ratings agencies, Moody's and Standard & Poor's, failed to send up red flags about subprime mortgage-backed securities. These supposedly impartial watchdogs evaluate the creditworthiness of securities, enabling investors to make informed decisions. Yet instead of labeling junk as junk, they bestowed a top AAA grade on highly risky assets.
Shockingly, virtually all of the AAA-rated subprime-mortgage-backed securities issued in 2006 have now been downgraded to a junk rating.
It was a clear conflict of interest. These ratings agencies are paid by the issuer of the security. So perhaps it's not surprising that they labeled some rotting sausage as high-grade beef. If one of the agencies had threatened to give a low (but accurate) rating, the issuer would simply shop at another ratings agency. The system itself was set up to provide false assurance.
Now back to cloud computing and SAS 70. Okay, let me get this straight: so the cloud companies pay accounting firms for SAS 70 certifications just as the financial organizations paid Moody's for an investment-grade rating?
"Yes, if you see someone who claims to be SAS 70, they have paid an accounting firm. Not only have they paid an accounting firm to go do the test, but they've told the accounting firm what processes need to be tested," Heiser says.
"And you see a distressing number of providers that are claiming, 'Well, we're secure,' or 'we have availability; it's proven by the fact that we have a SAS 70.'"
This statement echoes a key finding that Heiser noted in his report:
"Third-party certifications are immature, are unable to address all aspects of cloud-computing risk, and should be relied on only after a thorough evaluation of the written report."