Security Control Attestation for Cloud Computing Providers

While working on one of the  initiatives in the working groups, we had an interesting exchange of ideas on relevance of SAS 70 and similar certifications for cloud service providers. There were viewpoints that such certifications may not be sufficient & their usefulness debatable when it comes to cloud environment & various flavours it has to offer.

In this post, I preset my views on the subject

To understand how such certifications can help the Cloud service providers, we can look at the strategies various IT sourcing providers with global delivery models adopted when it came to providing assurance to their customers on Information Security & regulatory compliance.

In the early years of outsourcing, (around 2000 – 2004) there were lot of apprehensions expressed by potential customers around the state of Information Security, Risk Management & Regulatory Compliance when outsourcing to IT service providers, be it HP, IBM, CSC, EDS, HCL etc. The IT service providers knew that to get customers business, they need to provide a reasonable assurance on the state of Information Security to their customers.  In any outsourcing discussion that took place around that time, there used to be a huge focus on such topics.

What these providers then did was,  they adopted industry best practices and standards like ITIL and BS7799 (now ISO27001). Then they got an external body to audit and certify the state of these controls in their delivery centers (certifications like SAS 70 Type I&II to demonstrate the presence and effectiveness of the implemented controls). On top of that, some of these providers also allowed their customers to audit the security controls implemented at the provider’s delivery centers at random either by customer’s internal auditors or by customer external auditors.

Over time, the adoption of the industry standards combined with SAS reports and yes ‘right to audit’ did provide a reasonable assurance to the customers. Many of these providers have been successfully able to demonstrate the state of information security at their delivery centers to the existing and new customers and the business has been good.

Now, is it guaranteed that just because these providers have SAS 70 certifications, all is well at their centers? I don’t think anyone can guarantee a 100% secure environment.

I think the cloud computing market will evolve in a similar manner. It would require cloud computing providers to implement necessary controls, adopt standards, furnish recognized certifications as a proof of effectiveness of the controls. Without these certifications, these providers will find it tough (just like the IT outsource providers) to demonstrate effectiveness of the controls implemented by them.

Having said that, I also think that cloud computing service providers will also be required to let  customers the ‘right to audit’ on top of these certifications.Especially enterprise with enough business potential will be able to muscle their way with the providers.

I recently met a cloud computing provider and asked them about the right to audit and they said – they wont let customers audit their facilities and even refuse to divulge the location of their DC’s. I don’t see them winning too many favors with auditors with such an approach, especially those who are very particular about data sensitivity and regulatory compliance. These providers may continue to get the non-critical portion of the enterprise  IT environment. Unless reasonable and acceptable assurance around Information Security & regulatory compliance  is provided, the critical, sensitive corp apps are likely to stay within the enterprise DC probably in a private cloud kind of setup.

Cloud for IT Continuity

typically a DR site goes live when the main DC goes offline of fails. quite often, the IT infrastructure at the DR site sits idle waiting for an untoward incident to be kicked back into life. in some cases, the infrastructure at DR site is used to host dev & QA environments also. the DR sites are typically activated for a short period of time and when the main site/DC is restored, the DR goes back to idle state. is there an alternative to blocking investments in a DR site using the evolution in the technologies used in DC and still ensure continuity of operations?

can cloud & cloud based services provide enterprise with the desired level of continuity along with financial flexibility? in my opinion, this is a subject worth further exploration.

during a disaster, you either operate at same or reduced business service SLA’s around performance & availability as from the main site.  the requirements from the DR site are “elastic” in nature,  most of the times, the compute requirement around CPU, memory are pretty low except when activated and operations are run from the DR site.  usually it is the storage that has a consistent use. now, one of the major advantages of cloud computing is to meet elastic demands. put two and two together..i feel there has to be a case to use cloud for IT continuity!

one of the possible challenges is the consistency of the virtualization technology within the enterprise with that of the cloud computing provider. i do not think the cloud computing providers fraternity has something of an intera-operable virtualized images across different cloud providers and private cloud platforms..(or maybe they have. this is something i have not tracked in the google-sphere yet!). so basically what that means is you are stuck with those set of cloud computing providers who use the same virtualization technology as you use in-house in your DC’s for the time being. but compared to having idle investment in your dedicated DR sites, this may be a small trade-off.

some points that i can think of while evaluating the cloud platforms for DR & IT service continuity is – licensing of your existing apps..does the licensing allow you to run the apps from a cloud computing setup, connectivity options to allow migration of large amount of data/images to the cloud computing provider’s setup, how are you going to keep the images of your apps etc in the cloud environment up-to-date with necessary patches, security policies of the providers and client access mechanism.

will update as and when i have discussions with more customers on this topic!

IT Outsourcing & Security Issues

the recent news on Word Bank and leading Indian outsourcing firm – Satyam made the news headlines a few days ago.

it was reported in media that Satyam had been banned from all offshoring work following a so called “security breach” in the World Bank IT systems which were being managed by Satyam under a total outsourcing contract between the two.

when i read the news articles and the media hype over security risks involved in outsourcing, there were couple of points that stood out and probably need a serious thought. i admit tho that i am looking at this topic purely from a services provider point of view.

broadly, there are two type of security risks when it comes to outsourcing.

1. state of security and associated risks in the service provider IT environment – usually these are are discussed in detail and evaluated during the rfp stage. a good number of articles have also been written been assessing service providers security policies and controls before and during the term of the contract. a service provider is usually asked to provide proof of the state of information security, answer certain specific questions in the rfp and in some cases provide sas 70 type I & type II reports.

2. state of security and associated risks in the enterprise IT environment now being outsourced to the service provider – this is a relatively overlooked topic by many of the enterprises who have entered or are entering an outsourcing agreement with an IT services provider. in the context of discreet and total outsourcing, this requires an in-depth understanding and a joint strategy development with the service provider.

in many cases, the enterprise, by entering into an agreement for discreet or total outsourcing engagement with the service provider tend to forgo their responsibility of maintaining, tracking the risk in their IT environment (even though it is now oursourced) and are not invited or participate in assessing the risk, formulating and implementing a suitable risk treatment plan.

with reference to point (2) above, i would like to highlight few point which, in my opinion, require attention during contract and legal discussion stages:-

  1. In almost all of the outsourcing contracts, the service provider usually take over the customer IT environment on as-is basis and hence the risk due to any security (technology / process) shortcoming also gets transferred to the service provider. in most contract the ownership and accountability of this risk is not clearly mentioned in the contract.
  2. there is not many engagements where a risk profiling of the enterprise by the service provider is carried out prior to begining of the outsourcing enggement as a result there is usually no coherent strategy to address the risk that is inherited by the service provider in an outsourcing engagement.
  3. many a times an enterprise may not have invested in adequate set of controls (both technical and procedural) which may result in an high risk exposure for the enterprise. depending upon the level of maturity of the enterprise security organization and practices, the management may or may not be aware of this exposure.
  4. even though the risk of not having necessary controls might be acceptable by the customer when the operations were in-house, they suddenly appear as un-acceptable if there is an incident post off-shoring. Again, in my opinion, this needs to have a clear mention in the contract/legal document.
  5. even when additional controls to reduce the risk, usually the recommendations are side-lined either by the customer or sales teams due to due to cost implications. However, the ownership of accepting the residual risk is not clearly and is a vague area. This should, in my opinion be also addressed in the contract document.

the most important fact remains that:-

There is no guarantee that security breach will not take place either due to technology failure or personnel mis-adventure. even without outsourcing, we have seen breaches being reported.

hence a clause, which indemnifies the service provider due to technology failure or absence of a control not stated in the RFP as a mandatory requirement, needs to be incorporated in the contract/legal documents.


there needs to be a stage in the outsourcing project plan where the service provider assesses the information security related risks in the customer’s IT environment for which the service provider is going to manage and then jointly develop a risk treatment plan with the customer to ensure the risk is kept at a level acceptable to both the organizations.