After all, you’re trusting them with highly sensitive data and business critical processes. Your entire business may rest on your ability to evaluate their level of security.
When they make claims about their nearly absolute level of safety, should you just…take their word for it?
Goodness no, say the vendors, we’ve got a third party certification to back up our claims. Specifically, they point to their SAS 70 certification. SAS 70 is a set of auditing standards used to measure the handling of sensitive information. It was created by the impressively-named American Institute of Certified Public Accountants (those folks know how to fill out forms). SAS 70 was around before cloud computing, and has been shoehorned into use by vendors seeking an impartial third party credential to reassure nervous cloud customers.
But here’s where it gets dubious. Guess who writes a check to the SAS 70 certifiers? Believe it or not, it’s the vendors themselves. If you were a cynical, non-trusting type (which you should be if your company’s data is at stake) you might wonder…isn’t that a conflict of interest? Don’t accounting firms have a vested interest in granting SAS 70 certifications to those cloud computing vendors who can pay for them?
Hmmm…as a client of a cloud vendor, I’m feeling nervous. But SAS 70 really does mean something, doesn’t it? Well…probably.
More troubling, at this point you might have a moment of déjà vu. Wasn’t a similar conflict of interest at the heart of the recent financial meltdown?
In the view of Jay Heiser, a Gartner analyst who specializes in security, the connection is clear. He’s the author of the research report Analyzing the Risk Dimensions of Cloud and SaaS Computing. After reading Michael Lewis’s account of the financial debacle, The Big Short, Heiser told me, “I found more parallels between what happened in the financial services and cloud computing than I anticipated.”
Let’s rewind the tape a bit. A distressing fact about the Crash of 2008 is that the major credit rating agencies – the very groups tasked with protecting investors – were tacitly complicit.
The two biggest ratings agencies, Moody’s and Standard & Poor’s, failed to send up red flags about subprime mortgage-backed securities. These supposedly impartial watchdogs evaluate the creditworthiness of securities, enabling investors to make informed decisions. Yet instead of labeling junk as junk, they bestowed a top AAA grade on highly risky assets.
Shockingly, virtually all of the AAA-rated subprime-mortgage-backed securities issued in 2006 have now been downgraded to a junk rating.
It was a clear conflict of interest. These ratings agencies are paid by the issuer of the security. So perhaps it’s not surprising that they labeled some rotting sausage as high-grade beef. If one of the agencies had threatened to give a low (but accurate) rating, the issuer would simply shop at another ratings agency. The system itself was set up to provide false assurance.
Now back to cloud computing and SAS 70. Okay, let me get this straight: So the cloud companies pay accounting firms for SAS 70 certifications just as the financial organizations paid Moody’s for an investment-grade rating?
“Yes, if you see someone who claims to be SAS 70, they have paid an accounting firm. Not only have they paid an accounting firm to go do the test, but they’ve told the accounting firm what processes need to be tested,” Heiser says.
“And you see a distressing number of providers that are claiming, ‘Well, we’re secure, or we have availability – it’s proven by the fact that we have a SAS 70.’”
This statement echoes a key finding that Heiser noted in his report:
Third-party certifications are immature, are unable to address all aspects of cloud-computing risk, and should be relied on only after a thorough evaluation of the written report.
To be fair, a SAS 70 is likely more than a mere piece of paper. It may prove more than the fact that the vendor has the money to hire an accounting firm. Perhaps it should be thought of as a good starting point. Still, the responsibility remains squarely on the client to evaluate the SAS 70’s written report and make their own determination. Were the right controls included? Were they evaluated to the appropriate degree?
In other words, buyer beware. You have to do your own digging. From Heiser’s report:
Do not accept the claimed existence of a certification or other third-party assessment as being adequate proof of security and continuity fitness for purpose. Thoroughly review the assessor’s written report to ensure that the scope of evaluation is adequate, and that all necessary processes and technologies were appropriately addressed.
An additional question bedevils the debate over cloud security: Is SAS 70 – even if administered by an impartial third party (which it’s not) – an insightful evaluation of a cloud computing vendor’s security?
SAS 70 was never designed for this use, though in theory it could address an IT risk scenario. “Call me a cynic, but SAS 70 is an auditing standard originally intended to be used against processes relevant to financial statements, secondarily to financial transactions,” Heiser says.
“So the thing starts very, very far away from anything that would traditionally be considered an information security or a business availability assessment. It’s done by accounting firms.”
A common perception of the financial evaluators involved with false credit ratings is that they were not the cream of the Wall Street elite. Those brighter talents were pursuing vastly more remunerative activities.
In contrast, “I would expect that whoever is doing a SAS 70 is a fairly ambitious [staffer] at a CPA firm,” Heiser says. “Still, are they auditors? IT? Did they go to Purdue and get a Master’s degree in Information Security? What’s their background for all this?”
The moral of this cautionary tale is best summed up with a last key finding from the Gartner report:
Be skeptical of vendor claims, and demand written or in-person evidence.
Jay Heiser’s Blog, featuring the post The Emperor’s New Cloud.
The Many Dangers of Cloud Computing (Interview with Heiser in 2008.)
Cloud Security Alliance
An organization, supported by vendors of all sizes and persuasions, working to promote “The use of best practices for providing security assurance within Cloud Computing.”
ENISA’s Cloud Computing Risk Assessment
From the EU-based security organization: “This is an in-depth and independent analysis that outlines some of the information security benefits and key security risks of cloud computing.”