After all, you're trusting them with highly sensitive data and business-critical processes. Your entire business may rest on your ability to evaluate their level of security.
When they make claims about their nearly absolute level of safety, should you just... take their word for it?
"Goodness no," say the vendors, "we've got a third-party certification to back up our claims." Specifically, they point to their SAS 70 certification. SAS 70 is a set of auditing standards used to measure the handling of sensitive information. It was created by the impressively named American Institute of Certified Public Accountants (those folks know how to fill out forms). SAS 70 was around before cloud computing, and has been shoehorned into use by vendors seeking an impartial third-party credential to reassure nervous cloud customers.
Hmmm, as a client of a cloud vendor, I'm feeling nervous. But SAS 70 really does mean something, doesn't it? Well, probably.
More troubling, at this point you might have a moment of déjà vu. Wasn't a similar conflict of interest at the heart of the recent financial meltdown?
In the view of Jay Heiser, a Gartner analyst who specializes in security, the connection is clear. He's the author of the research report "Analyzing the Risk Dimensions of Cloud and SaaS Computing." After reading Michael Lewis's account of the financial debacle, The Big Short, Heiser told me, "I found more parallels between what happened in the financial services and cloud computing than I anticipated."
Let's rewind the tape a bit. A distressing fact about the Crash of 2008 is that the major credit rating agencies, the very groups tasked with protecting investors, were tacitly complicit.
The two biggest ratings agencies, Moody's and Standard & Poor's, failed to send up red flags about subprime mortgage-backed securities. These supposedly impartial watchdogs evaluate the creditworthiness of securities, enabling investors to make informed decisions. Yet instead of labeling junk as junk, they bestowed a top AAA grade on highly risky assets.
Shockingly, virtually all of the AAA-rated subprime-mortgage-backed securities issued in 2006 have now been downgraded to a junk rating.
It was a clear conflict of interest. These ratings agencies are paid by the issuer of the security. So perhaps it's not surprising that they labeled some rotting sausage as high-grade beef. If one of the agencies had threatened to give a low (but accurate) rating, the issuer would simply shop at another ratings agency. The system itself was set up to provide false assurance.
Now back to cloud computing and SAS 70. Okay, let me get this straight: So the cloud companies pay accounting firms for SAS 70 certifications, just as the financial organizations paid Moody's for an investment-grade rating?
"Yes, if you see someone who claims to be SAS 70, they have paid an accounting firm. Not only have they paid an accounting firm to go do the test, but they've told the accounting firm what processes need to be tested," Heiser says.
"And you see a distressing number of providers that are claiming, 'Well, we're secure,' or 'we have availability,' and it's proven by the fact that we have a SAS 70."
This statement echoes a key finding that Heiser noted in his report:
Third-party certifications are immature, are unable to address all aspects of cloud-computing risk, and should be relied on only after a thorough evaluation of the written report.
To be fair, a SAS 70 is likely more than a mere piece of paper. It may prove more than the fact that the vendor has the money to hire an accounting firm. Perhaps it should be thought of as a good starting point. Still, the responsibility remains squarely on the client to evaluate the SAS 70's written report and make their own determination. Were the right controls included? Were they evaluated to the appropriate degree?
In other words, buyer beware. You have to do your own digging. From Heiser's report:
Do not accept the claimed existence of a certification or other third-party assessment as being adequate proof of security and continuity fitness for purpose. Thoroughly review the assessor's written report to ensure that the scope of evaluation is adequate, and that all necessary processes and technologies were appropriately addressed.
But is it IT?
An additional question bedevils the debate over cloud security: Is SAS 70, even if administered by an impartial third party (which it's not), an insightful evaluation of a cloud computing vendor's security?
"SAS 70 was never designed for this use, though in theory it could address an IT risk scenario. Call me a cynic, but SAS 70 is an auditing standard originally intended to be used against processes relevant to financial statements, secondarily to financial transactions," Heiser says.
"So the thing starts very, very far away from anything that would traditionally be considered an information security or a business availability assessment. It's done by accounting firms."
A common perception of the financial evaluators involved with false credit ratings is that they were not the cream of the Wall Street elite. Those brighter talents were pursuing vastly more remunerative activities.
"In contrast, I would expect that whoever is doing a SAS 70 is a fairly ambitious [staffer] at a CPA firm," Heiser says. "Still, are they auditors? IT? Did they go to Purdue and get a Master's degree in Information Security? What's their background for all this?"
The moral of this cautionary tale is best summed up with a last key finding from the Gartner report:
Be skeptical of vendor claims, and demand written or in-person evidence.
Additional cloud computing security resources:
The Many Dangers of Cloud Computing (an interview with Heiser in 2008)
Cloud Security Alliance
An organization, supported by vendors of all sizes and persuasions, working to promote "the use of best practices for providing security assurance within Cloud Computing."
ENISA's Cloud Computing Risk Assessment
From the EU-based security organization: This is an in-depth and independent analysis that outlines some of the information security benefits and key security risks of cloud computing.