Evaluating Cloud Vendors and SAS 70


With so many cloud computing providers today, how do we as security professionals know whether one provider is any better than another? Unfortunately, there are no cloud computing security standards that we can measure a provider against. VeriSign, a leader in online security, recommends asking your provider for a Statement on Auditing Standard No. 70, also known as a SAS 70. A SAS 70 audit is widely recognized because it indicates that an organization has been through an in-depth audit of its control activities.


SAS 70 audits come in two variations: type I and type II. A type I certification, also known as a Report on Controls Placed in Operation, provides independent, third-party verification by a licensed CPA firm as to whether control activities were suitably designed to meet specific control objectives. In a type I audit, no testing is performed to determine operating effectiveness, so a type I audit is generally used only for informational purposes.


A type II audit is likewise conducted by an independent, licensed CPA firm. It is also known as a Report on Controls Placed in Operation and Tests of Operating Effectiveness. The audit verifies that control activities were suitably designed to meet specific control objectives and that they were in place and operating effectively over a period of time, typically six months in duration.


If you are going to ask your vendor for a SAS 70 report, ask for the type II report, because it is much more thorough and includes the testing portion. This, combined with financial reports or a Sarbanes-Oxley report, should meet the requirements of your internal security auditing organization.