The Statement on Auditing Standards No. 70 (SAS 70) has become the ubiquitous auditing report by which all cloud computing service providers are judged. So how did this financial auditing report become the standard by which we examine cloud service providers? How much can we trust this report as a true representation of the security controls in place?
SAS 70 was originally titled “Reports on the Processing of Transactions by Service Organizations” but was changed by Statement on Auditing Standards No. 88 to “Service Organizations”. The guidance contained in SAS 70 is effective for all service auditors’ reports dated after March 31, 1993.
There are two types of service auditor reports.
Type I
- Reports on controls placed in operation (as of a point in time)
- Looks at the design of controls, not their operating effectiveness
- Considered for information purposes only
- Not considered a significant basis for reliance by user auditors or user organizations
- Most often performed only in the first year a client has a SAS 70

Type II
- Reports on controls placed in operation and on tests of operating effectiveness (over a period of time, generally not less than six months)
- Differentiating factor: includes tests of operating effectiveness
- More comprehensive
- Requires more internal and external effort
- Identifies instances of non-compliance
- Places more emphasis on evidential matter
The rise of cloud computing pushed companies to search for a method of validating these new types of services. Publicly traded companies that had to comply with the Sarbanes-Oxley Act (SOX) were already familiar with the SAS 70, so it was a natural evolution to adapt the report to auditing cloud service providers, even though it was never intended for this purpose.

Amazon Web Services & SAS 70 Type II audit procedures

Amazon Web Services' controls are evaluated every six months by an independent auditor in accordance with Statement on Auditing Standards No. 70 (SAS 70) Type II audit procedures. The report includes the audit firm's opinion and the results of its evaluation of the design and operating effectiveness of AWS's most important internal control areas, namely operational performance and the security controls that safeguard customer data. According to the AWS security whitepaper, the SAS 70 Type II report, as well as the processes described in that whitepaper, applies to all geographic regions within the AWS infrastructure.
AWS's SAS 70 Type II Control Objectives

Security Organization: Controls provide reasonable assurance that there is a clear information security policy that is communicated throughout the organization to users.

Amazon Employee Lifecycle: Controls provide reasonable assurance that procedures have been established so that Amazon employee user accounts are added, modified and deleted in a timely manner and reviewed on a periodic basis to reduce the risk of unauthorized or inappropriate access.

Logical Security: Controls provide reasonable assurance that unauthorized internal and external access to data is appropriately restricted and that access to customer data is appropriately segregated from other customers.

Secure Data Handling: Controls provide reasonable assurance that data handling between the customer's point of initiation and an AWS storage location is secured and mapped accurately.

Physical Security: Controls provide reasonable assurance that physical access to Amazon's operations building and data centers is restricted to authorized personnel.

Environmental Safeguards: Controls provide reasonable assurance that procedures exist to minimize the effect of a malfunction or physical disaster on the computer and data center facilities.

Change Management: Controls provide reasonable assurance that changes (including emergency, non-routine and configuration changes) to existing IT resources are logged, authorized, tested, approved and documented.

Data Integrity, Availability and Redundancy: Controls provide reasonable assurance that data integrity is maintained through all phases, including transmission, storage and processing.

Incident Handling: Controls provide reasonable assurance that system incidents are recorded, analyzed and resolved in a timely manner.
Limitations of SAS 70

- It is not as robust as other security frameworks, such as ISO 27000 or the NIST 800 series.
- ISO 27000 and the NIST 800 series take a broader approach to information security by reviewing the entire program from a risk management perspective. In contrast, the SAS 70 is focused primarily on the security controls and procedures surrounding the data center and their financial implications.
- The SAS 70 report can be misleading to the casual observer, because it covers only the controls and procedures agreed upon before the audit by the auditor and the company being audited. Controls that were not in scope are simply absent from the report, not reported as failures.

Cloud & SAS 70

The Type I report only requires the auditor to give an opinion on the design of the controls in place as of the date of the audit. The Type II report takes this a step further by requiring the auditor to test the operating effectiveness of those controls over a period of time and to document an opinion on the results. The SAS 70 report is focused on accurate financial reporting, so the auditors involved are typically from CPA firms. A CPA firm possesses the education, training and experience to audit financial controls and may even have insight into other types of controls. However, the question becomes whether a CPA should be validating information security controls. If the auditor does not possess expertise in information security, it will be very difficult for the audit to provide much insight into the effectiveness of those controls. Technical areas will be overlooked, just as a CISSP would not recognize inaccuracies in a financial audit.

Of the many regulations touching upon information technology with which organizations must comply, few were written with cloud computing in mind. Auditors and assessors may not be familiar with cloud computing generally or with a given cloud service in particular. That being the case, it falls upon the cloud customer to recognize:

- Regulatory applicability for the use of a given cloud service
- Division of compliance responsibilities between cloud provider and cloud customer
- The cloud provider's ability to produce the evidence needed for compliance
- The cloud customer's role in bridging the gap between cloud provider and auditor/assessor
Should an organization interested in purchasing cloud related services even bother requesting this report from a prospective provider? The SAS 70 can still be useful if the provider has tested more than the minimum number of controls; however, because the provider chooses which controls are in scope, a vendor that provides a SAS 70 will most likely have focused the report on its areas of strength. A vendor that does not provide a SAS 70 may or may not be serious about information security and protecting your data; the absence of the report by itself tells you little either way.

Recommendations for the cloud customer:

- A right-to-audit clause in the contract
- Involvement of legal personnel and cloud-aware auditors
- Compliance with ISO/IEC 27001/27002
- A SAS 70 Type II report, not just a Type I
- Evidence of compliance, not merely an attestation that it exists
- Identification of the impact of applicable regulations on the infrastructure
- Policies and procedures
- An information security program

References:

- http://en.wikipedia.org/wiki/Statement_on_Auditing_Standards_No._70:_Service_Organizations
- http://searchcloudsecurity.techtarget.com/tip/The-SAS-70-report-and-cloud-service-providers?asrc=EM_EDA_13410271
- http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf

Related articles

- Auditing Cloud Computing: A Security and Privacy Guide (365.rsaconference.com)