Evaluating Cloud Vendors and SAS 70

Ralph DeFrangesco

With so many cloud computing providers today, how do we as security professionals know if one provider is any better than another? Unfortunately, there are no cloud computing security standards that we can measure a provider against. VeriSign, a leader in online security, recommends asking your provider for a Statement on Auditing Standard No. 70, also known as a SAS 70. A SAS 70 audit is widely recognized because it represents that an organization has been through an in-depth audit of its control activities.


SAS 70 audits come in two variations: type I and type II. A type I certification, also known as a Report on Controls Placed in Operation, provides an independent, third-party verification by a licensed CPA firm as to whether control activities were suitably designed to meet specific control objectives. In a type I audit, no testing is performed to determine operating effectiveness, so a type I audit is generally used only for information purposes.


In a type II audit, an independent licensed CPA firm also conducts the audit. A type II audit is also known as a Report on Controls Placed in Operation and Tests of Operating Effectiveness. The audit verifies control activities were designed to meet specific control objectives and were in place and operating effectively over a period of time that is typically six months in duration.


If you are going to ask your vendor for a SAS 70 report, you should ask for the type II report because it is much more thorough and includes the testing portion. This combined with financial reports, or Sarbanes-Oxley report, should meet the requirements of your internal security auditing organization.

Add Comment      Leave a comment on this blog post
Jun 24, 2009 2:26 AM John Verry John Verry  says:

I could not agree more with your recommendation that a prospective client seek third party attestation before entering into a services agreement. While many entities are still leveraging SAS-70's as a form of attestation, ISO-27001 is rapidly becoming the de-facto standard for information security attestation. Approximately, 4,000 companies worldwide have ISO-27001 certified their environment (or portions thereof) in the last few years

The advantage of ISO 27001 (over SAS-70's) is that it is an international information security standard that can be leveraged to both architect and certify the operation of a strong control environment.


Post a comment





(Maximum characters: 1200). You have 1200 characters left.



Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.