As companies consider adopting cloud computing services, they often seek to understand the cloud provider’s internal IT and security controls. This is particularly relevant when the applicable systems or applications handle sensitive data or are subject to contractual, regulatory or other compliance commitments. Unfortunately, companies often place too much trust in the mere existence of the cloud provider’s SAS 70 report.
Gartner released a report titled SAS 70 Is Not Proof of Security, Continuity or Privacy Compliance. According to its summary,
"The SAS 70 auditing report is widely misused by service providers that find it convenient to mischaracterize the program as being a form of security certification. Gartner considers this to be a deceptive and harmful practice."
The major finding of the report, as described by Chris Schellman of SAS 70 Solutions Inc, is that “the SAS 70 audit is not a security or compliance audit and does not result in a certification.”
Why is that? Statement on Auditing Standards (SAS) number 70 was established by the American Institute of Certified Public Accountants (AICPA) to describe how Certified Public Accountants (CPAs) should conduct audits. Its intended use was to review financial systems, for instance in the context of Sarbanes-Oxley Act (SOX) reporting. As Gartner’s French Caldwell put it, “SAS 70 is not a security, continuity or privacy compliance standard.” Gartner’s Jay Heiser further clarifies,
"The only thing that can conclusively be said about having a SAS 70 Type II attestation is that an auditing firm has agreed that the service provider is effectively performing those controls that they paid the auditing firm to evaluate."
This implies that the mere existence of a SAS 70 Type II attestation is useful, but not sufficient to provide an assurance of the cloud provider’s security controls relevant to a particular customer. The provider’s customer needs to understand what controls were included in the audit’s scope, and should confirm that these controls match the customer’s needs.
Unfortunately, according to a blog posting by Justin Alexander, AICPA’s guidelines state that the provider’s SAS 70 report can only be shared with existing customers. This makes its contents unavailable to prospective customers.
What options besides—or, rather, in addition to—SAS 70 might be useful to prospective cloud customers?
- One possibility is AICPA-sponsored SysTrust, which prescribes a specific set of controls that must be evaluated by the auditor. They are called “Trust Services Principles, Criteria and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy” and can be downloaded in a PDF form.
- Another option is the familiar ISO/IEC 27001 certification. However, recognize that 27001 provides some flexibility regarding which specific controls—many of which are listed in ISO/IEC 27002—to define as part of the information security management system (ISMS).
- AICPA recommends that auditors use “AT section 101, Attest Engagements (AICPA, Professional Standards, vol. 1),” for reporting on controls over subject matter other than financial reporting, instead of SAS 70. However, like SAS 70, AT section 101 does not offer prescriptive security advice, nor does it define a set of expected controls; instead, it defines audit guidelines for CPAs.
- If you are not in a position to use a formal framework beyond SAS 70, presenting the cloud provider with specific questions about controls may be sufficient. Your organization might have already developed such questionnaires. If not, one option is the Standardized Information Gathering (SIG) Questionnaire, made freely available by the BITS Shared Assessments program. According to BITS, “Outsourcers use the SIG as a default questionnaire to streamline vendor assessments. For vendors, the SIG provides a repeatable response to proprietary questionnaires from clients.”
Cloud security attestation is an area that will probably see much discussion as more companies consider adopting cloud computing.