One of the major players in cloud computing – Amazon, are SAS 70 compliant. A small step forward towards safer environments as many commented but I see it as an important move – well done Amazon! As I stated in previous articles, cloud computing has to proof that that it is getting safer and safer. Ernst & Young carried out Amazon’s SAS 70 Type II audit, quite an assurance that the job was done to high standards. This means that remote online backup providers that use Amazon as their backend have one important layer SAS 70 certified, however, the backup service provider remains responsible and should implement the necessary security measure to protect their customers’ data.

 
So what is SAS 70 (Statement on Auditing Standard 70) Audit? – The AICPA (American Institute of Certified Public Accountants) responsible body defines it as “Report on the Processing of Transactions by Service Organizations” where professional standards are set up for a service auditor that audits and assesses internal controls of a service organization. At the end of the audit, the service auditor issues an important report called the “Service Auditor’s Report”

Now there two types of SAS 70 audits, Type I and Type II. Type I focuses on the validity of the controls in operation and that they according the specified control objectives objectives while Type II enhances Type I by checking that these controls are actually in place and being executed by the service provider.

Custom Search

In other words, a SAS 70 Audit is an in-depth examination of a service provider control objectives and control activities, including IT controls! Briefly, a service provider must have adequate controls and safeguards over their customers’ data in order to be able to achieve this certificate. However, SAS 70 Audit is slightly flexible and service provider/auditor dependant. That is, you may have customers that may agree or disagree with Amazon’s control objectives or operational standards!

 SAS 70 Type II may be seen as the basis for future more rigid certifications. It may lack some important aspects of security but surely it examines operational performance and the service’s ability to safeguard customer data and many hosting organizations are achieving it.

I have read many expert articles stating that SAS 70 is limited to policies and procedures inside data centers and it does not cover major security weaknesses, such as, personnel unintentional errors. This is quite a pro cloud computing statement. Why? Would an organization (with in-house solutions) take their IT staff (individual) to court in the event of data mishandling? They might and if they do, do they will be able to be paid for the lost revenue/damages from an individual? However, an organization being a customer of a service provider would take that service provider to court in case their data is mishandled. With cloud computing providers, you have higher assurance of getting something back when terrible incidents happen.

Last 3 posts by George

• Backup considerations for Microsoft SharePoint - July 26th, 2010
• What is Cloud Computing? - July 19th, 2010
• How to save IE Favorite sites or Firefox Bookmarks - June 21st, 2010

The best way to turn any policy into practice is by defining every single step required to achieve the statement goals. The main entities mentioned in the above statement are data requirements (RTO and RT elements), data owners and users, off-site storage and security. Such statement does not define specific technical details such as, data integrity checks and jobs schedules, however, it is important to include these steps without details in your procedure. Another procedure or document would be needed to show such details. Remember, that policy statements are initiated by a member of senior management and need to be implemented by lower levels in the hierarchy of the organization. Furthermore, such procedure in the form of a flow-chart should be understandable by senior management, otherwise they would be reluctant to approve.

The procedure is divided into three main parts: the data requirements build-up, the backup strategy and checks, and the off-site backup process.

Data owners request their data to be backed up whenever they deem necessary while a backup operator (IT Technician) checks with data owners the validity of the their requirements on regular basis,  depending on the business environment. The IT’s backup operator defines the backup strategy such as, job schedules and destination media for local backups and recoveries. Each and every backup job is checked for errors upon completion and the respective owner informed about the missed job. Each failed job should be recorded for auditing and problem escalation purposes. If the off-site backup media is tapes, then it is extremely important to restore some files from the previous tapes on regular basis and the same applies if the off-site media is a remote storage location such as, cloud or on-line backups providers. The backup strategy and off-site schedules vary with data criticality and with the business requirements and hence, intervals shown in the flow-chart are typical examples.

Last 3 posts by George

• Backup considerations for Microsoft SharePoint - July 26th, 2010
• What is Cloud Computing? - July 19th, 2010
• Is Cloud computing getting safer? - July 13th, 2010

Nevertheless, SMBs and households should not forget to backup their data locally first and then use a remote storage location as a second means of protection - my advice is:

1. To perform regular Data backups locally, on some reliable and inexpensive media but most importantly is to use a different storage media other than the local drive.
2. Then move/archive this data off-site – again using a reliable, secure and economical solution

I have come across a couple of online backup providers that lack comprehensive management tools. When I say comprehensive I mean ample features that allow end users to monitor the backup/restore process and check for errors, costs and edit account details.

Such as, a user-friendly Web-based GUI (graphical user interface) that provides the following information:

1. That shows and logs the successful completion of backup and restore jobs
2. For failed jobs one should be able to view a brief but complete explanation of what went wrong in plain English and not a series of error codes
3. That shows the storage space consumed and the remaining space if the account is limited by space quota. Graphical statistics would give a good overview such as, usage per day, month, etc
4. Timestamps for the backed up data that will help the end user identify the right data in case a data recovery is needed
5. A section (tab) with all the billing and payment details without disclosing any critical information
6. A personal account section where one can change passwords, email address, quota settings if any and other account related settings.

Last 3 posts by George

• Backup considerations for Microsoft SharePoint - July 26th, 2010
• What is Cloud Computing? - July 19th, 2010
• Is Cloud computing getting safer? - July 13th, 2010

1. The application or wizard allows you to set verification of a backup job – tick the verify check box
2. Enable logging features – make sure you know the log files location
3. The application allows you to encrypt backed up data with a password if your destination location is a remote storage host or removable media such as, pen drives – dual password entry text box
4. Enable job status features such as, completion reports – check for failures or warnings

If these options are not presented to you in the application wizard then go and look for them before you start the job. Although, the verification mechanism was more intended to verify data integrity when backing up to tape media, it is still a useful check for all kind of media.

Another important task that I recommend you to perform from time to time is a restore test operation. Select a previous backup set and perform a restore operation to an alternate location (if you restore to the original location, remember you would overwrite your recent files with older ones). After a test restore operation check that the restored files are not corrupted such as, opening a word document or spreadsheet and verify that the data is complete and accessible.

Last 3 posts by George

• Backup considerations for Microsoft SharePoint - July 26th, 2010
• What is Cloud Computing? - July 19th, 2010
• Is Cloud computing getting safer? - July 13th, 2010