Public and private cloud service providers have many providers to choose from. The cloud offers low-cost data storage solutions and infrastructure to host web applications and processes. The company can remove applications from client-side devices and they don’t need skilled IT professionals to manage the infrastructure.
In a September Forbes article, "How to Avoid a Cloud Strategy Fail," Gartner’s Thomas Bittman notes cloud computing means many things, depending on how you look at it. Below are Bittman's "three rationales for doing cloud computing" and warnings.
- Save money — "Cloud computing can save money, but only for the right services."
- Renovate enterprise IT — "Enterprise IT can learn from cloud computing, and private cloud, when applied to the right services (that can't be deployed to a public cloud provider), can drive the organization to more efficient and effective standards."
- Innovation and experimentation — "Cloud computing enables new forms of computing and can enable experimentation and short-running services like never before — but there is a balance between innovation anarchy, and long-term operational effectiveness and efficiency that need to be managed, just right."
John Linkous recently described how availability, accessibility, and affordability lead the decision-making tree in "A Cloud is Still a Cloud: The Private Cloud and Security." Security and compliance follow behind as an afterthought. Because of that the affordability portion of the equation becomes moot when the cloud environment is breached.
What can a company do to understand the security mindset and implementation of security protocols by the cloud provider? One way is to request and review the SSAE-16 and SOC-1 documents.
Understanding the SSAE-16
Public cloud providers offer their customers SSAE-16 attestations (Statement on Standards for Attestation Engagements), which is a good first step in determining if the cloud vendor being reviewed is thinking about security. One must remember, however, that the SSAE-16 attestation is just that: an attestation made by the service provider. No audits or checks against the SSAE-16 are offered. Cloud service providers that share with their customers are following the attestation standard issued by the American Institute of Certified Public Accountants (AICPA).
Ask for the SOC-1
Look for the SOC-1 (Service Organization Control Report), which is an audit report normally conducted by an independent auditing firm. The SOC-1 includes an outline of controls design and implementation testing. The audit team can be expected to provide results as to the reliability and measurement against a set of standardized metrics. An important question to ask when reviewing the SOC-1 is whether or not the SOC-1 was "inclusive." When the SOC-1 is inclusive, the auditors included the third-party service partners in their review. Thus the SOC-1 audit and report digs into your vendor's vendors.
The SSAE-16 and SOC-1 permit apples to apples comparisons of cloud service providers, which allows the intertwining of security and compliance with the discussion of availability, accessibility and affordability. The documents also provides the answer to "How secure is your cloud?," regardless of whether it's private or public.
Companies don’t have a lot of control over what the cloud provider does in terms of security, so it’s essential they ask. Ask questions, verify the responses match with internal policies, and request security assessments. In the end, the businesses are the ones liable in case of a data breach.