As mentioned in the previous blog, SAS can help to check the security of SaaS or cloud solutions. The SaaS provider should hire an external auditor who produces the report, and the SaaS provider should then deliver the SAS 70 Type II report to the customer.
If you check that all findings in that report are fine, all should be well, right?
Well, maybe. The SaaS provider pays the external auditor for the report and then delivers it to the customer. By definition, when all findings in the SAS report are fine (if any findings ever exist at all), the security is assessed as OK; in other words, the risks are managed.
The thing is that a SAS report check is like an ISO 9K certification. It checks that everything written down in the security policies of the SaaS provider is actually done. Ergo, when a certain aspect is not written down in the policy, no check is done on it.
So SAS gets you a bit closer, but not all the way yet. The way to mitigate that would be to request an audit against the list of items from your own policy that need to be checked by the external auditor.