Is Cloud computing getting safer?

One of the major players in cloud computing, Amazon, is SAS 70 compliant. A small step forward towards safer environments, as many commented, but I see it as an important move – well done, Amazon! As I stated in previous articles, cloud computing has to prove that it is getting safer and safer. Ernst & Young carried out Amazon’s SAS 70 Type II audit, quite an assurance that the job was done to high standards. This means that remote online backup providers that use Amazon as their backend have one important layer SAS 70 certified; however, the backup service provider remains responsible and should implement the necessary security measures to protect their customers’ data.

 
So what is a SAS 70 (Statement on Auditing Standard 70) audit? The AICPA (American Institute of Certified Public Accountants), the responsible body, defines it as “Report on the Processing of Transactions by Service Organizations”, where professional standards are set up for a service auditor who audits and assesses the internal controls of a service organization. At the end of the audit, the service auditor issues an important report called the “Service Auditor’s Report”.

Now there are two types of SAS 70 audits, Type I and Type II. Type I focuses on the validity of the controls in operation and that they are in accordance with the specified control objectives, while Type II enhances Type I by checking that these controls are actually in place and being executed by the service provider.


In other words, a SAS 70 audit is an in-depth examination of a service provider’s control objectives and control activities, including IT controls! Briefly, a service provider must have adequate controls and safeguards over their customers’ data in order to be able to achieve this certificate. However, a SAS 70 audit is slightly flexible and service provider/auditor dependent. That is, you may have customers that may agree or disagree with Amazon’s control objectives or operational standards!

SAS 70 Type II may be seen as the basis for future, more rigid certifications. It may lack some important aspects of security, but it surely examines operational performance and the service’s ability to safeguard customer data, and many hosting organizations are achieving it.

I have read many expert articles stating that SAS 70 is limited to policies and procedures inside data centers and that it does not cover major security weaknesses, such as unintentional personnel errors. This is quite a pro-cloud-computing statement. Why? Would an organization (with in-house solutions) take their IT staff (an individual) to court in the event of data mishandling? They might, and if they do, will they be able to be paid for the lost revenue/damages by an individual? However, an organization that is a customer of a service provider would take that service provider to court if its data is mishandled. With cloud computing providers, you have higher assurance of getting something back when terrible incidents happen.

Last 3 posts by George

Posted on July 13th, 2010