How Cloud Computing Security Resembles the Financial Meltdown: Page 2

(Page 2 of 2)

To be fair, a SAS 70 is likely more than a mere piece of paper. It may prove more than the fact that the vendor has the money to hire an accounting firm. Perhaps it should be thought of as a good starting point. Still, the responsibility remains squarely on the client to evaluate the SAS 70’s written report and make their own determination. Were the right controls included? Were they evaluated to the appropriate degree?

In other words, buyer beware. You have to do your own digging. From Heiser’s report:

Do not accept the claimed existence of a certification or other third-party assessment as being adequate proof of security and continuity fitness for purpose. Thoroughly review the assessor's written report to ensure that the scope of evaluation is adequate, and that all necessary processes and technologies were appropriately addressed.

But is it IT?

An additional question bedevils the debate over cloud security: Is SAS 70 – even if administered by an impartial third party (which it’s not) – an insightful evaluation of a cloud computing vendor’s security?

SAS 70 was never designed for this use, though in theory it could address an IT risk scenario. “Call me a cynic, but SAS 70 is an auditing standard originally intended to be used against processes relevant to financial statements, secondarily to financial transactions,” Heiser says.

“So the thing starts very, very far away from anything that would traditionally be considered an information security or a business availability assessment. It’s done by accounting firms.”

A common perception of the financial evaluators involved with false credit ratings is that they were not the cream of the Wall Street elite. Those brighter talents were pursing vastly more remunerative activities.

In contrast, “I would expect that whoever is doing a SAS 70 is a fairly ambitious [staffer] at a CPA firm,” Heiser says. “Still, are they auditors? IT? Did they go to Purdue and get a Master’s degree in Information Security? What’s their background for all this?”

The moral of this cautionary tale is best summed up with a last key finding from the Gartner report:

Be skeptical of vendor claims, and demand written or in-person evidence.

Cloud computing security additional resources:

Jay Heiser’s Blog, featuring the post The Emperor’s New Cloud .

The Many Dangers of Cloud Computing (Interview with Heiser in 2008.)

Cloud Security Alliance
An organization, supported by vendors of all sizes and persuasions, working to promote "The use of best practices for providing security assurance within Cloud Computing.”

ENISA’s Cloud Computing Risk Assessment
From the EU-based security organization: “This is an in-depth and independent analysis that outlines some of the information security benefits and key security risks of cloud computing.”

Page 2 of 2

Previous Page
1 2

Tags: cloud computing, security, SaaS, cloud security, cloud computing contract

0 Comments (click to add your comment)
Comment and Contribute


(Maximum characters: 1200). You have characters left.



IT Management Daily
Don't miss an article. Subscribe to our newsletter below.

By submitting your information, you agree that datamation.com may send you Datamation offers via email, phone and text message, as well as email offers about other products and services that Datamation believes may be of interest to you. Datamation will process your information in accordance with the Quinstreet Privacy Policy.