There is a very important factor to consider when a business begins evaluating service providers against its needs: transparency. Cloud computing is much more than purchasing hardware or software from an IT vendor. It means engaging a service that is entrusted with the management of critical assets and services, often with little day-to-day visibility into how this is done. A level of transparency can, and should, be ensured by the business.
Under a traditional IT model (on-site, and for many outsourcing arrangements), visibility is usually gained by commissioning an audit, performed either by internal auditors or by an outside party. This option is much less likely to be available, or even practical, for cloud services, because the cloud provider's processing may be distributed worldwide.
Alternative methods of gaining visibility into security and controls are therefore often needed. Several methods are available, and cloud providers are increasingly investing in providing the information their customers need, recognizing that they must build trust. This area is likely to grow and evolve, and perhaps one day there will be a single common standard. Meanwhile, here are some typical methods cloud providers use to provide transparency. Each has advantages and disadvantages, so the best approach is often to seek a combination of them:
Non-disclosure agreements — Understandably, many cloud providers keep their architecture, security, and control information confidential. However, recognizing a prospective customer's legitimate need to know these details, they will share limited information under a non-disclosure agreement. This is definitely worth taking if offered, as it will most likely shed valuable light on the provider's services. Remember, however, that this information may or may not have been verified independently.
Independent auditor reports — Many service providers now engage independent auditors to evaluate the design and operation of their controls and make these assessments available to customers as an independent audit report. A range of reports is available, sometimes referred to generically as "SAS 70 reports." These include the Statement on Auditing Standards (SAS) No. 70 and the Service Organization Control (SOC) 1, SOC 2 and SOC 3 reports, based on the standards of the American Institute of Certified Public Accountants (AICPA). Other parts of the world have equivalent standards.
Certifications — While independent audit reports are valuable, the controls they cover can vary in scope and nature from provider to provider. One way to compare providers more easily is to look for industry certifications. Some of the most commonly sought and relevant certifications are:
- ISO 27001 and 27002 certifications provide assurance that the provider has implemented a set of security controls, together with management practices to oversee those controls.
- ISO 31000 certification means that the provider has established a framework and practices to manage the operational risks around the provision of its key services.
- Compliance with the Payment Card Industry Data Security Standard (PCI DSS) means that the provider has put in place sufficient security controls for credit card data to be stored, processed and transmitted on its systems. This standard is very stringent, which makes it a valuable indicator for a business that intends to use a service to manage its sensitive information.
A note of caution: no audit report or certification should be taken at face value without examining its details. Review its purpose, scope and any major exceptions, and evaluate them against the business's critical needs for compliance, risk management and control.