The cloud services market is confusing. SAS70, SOC2, FedRAMP, ISO27001/2. What do all those abbreviations stand for, and more importantly, what do they mean for government agencies looking to reap the benefits of the cloud while protecting their IT assets?
A lot of vendors are aware that cloud security and auditing designations are confusing, but rather than making things simpler, some seem to use the confusion to their advantage, according to Gartner Research Vice President Jay Heiser. But there are a few tips prospective cloud services customers can arm themselves with to ensure they’re getting the right solution for their organization.
First of all, Heiser said, there’s no replacement for due diligence and thorough research. “The basic underlying problem is that people who want to buy cloud computing, they want just a simple stamp of approval that makes it possible to buy those things and nothing like that exists,” he said.
Instead, there are a handful of standards commonly used to demonstrate that a system is secure. But they're not certifications -- they’re more like endorsements, Heiser said. There’s ISO27001, which is an international standard for information security that may or may not specifically consider cloud computing. There’s SSAE16, which is a standard that contains SOC1, SOC2, and SOC3, three separate reporting frameworks that don’t all relate to security. And there’s FedRAMP, which is the first cloud-specific security standard, created to streamline security auditing across multiple federal agencies in the U.S.
Before SSAE16 was created, there was something called SAS70, which has nothing to do with security. Instead, SAS70 relates to financial reporting. While financial standards are important, the problem, Heiser said, is that many vendors know that there’s a misconception about what SAS70 means and they do little to correct the misconception. “The information security profession is wise to this and quite cynical about it,” he said. “The world at large has not fully understood this. I’ve had people talking to me this week about SAS70 that misunderstand it.”
According to Heiser, it’s not uncommon for a cloud service provider’s marketing materials to reference SAS70 and security, even though the two are not related. Likewise, SOC1, which is the replacement for SAS70, has nothing to do with security and yet it is sometimes misrepresented as a security designation.
But SOC2 and SOC3, however, are valid security designations. The two are the same with just one important difference, Heiser said. SOC3 allows an organization to share the results of the audit with prospective customers. This distinction is crucial, Heiser said, because in order to know if a cloud solution is the right choice, someone must read the auditing report to ensure that the security controls apply to what their organization needs. And, Heiser added, there’s some more trickery that can occur when organizations don't share their audit reports.
Sometimes, Heiser said, an organization will say it has some designation, say SOC2, but it doesn't run services out of its own data centers. In this instance, the SOC2 designation was not applied to their company or to their services -- it was given instead to the data center they are housed in. “Especially with software as a service, you’re not concerned with somebody walking in the door and stealing a hard drive,” Heiser said. “You’re concerned about somebody hacking in over the network. The fact that whoever’s site you’re sitting in has had this evaluation has nothing to do with your company at all, let alone the integrity of the software. That’s carrying the deception one step farther. I’m just flabbergasted and amazed that a company could do that.”
But this type of deception does happen, he said, and much of it stems from the fact that many people don’t understand security standards and don’t bother to look beyond a vendor's marketing materials.
Ed Ferrara, principal security analyst at Forrester, agreed that buyers need to be careful when choosing a cloud service provider. Buyers can be misled by security designations that don’t necessarily apply to an entire organization. For instance, a company that offers cloud services, he said, may have attained an ISO27001 designation for another part of their business, but that company will advertise in a vague way that they have ISO27001, when that designation may have nothing to do with the services their buyers are interested in. “That’s an approach that a lot of firms are doing,” he said.
Security standards are called “standards” for a reason, but they may not all be created equal, Ferrara said, which is why it’s so important to look at the audit report. “How credible is the auditor actually doing the assessment?” he asked. “Is it ‘Harry and Joe Screendoor CPA’ or is it Pricewaterhouse Coopers?” A security designation can turn out to be less impressive after a bit of investigating.
Although security designations are intended to simplify the evaluation process, a security assessment document is a starting place, not the end of the discussion, Ferrara said. “That should be only a first step in the due diligence process,” he said. “You should be willing to ensure that those security controls are closely aligned with your own expectations for security controls, that you also have the ability to audit those controls.”
Technology consultant Rob Enderle defended cloud service providers to an extent, pointing out that while security designations do get misrepresented, the intention may not be to mislead potential customers. Cloud customers may not understand all the intricacies of cloud security, but the many people who work for cloud service providers themselves may not fully understand them either, he said.
“Often, and this is true of old-style technology companies as well as new-style companies, the folks that are putting together the marketing collateral and the folks that actually understand the technology are two very different groups,” he said, echoing the cautionary advice of Heiser and Ferrara.
“And often the marketing guys are just trying to get people interested in the service. It’s always been the case with a product where folks are throwing around this acronym and that acronym that it’s best to do your homework and understand what levels of compliance you have to have and certainly understand what they mean, then of course audit to that because if you don’t audit to it, somebody else probably will and if it’s wrong, you’ll be held accountable.”
Photo from Shutterstock.
NEW ON THE PODCAST