Cloud computing is a rapidly growing phenomenon that is being
evaluated by companies of all sizes. Though it has many
positives, much of corporate America is not yet ready to accept
migrating major applications to the cloud until
concerns about security, privacy, and reliability are addressed.
One of the primary ways that cloud providers address these
concerns is via a SAS70 audit, in which an external third party
(a CPA) comments on the strength of internal controls based upon
identified objectives.
In the past, many business leaders used a “check the box”
mentality when it came to asking whether a vendor had a SAS70. While
this may have been an expedient way to proceed, companies need
to understand what is addressed in a SAS70, especially if they
have any regulatory and compliance obligations around areas such as
PCI, SOX, HIPAA, GLBA, and the Bank Secrecy Act. Companies need
to realize that it is the service provider who defines the
objectives to be covered in the SAS70; the CPA then issues
SAS70 comments on the strength of the internal controls relating
to those defined objectives. CPAs examine evidence that the
defined controls adequately mitigate the risk of not meeting the
objectives, and that the evidence provides reasonable assurance that
the controls are operating effectively. It is the responsibility
of the companies using the service provider’s cloud offering to
ensure that the SAS70 meets their business objectives.
Ray Clinebelle, Audit Partner of Cherry, Bekaert &
Holland, L.L.P., states: “The SAS70 user comments need to be based
upon objectives covering general and application areas of services
provided. For most cloud computing offerings, the services will be
canned and potentially not as selective as we customarily may
evaluate. As an external auditor, I’d like to see an objective such
as: ability to prove transactions and data operated in a controlled
environment met any regulatory requirements at the time of the
transaction, to mitigate risks for my audit clients using ‘cloud
computing’.”
When asked about other potential objectives that might be
applicable, Ray indicated: “Controls provide reasonable assurance
that fee schedules are established in accordance with customer
contracts and that fees applied to customer accounts are in
agreement with contract rates.”
These objectives certainly seem reasonable but may in fact be a
nightmare for some service providers. Since the cloud is
relatively immature, some components do not supply logs that can
offer the proof needed to satisfy objectives like those
identified above. In addition, there are a number of different
network, storage, and processing vendors that may be operating
in the cloud used by a company, each with its own format
and way of supplying this information. Even assuming all the cloud
components supply sufficient log information, tying that
information back to a specific customer or request for service
may ultimately be a challenge for any cloud provider. Add to
this the fact that the industry is rapidly changing, with new
vendors and new services appearing weekly, and one can appreciate
the challenges being faced by cloud providers and the risks faced
by the customers of these providers.
Since many of the companies offering cloud services are
also Internet data center companies that have already achieved
SAS70, PCI or ISO 27001 accreditation, customers can be
reasonably confident that their data centers are secure. Proving
that the cloud services delivered within the SAS70 data
center meet all of a customer’s compliance requirements is a
more daunting challenge. Auditors may require extra scrutiny of
controls and testing, as well as proof that bills
accurately reflect actual usage during any given month.
Microsoft is a good example of a company that has gone the extra
mile to meet customers’ concerns. It has been able to earn the ISO
27001:2005 accreditation and SAS70 Type I and Type II
attestations for its cloud infrastructure. The ISO
certification covers the management processes put in place to
address information security concerns, and the SAS70 covers the
cloud computing services that Microsoft offers. It
is assumed that their software is included in these
certifications, but that is not known for sure.
To date, most of the SAS70 and other regulatory audits have dealt
with the infrastructure side of “the cloud”. There is another
component of the cloud that must be addressed, however: software.
Many software providers today are offering solutions such as
“Software as a Service” (SaaS). When they do this, they
typically depend on an “infrastructure cloud” to handle the
storage, network and computing portions of their solution. When
these companies claim they have a SAS70, they are sometimes
referring to the infrastructure partner’s SAS70. In reality, the
infrastructure partner’s SAS70 does not necessarily cover the
application security, change management, and backup and recovery
controls required by most regulations.
So is cloud computing fully auditable, and does it meet compliance
requirements? The answer is that it can be, depending on your
provider’s environment. It will be your responsibility to find out
whether your “personal cloud” meets your business and compliance
requirements. Make sure your vendor’s SAS70 objectives meet your
compliance and business needs. Having the service provider’s SAS70
identify which regulatory initiatives are included as objectives
will make that easier.
About Visage Solutions –
www.VisageSolutions.com
Visage Solutions is a consulting company operating in the areas
of regulatory compliance, risk assessment, information security,
risk management and compliance processes. Utilizing its
proprietary SingleVue™ and OpsAudit™ methodologies, the company
focuses on assisting business entities in mitigating operational
risk. Visage has provided solutions to a client base ranging
from private, entrepreneurial companies to large multinationals.
Our team is comprised of experienced executives, managers and
consultants who can assist clients with the development,
implementation and execution of their risk management and
compliance strategy.
About our guest co-author - Don Clow