Posted by: Arian Eigen Heald
Adventures in Auditing, cloud computing, Cloud Security, data security
After a nice vacation in the north woods of Maine, I returned to the excitement of my first “cloud computing” audit event.
In doing a SAS 70 for a client, I discovered that they had outsourced a new application. No news there. When data is hosted by the provider, along with the application, all well and good. The AUDIT part has to do with what data the provider is storing.
This often results in my reading a SAS 70 from the third-party provider verifying that controls are in place over their general environment. The environment should include the systems (i.e., servers, routers, firewalls) that directly store the data along with the application, of course. I’ve read at least one SAS 70 that only tested the office environment, not the production network. That was a finding, needless to say.
The new issue was that the provider is using a “cloud computing” model. OK. I requested policies, procedures, documentation, anything I could get.
I got four documents, all generic. “Your data is secure with us! We use SSL!” I’m trying to dig out the contract for the provider, but that’s not necessarily going to give me anything I need.
If you do a search on Google for cloud computing you get over a million results. When I refined it down to “auditing “cloud computing”” (notice how the quotes eliminate results that match only “cloud” or “computing” rather than the phrase “cloud computing”), the results narrowed to 449,000. Much better.
Problem #1: Every vendor has a slightly different version of what “cloud computing” actually is. That’s marketing, so how do you choose the right vendor? It makes for a tedious review process with no hard parameters.
Problem #2: When they were designing this concept, nobody cared about security. Developers and marketers hate security; it slows down “time to market.” As a result, the concept of securely managing confidential data was never addressed until after the product was released. Thus it became a “client problem” that they could market another product to address, or simply ignore.
Problem #3: What assurances that the data is monitored and secured can be obtained?
In any case, I’ve gotten no solid information yet. The client could always send us out to Texas to do a specific assurance audit, but somehow, I don’t think that’s going to happen.