Tag Archives: cloudcomputing

SAS 70 and Cloud Computing

The Statement on Auditing Standards No. 70 (SAS 70) has become the ubiquitous auditing report by which all cloud computing service providers are judged.  So how did this financial auditing report become the standard by which we examine cloud service providers?  How much can we trust this report as a true representation of the security controls in place?

SAS 70 was originally titled “Reports on the Processing of Transactions by Service Organizations” but was changed by Statement on Auditing Standards No. 88 to “Service Organizations”. The guidance contained in SAS 70 is effective for all service auditors’ reports dated after March 31, 1993.

There are two types of service auditor reports.

Type I
• Reports on controls placed in operation (as of a point in time)
• Looks at the design of controls, not operating effectiveness
• Considered for information purposes only
• Not considered a significant use for purposes of reliance by user auditors/organizations
• Most often performed only in the first year a client has a SAS 70

Type II
• Reports on controls placed in operation and tests of operating effectiveness (for a period of time, generally not less than 6 months)
• Differentiating factor: includes tests of operating effectiveness
• More comprehensive
• Requires more internal and external effort
• Identifies instances of non-compliance
• More emphasis on evidential matter

The rise of cloud computing pushed companies to search for a method to validate these new types of services. Publicly traded companies that had to be compliant with SOX were already familiar with the SAS 70. It was a natural evolution to adapt the report to auditing cloud computing service providers, even though it was not originally intended for this purpose.

Amazon Web Services & SAS70 Type II audit procedures

Amazon Web Services’ controls are evaluated every six months by an independent auditor in accordance with Statement on Auditing Standards No. 70 (SAS70) Type II audit procedures. The report includes the firm’s opinion and the results of its evaluation of the design and operational effectiveness of AWS’ most important internal control areas, which are operational performance and security to safeguard customer data. The SAS70 Type II report, as well as the processes explained in the AWS security whitepaper, applies to all geographic regions within the AWS infrastructure.

AWS’ SAS70 Type II Control Objectives

• Security Organization Controls provide reasonable assurance that there is a clear information security policy that is communicated throughout the organization to users.
• Amazon Employee Lifecycle Controls provide reasonable assurance that procedures have been established so that Amazon employee user accounts are added, modified and deleted in a timely manner and reviewed on a periodic basis to reduce the risk of unauthorized / inappropriate access.
• Logical Security Controls provide reasonable assurance that unauthorized internal and external access to data is appropriately restricted and access to customer data is appropriately segregated from other customers.
• Secure Data Handling Controls provide reasonable assurance that data handling between the customer’s point of initiation and an AWS storage location is secured and mapped accurately.
• Physical Security Controls provide reasonable assurance that physical access to Amazon’s operations building and the data centers is restricted to authorized personnel.
• Environmental Safeguards Controls provide reasonable assurance that procedures exist to minimize the effect of a malfunction or physical disaster on the computer and data center facilities.
• Change Management Controls provide reasonable assurance that changes (including emergency / non-routine and configuration changes) to existing IT resources are logged, authorized, tested, approved and documented.
• Data Integrity, Availability and Redundancy Controls provide reasonable assurance that data integrity is maintained through all phases, including transmission, storage and processing.
• Incident Handling Controls provide reasonable assurance that system incidents are recorded, analyzed, and resolved in a timely manner.

Limitations of SAS 70

• It is not as robust as other security frameworks, such as ISO 27000 or the NIST 800 series.
• ISO 27000 and the NIST 800 series take a broader approach to information security by reviewing the entire program from a risk management perspective. In contrast, SAS 70 focuses primarily on security controls and procedures surrounding the data center and their financial implications.
• The SAS 70 report can be misleading to the casual observer, as it only covers controls and procedures that the auditor and the audited company agree upon before the audit.

Cloud & SAS 70

The Type I report only requires the auditor to give an opinion on the effectiveness of the controls in place at the time of the audit. The Type II report goes a step further by requiring the auditor to test the controls as well as document an opinion on their effectiveness.

The SAS 70 report is focused on accurate financial reporting, so the auditors involved are typically from CPA firms. A CPA firm possesses the education, training and experience to audit financial controls and may even have insight into other types of controls. However, the question becomes: should a CPA be validating information security controls? If the auditor does not possess expertise in information security, it will be very difficult to provide much insight into the effectiveness of the controls. Technical areas will get overlooked, just as a CISSP would not recognize inaccuracies in a financial audit.

Of the many regulations touching upon information technology with which organizations must comply, few were written with cloud computing in mind. Auditors and assessors may not be familiar with cloud computing generally or with a given cloud service in particular. That being the case, it falls upon the cloud customer to recognize:

• Regulatory applicability for the use of a given cloud service
• Division of compliance responsibilities between cloud provider and cloud customer
• Cloud provider’s ability to produce evidence needed for compliance
• Cloud customer’s role in bridging the gap between cloud provider and auditor/assessor

Should an organization interested in purchasing cloud-related services even bother requesting this report from a prospective provider? The SAS 70 can still be useful if the provider has tested more than the minimum number of controls; however, a vendor that provides a SAS 70 will most likely only be focused on areas of strength. A vendor that does not provide a SAS 70 may or may not be serious about information security and protecting your data.

Recommendations:

• Right-to-audit clause
• Involvement of legal personnel and cloud-aware auditors
• Compliance with ISO/IEC 27001/27002 and SAS 70 Type II
• Evidence of compliance
• Identification of the impact of regulations on infrastructure, policy & procedures, and information security

References:

http://en.wikipedia.org/wiki/Statement_on_Auditing_Standards_No._70:_Service_Organizations
http://searchcloudsecurity.techtarget.com/tip/The-SAS-70-report-and-cloud-service-providers?asrc=EM_EDA_13410271
http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf

Free WhitePaper – Cloud Computing: It’s all about the Service


Key takeaways

• Cloud implementation requires IT leaders to become the builder AND the broker of IT services.

• Effective delivery of cloud-based services requires end-to-end visibility of the service needs.

• An optimal mix of traditional IT, private, and public cloud (hybrid delivery) environments is necessary to support a diverse workload.

• Identify core applications and context applications before determining how to deliver those applications (internally or externally).




Cloud Governance


Governance

• Governance is about deciding and prioritizing what things to do, while management is about how to do them in an optimal manner.
• Corporate governance: the set of processes, customs, policies, laws, and institutions affecting the way a corporation is directed, administered or controlled.
• IT governance: a subset discipline of corporate governance focused on information technology.
• Cloud governance: a subset discipline of IT governance which involves applying policies to the use of cloud services.

IT Governance of Cloud Computing

• For cloud computing to be effectively used by enterprises, convergence, governance and standardization are required in the following areas and for the reasons described below:
  – Security
  – Interoperability: DMTF – Interoperable Clouds
  – Portability
  – Metering and billing
  – Provisioning, performance and scalability

Use Cases & Cloud Governance

• Hosted HR module in ERP capability to support expanded sales and marketing efforts
• PaaS to build a custom business application / service
• Utilization of datacenter resources and server consolidation
• Basic IT infrastructure to drive the business model
• Scaling a custom-built application for universal use by the industry
• Integrating an internal private cloud with public CSPs / a private data cloud supported by public cloud resources
• Distributed data model for a real-time, event-driven architecture business model
• Integrating business offices to enable sharing and collaboration

Tutorial- Application Development on Force.com from 30 day Free Trial

Force.com is a cloud computing platform-as-a-service offering from Salesforce, the first of its kind, allowing developers to build multi-tenant applications that are hosted on Salesforce’s servers as a service.

Features of force.com

The multitenant architecture of Force.com consists of the following features:

• Shared infrastructure. Every customer (or tenant) of Force.com shares the same infrastructure. You are assigned a logical environment within the Force.com infrastructure.

• Single version. There is only one version of the Force.com platform in production. The same platform is used to deliver applications of all sizes and shapes, used by 1 to 100,000 users.

• Continuous, zero-cost improvements. When Force.com is upgraded to include new features or bug fixes, the upgrade is enabled in every customer’s logical environment with zero to minimal effort required.

• Infrastructure exposure. Force.com is targeted toward corporate application developers and independent software vendors. Unlike other PaaS offerings, it does not expose developers directly to its own infrastructure.

• Integration with other technologies. Force.com integrates with other technologies using open standards such as SOAP and REST, but the programming languages and metadata representations used to build applications are proprietary to Force.com.

• Relational Database
  – Stores and manages the business data. Data is stored in objects.
• Application Services
  – Logging, transaction processing, validation
• Declarative Meta-Data
  – Customization is configured as simple XML with a documented schema
• Programming Languages
force.com - Infrastructure, Application and Operational Services
The layers of technologies and services make up the platform.
force.com - Application Architecture
force.com - How it works?


The 30-day free trial does not provide Workflow support; otherwise a full-featured application can be created. In the trial, we can create a Visualforce page, but we cannot enable Sites for our organization, nor register our Force.com domain name and expose the Visualforce page we created as a public product catalog on the Web.

Workflow support is available in Force.com One App: start with one custom app, for your organization only.

force.com - 30 day Free Trial



Project and Portfolio Management on Private Cloud

PPM deployment on the cloud (PPM as a Service) results in faster deployments, subscription-based pricing, access to important information on the go, and availability. The deployment model may differ between use cases, but most of the cloud benefits remain the same, with model-specific benefits as needed.

Public clouds come with challenges in terms of security & compliance, data loss (no high-availability failover), and fraud & spammers. Storing highly sensitive project data on public clouds not only creates a security threat to the data but also a single point of failure. Thus the basic requirements of the PPM deployment on Private Cloud use case are governance, security, interoperability and SLAs, since data and processes are managed within the organization without the restrictions of network bandwidth, security exposures and legal requirements that using public cloud services might entail.


Benefits of Cloud enablement for Manufacturing Industry


  • On-demand version of ERP
  • High availability – to keep all operations running without failure
  • Functionality and flexibility at much lower cost due to the pay-per-use model
  • Lower operational costs
  • Faster time to market, quicker deployment and ease of use
  • Scope for innovation due to increased focus on business rather than resource management, and affordability due to lower cost and a flexible payment model
  • Better collaboration and information sharing, which provides visibility into every aspect of the supply chain
  • Analytics – access to the information needed to inform decision making
  • Easy upgrades
  • Visibility into vendors’ operations (purchase orders) in the manufacturer’s own IT landscape – a hybrid cloud to connect vendors and suppliers
  • Cloud computing and the mobilization of IT applications will help collect real-time data from potentially any asset along the value chain

Disadvantages of Cloud enablement for Manufacturing

Free eBook-Cloud for Dummies, IBM Midsize Company Limited Edition

Followers and Readers!!!

Receive Your Complimentary eBook NOW!

Cloud for Dummies, IBM Midsize Company Limited Edition


Cloud computing offers enormous benefits to companies in the midmarket.

This eBook gives mid-sized companies insights on what it means to create flexible pools of computing resources that break down silos in your company so you can perform in a smarter and more proactive manner.

Sponsored by IBM and Intel®