The SAS 70 Emperor Has No Clothes

A commonly cited auditing standard has little use for cybersecurity.

When you put your data into the cloud, you turn over control. Operational responsibility moves to your cloud provider and you also lose visibility. You no longer do the work, you can’t even watch the work being done.

However, you are still responsible for its protection. Regulatory compliance requires evidence for this protection — cybersecurity audit results, access and activity logs, and documentation for system configuration management and change management.

With Iaas (e.g., Amazon EC2, Rackspace), the situation is much like your present in-house situation. The difference is that the cloud provider is doing the physical support and protection (and for most customers, they can do a far better job).

However, with PaaS and SaaS you must rely entirely on your provider. Lack of physical control and visibility means that the needed security metrics, standards, and documentation must be built into the SLA and contracts.

Now, as for that proof…

Cloud providers announce their completion of various audits as marketing advantages. The first generation of these announcements has focused on the SAS 70, an audit with which managers are familiar and comfortable. The problem? SAS 70 really doesn’t mean anything as far as cybersecurity goes.  It wasn’t meant to.

SAS 70, the “Statement on Auditing Standards Number 70: Service Organizations”, is a document issued by the Auditing Standards Board of the American Institute of Certified Public Accounts. It assesses the internal controls of a service organization. The Type I auditor’s report addresses controls that are in place at one time. The more meaningful Type II covers a period of time, typically six months. Type I shows that it can happen, Type II shows that it does happen.

SAS 70 has been evolving into SSAE 16, or the Services Auditors’ Statements on Standards for Attestation Engagements Number 16. That’s a mouthful, but it doesn’t change the fact that this evolving guidance was designed by and for accountants.

There is no specific cybersecurity content to SAS 70 or SSAE 16. These documents provide guidance for an auditor’s assessment of whether or not the organization has well-defined carefully followed internal controls. They do not assess whether those controls are useful for security.

The ISO/IEC 27000 standards series is much better, specifically addressing information security management, although it is still no guarantee. A CA Technologies study found IT managers claiming ISO 27001 compliance while admitting to bad practices including routinely granting broader privileges than needed and sharing administrator accounts between users.

This situation has to improve, the market imposes powerful pressure.

Learning Tree’s Cloud Security Essentials course discusses the difficulty of meeting regulatory compliance with the limited available proof.

Bob Cromwell

Type to search blog.learningtree.com

Do you mean "" ?

Sorry, no results were found for your query.

Please check your spelling and try your search again.