Network World

Verisign urges careful check of cloud security

Cloud Security Alert By Tim Greene, Network World, 06/08/2009

Cloud computing offers advantages over building and maintaining private data centers, including flexibility, reduced maintenance and operations costs, and the ability to employ lower-powered, lower-priced personal computers.

SAS 70 - the auditing standard used by CPAs to evaluate the processing of transactions - is emerging as one of the key ways to evaluate cloud service provider security.

According to VeriSign, which ran a recent online seminar on cloud security, Statement on Auditing Standard 70 is one of the commonly cited standards that cloud providers offer up when asked for verification of their network protections.

In the absence of any specific cloud security standard – and given the difficulty of defining one – both customers and providers seek existing formal means that offer some assurance about specific aspects of security.

According to VeriSign, the concepts of virtualization and resource management that are used in cloud-provider networks have been around for years, as have means of evaluating them. SAS 70 is among them and should be incorporated as part of the evaluation process customers go through, the company says.

Other standards such as PCI and the Health Insurance Portability and Accountability Act (HIPAA) don’t directly address requirements for cloud providers yet. But businesses should ask whether providers have undergone third-party evaluation for compliance, VeriSign says. Their results could prove useful in determining which cloud provider to use and how many resources to dedicate to the cloud.

VeriSign also recommends:

•  Understand the architecture of the service provider’s infrastructure. How many Internet connections does it have? What is its physical security like? Where are its data centers?

•  Find out whether your data will shift among the provider’s data centers and how you will know it gets there intact. Always know where your data is and make sure it is located where it can provably meet compliance requirements.

•  Will your data be encrypted in motion? At rest?

•  How long does it take to recover data? Find out by actually doing a full backup using data that isn’t sensitive.

Tim Greene is senior editor at Network World.
