Part II – Compliance: A cloud services pitfall disguised as the solution

I kicked off this series about compliance and the cloud with a piece about the false comfort of data center audits. In my next two posts, I’m going to drill down into the most common “solution” offered by today’s cloud vendors — a SAS 70 audit from the data center provider.

To start, it’s important to note that cloud vendors typically buy space within a data center that is owned by a third party. As part of the cost, the owner of the data center will often provide a “free” SAS 70 audit report. This allows them to lower their cost of entry into the cloud market, focus immediately on selling new business and lobby for press coverage about their commitment to compliance, as evidenced by their SAS 70 designation.

Unfortunately, a SAS 70 audit that only covers the data center aligns quite poorly with the customer’s needs. It doesn’t fully address ANY of the three areas we defined in my last piece. As a result, my advice is to seek out cloud vendors that offer their own audit report. I also recommend giving strong preference to prescriptive audit standards that are explicitly targeted toward information technology systems and processes, such as SysTrust® and ISO 27000.

Joe’s Sub Shop
I certainly don’t expect you to just take my word for it. I need to make my case. But it can be difficult to explain the problems customers are typically confronted with when selecting a cloud vendor that relies exclusively on a SAS 70 data center audit without devolving into an endless barrage of auditor jargon. So, let’s try using an analogy that we can all relate to… eating at the local sub sandwich shop.

You pull into the parking lot, passing several other storefronts within the strip mall. The best places are always tucked away in the back, and Joe’s Sub Shop is no exception.

You enter the store and walk up to the counter to place your order. The menu is huge, but easily read on the big chalkboard over the counter.

“I’ll take the roast beef sandwich. Ooh. I see that has onions on it. Yuck!! Hold the onions, please!”

Your order is placed and your money is taken. You wait anxiously as a second employee prepares your sandwich right in front of you. He wears those plastic gloves, a hairnet and a hat to help ensure that the sandwich is safe to eat, which is reassuring.

In this scenario, the cloud vendor’s audit is sort of like those plastic gloves and hairnets. It ensures the people who are actively handling your data are doing so in a responsible manner based on a set of commonly accepted standards.

Similarly, a prescriptive IT audit standard like SysTrust is kind of like the menu at the sub shop. It allows you to know exactly what your company is receiving from the cloud vendor and allows you to customize your order if needed.

If you have any questions or concerns about what is or is not covered by the vendor’s compliance program, you can go read the audit criteria yourself, and it will tell you exactly what standards the vendor has demonstrated they conform to.

In part three of this series, I’ll expand on my analogy and get into the trouble with SAS 70.

Justin Alexander