A new audit standard validates IT-specific controls for cloud service providers

Risk mitigation is one thing when you own all the resources, but when you start moving data and applications into the cloud, it's doubly important to understand what the service provider is doing to protect your assets. Now there is a new audit standard and certification for reporting on controls for data centers and service providers in the cloud.

I'm an old IT audit guy. I spent over a dozen years digging into enterprise data centers and business processes to find weaknesses in controls and point out vulnerabilities so my clients could mitigate the risks before something bad happened. Risk mitigation is one thing when you own all the computing resources, but when you start moving data and applications into the cloud, it's doubly important to understand what the service provider is doing to protect your assets. Understanding what controls are in place, and whether they actually operate, is a prudent step in corporate governance.

Audit and assurance of controls get complicated when computing resources and data sit in the cloud, and the industry has needed a standard way to assess a provider's controls. For lack of any better means of assessment, service providers and their customers embraced SAS 70 as the default approach. However, SAS 70 was designed to validate controls over financial reporting processes rather than IT processes. If nothing else, SAS 70 did give service subscribers a small measure of assurance that controls were in place and operating to protect their data while in the care of the service provider.

Last year, in an effort to address the shortcomings of SAS 70 as an audit standard for service companies, the American Institute of CPAs (AICPA) officially replaced SAS 70 with SSAE 16, the attestation standard for "Reporting on Controls at a Service Organization" (including data centers and cloud hosting providers), within the United States.

The AICPA's SOC framework offers three Service Organization Control (SOC) reporting options: SOC 1, SOC 2 and SOC 3. According to the AICPA, the reporting options are "designed to help service organizations, organizations that operate information systems and provide information system services to other entities, build trust and confidence in their service delivery processes and controls through a report by an independent Certified Public Accountant. Each type of SOC report is designed to help service organizations meet specific user needs."

With its SOC reporting, the AICPA has delivered a real win for both service providers and their customers. Both get a standardized set of control objectives. The service provider receives an independent attestation it can show prospective customers (and, with SOC 3, a seal it can display), and customers get what they have been seeking: a control benchmark to use when comparing data center operators and outsourced service providers.

SOC 1 is the "Report on Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting." With hindsight, the SOC 1 report is what SAS 70 was always supposed to be: a report on financial-reporting controls at a service organization, used as an auditor-to-auditor communication tool. It was never designed to be a data center audit.

A SOC 1 report is the basic SSAE 16 report and, just like SAS 70, is issued as either a Type 1 or a Type 2 report. In a Type 1 report the auditor gives an opinion on whether management's description of the service organization's system is fairly presented and whether the controls are suitably designed to meet the stated control objectives, as of a specified date. A Type 2 report includes everything in a Type 1 report and adds the auditor's testing and opinion on whether those controls operated effectively over a specified period; for example, a calendar year. Only a Type 2 report tells a customer that the controls actually worked over time rather than merely existed on paper on the day the auditor looked.

If you are a service provider that has just been through an SSAE 16 audit and received a SOC 1 report showing that your IT controls are what you say they are, you're now "SSAE 16 certified" or "SOC 1 certified," right? No, you're not: service providers do not receive a certification from an SSAE 16 SOC 1 audit; they receive an auditor's report. So don't call yourself "certified" (just yet ...).

To address both the need for a certification process and the need for a standard approach to auditing non-financial controls (e.g., IT-centric data center controls), the AICPA created the SOC 2 and SOC 3 reporting standards.

These reports are built on a predefined set of criteria, the AICPA Trust Services Principles and Criteria, which the AICPA developed for evaluating the design and operating effectiveness of controls at a data center or other service organization. The AICPA defines the Trust Services Principles as five attributes of a reliable system:

1. Security -- The system is protected against unauthorized access (both physical and logical).

2. Availability -- The system is available for operation and use as committed or agreed.

3. Processing integrity -- System processing is complete, accurate, timely and authorized.

4. Confidentiality -- Information designated as confidential is protected as committed or agreed.

5. Privacy -- Personal information is collected, used, retained, disclosed and disposed of in conformity with the commitments in the entity's privacy notice and criteria set forth in Generally Accepted Privacy Principles issued jointly by the AICPA and the Canadian Institute of Chartered Accountants.

The SOC 2 report, the "Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy," reports on the fairness of management's description of the system and on the design (Type 1) and operating effectiveness (Type 2) of its controls, measured against the Trust Services criteria for the principles that were placed in scope. A SOC 2 report is a detailed, restricted-use document: it describes the system, the controls, the auditor's tests and their results, and it is intended for customers and their auditors who have enough knowledge to interpret it. When you evaluate a provider, ask which principles were in scope and whether the report is Type 1 or Type 2; a SOC 2 that covers only Availability says nothing about how the provider protects the confidentiality of your data.

The SOC 3 report, the "Trust Services Report for Service Organizations," examines the same processes and controls as a SOC 2 report, but it is a short, general-use report that carries the auditor's opinion without the detailed description of tests and results, so the provider can distribute it freely. With a SOC 3 report, data center and other cloud providers can say they are certified once the auditor issues an unqualified opinion that the provider has met the Trust Services criteria. Then, and only then, can the provider display the "SOC 3: SysTrust for Service Organizations" seal.

For more information, see:

• the AICPA's SOC Reports information for service organizations

• the AICPA Trust Services Principles and Criteria

• the SysTrust for Service Organizations seal program at www.webtrust.org

Brian Musthaler is a principal consultant with Essential Solutions Corporation. You can write to him at Bmusthaler@essential-iws.com.


About Essential Solutions Corp:

Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.


Copyright © 2012 IDG Communications, Inc.