Clarifying issues surrounding this emerging security architecture
Maybe SAS 70 isn't the standard needed for ensuring cloud security after all.
Not that Statement on Auditing Standards No. 70 has anything wrong with it; it's just that it wasn't written with information security in mind. Nor is it a standard in the sense of checking for a fixed list of controls.
The problem is that there is no standard written specifically with cloud computing in mind, says Nils Puhlmann, a co-founder of the Cloud Security Alliance. As a result, many customers of cloud computing services are casting about looking for a substitute.
The shortcoming of a SAS 70 audit is that it looks for policies about the handling of data and evaluates whether they would work, but not whether they are actually carried out. An information security standard would look at whether the policy is carried out. So shredding hard drives as a way to destroy data is a policy that works, but checks should be made that the hard drives are actually shredded, he says.
SAS 70 also isn’t a comprehensive list of controls that ought to be in place. It might accurately evaluate all the criteria it sets out to evaluate but fail to evaluate others that it should have, he says.
In the absence of a set of security criteria for cloud services, potential customers can look elsewhere for guidance. A better set of evaluation tools exists within the ISO 27001 specification for information security management systems, he says. It is a comprehensive list of controls that are tested, and part of the process is periodic re-testing.
The downside of ISO testing is that it is expensive and smaller cloud service providers just might not be able to afford it. Over time he says he hopes a fee structure attuned to the size of the organization being audited will be developed.
Meanwhile, ISO guidelines can still be useful for customers evaluating a cloud provider. They can ask for the same information an ISO auditor would look for and measure the responses they get from the provider, Puhlmann says.
For its part, the Cloud Security Alliance is working on a set of recommended cloud-security practices, which it hopes will become accepted as industry best practices that can be measured.
Tim Greene is senior editor at Network World.