When it comes to cloud security, one of the most popular features offered by providers is security auditing. A security audit is the method by which a provider's internal controls, consisting of its policies, procedures, and safeguards, are inspected and maintained. The renowned audit, SAS 70 Type II, was conceived in 1992 and has since evolved into SSAE 16. Though both of these audits are commonplace in the security realm, like most other features they do not come without disadvantages, which the person or company relying on the audits needs to address and weigh against the advantages.
Statements on Auditing Standards (SAS) are managed by the American Institute of Certified Public Accountants (AICPA). The AICPA is responsible for setting the standards that govern how security audit principles such as SAS are examined and carried out. In 1992, the AICPA drafted and enacted SAS 70 in order to report on the controls placed in operation and on the tests of their operating effectiveness. The basic idea was to examine and test a company's or provider's day-to-day security.
SAS 70 is broken down into two types, aptly called Type I and Type II. A Type I audit examines an entity's control environment as of a specific day; in other words, it is a snapshot of a company's security environment at a single point in time. Conversely, a Type II audit examines the controls and tests their operating effectiveness over a substantial period of time. Type II does not merely examine; it actually tests a company's security effectiveness over a period of time, usually once or twice per year.
What is SSAE 16?
Rather than thinking of the Statement on Standards for Attestation Engagements (SSAE) number 16 as a replacement for SAS 70, one should think of it as an evolved form. SSAE 16 adds two distinct requirements to the comparatively simplistic SAS 70: the cloud provider, or other service provider, must present a description of its system and written management assertions.
As defined by SSAE 16, a system is the services provided, along with the supporting processes, policies, procedures, personnel, and operational activities that make up the service provider's fundamental activities relevant to the user or company. This matters because SAS 70 merely required a description of a provider's controls, whereas SSAE 16 requires a description of all of the policies and procedures that constitute its system.
The written management assertions are a way of further clarifying and cementing security measures. An assertion is a formal written statement that sets out a number of items used for assessing risks and control objectives. By adding these two requirements, SSAE 16 creates a more clearly defined and secure environment for a service provider's subscribers.
Not So Fast
It's true that SAS 70 and SSAE 16 create a safer cloud environment for users, but it's important to remember that they're not perfect. It's a common misconception that cloud providers are SSAE 16 or SAS 70 Type II "certified." The reality is that there is no certification for these audits; a provider is compliant with them. SSAE 16 and SAS 70 are simply standards put forth by the AICPA. They are not laws or regulations.
They are also subjective. The policies or procedures to be tested are often determined by the provider, that is, the auditee, allowing wide variation in what is tested and how. This limits the audit to those chosen policies or procedures and can sometimes fail to examine and expose major security weaknesses.
Because SSAE 16 and SAS 70 are not perfect, major providers disclose their audits to the public only begrudgingly, if they choose to disclose them at all. In 2009, Amazon Web Services (AWS), the cloud service provided by online superpower Amazon.com, became SAS 70 Type II compliant. Despite AWS promoting how secure its cloud service was after successfully completing multiple audits, many people weren't entirely sold on the idea and wanted to see the hard data. In fact, many naysayers accused AWS of providing a false sense of security in its cloud. Similar instances occurred at other internet giants such as Google, Microsoft, and Salesforce.
The bottom line is that the cloud needs a standard against which its security can be measured. Tech gurus frequently recommend that the cloud service you choose be SAS 70 Type II compliant. As with any of the latest technology developments, there are pros and cons. It is up to the subscriber to weigh those across multiple provider options to determine which provider is best suited to them.