The cloud customer may wish to audit the cloud provider to verify the service provided. However, it is not usually practical for the provider to allow every customer to perform their own audit. Auditing and certification of providers by a trusted third party is a way to satisfy this need. Therefore, it is important to understand what these certifications mean. Here are three examples:
SOC Reports - The auditing standard SSAE no. 16 (Statement on Standards for Attestation Engagements) is intended to satisfy the need for independent checking of service organizations. This is based on International Standard on Assurance Engagements no. 3402, Assurance Reports on Controls at a Service Organization.
Using these standards, an auditor can examine a service and produce a report. This report is based on the statement of the service that the organization claims to provide. Note: They are not an assessment against best practice. The auditor examines how the service is performed and the controls the organization has in place. The auditor is able to produce two types of reports (often referred to as SOC 1 and SOC 2 reports):
Type 1 report provides the auditor’s opinion on whether or not the description of the service is fair (does it exist) and whether or not the controls are appropriate.
Type 2 report is similar to a type 1 report but includes further information on whether or not the controls were actually working effectively.
An example of a cloud provider that offers such a report is Amazon Web Services.
WebTrust/SysTrust: As mentioned above, one kind of auditor’s report on service organizations is based on what the service provider states that they offer and not an assessment against best practice. It is also possible for a service organization to obtain an auditor’s report based on established criteria (e.g., Trust Services). Trust Services (including WebTrust and SysTrust) are a set of professional assurance and advisory services based on a common framework to address the risks and opportunities of IT. The Trust Services Principles and Criteria were established by the AICPA for use when providing attestation services on systems in the areas of:
- Processing integrity
ISO/IEC 27001 certification: ISO/IEC 27001 sets out standards that require management to examine the information security risks associated with a specific part of the organization’s assets. (Note: Certification is limited to the specified area within the organization). The objectives of this process are to ensure confidentiality, integrity and availability of information. The process must consider the vulnerabilities, threats and their potential impact, and plan a response to the identified risks. This response may be to avoid the risk, to transfer the risk or to implement a set of controls to manage the risks. The standard identifies 134 controls and provides detailed advice on this subject These controls cover the following areas:
- Organization and Information Security
- Asset Management
- Human Resources Security
- Physical and Environmental Security
- Communications and Operations Management
- Access Control
- Information Systems Acquisition, Maintenance and Control
- Information Security Incident Management
- Business Continuity Management.
Trust in the cloud depends upon an enterprise’s needs, the provider’s processes and independent auditing. Choose the right cloud service and delivery model based on business need and risk appetite. It is vital to understand the value and sensitivity of data moved to the cloud. Make sure that the service is clearly specified together with the controls. Remember to monitor the controls and understand what independent certifications and audit reports mean. Finally, “Trust but verify.”