Thursday, 11 June 2009

Keep your head out of the SAS cloud

As mentioned in the previous blog, SAS can help to check the security of SAAS or cloud solutions. The SAAS solution provider should hire an external auditor that will make the report. The SAAS provder should deliver the SAS 70 type II report to the customer.
If you check that all findings are fine in that report, all should be well right?
Well maybe, the SAAS provider pays the external auditor for the report and then delivers this to the customer. Although it seem by definition that when all findings in the SAS report are fine the security is assessed as ok, if they would ever exists. I mean offcourse the risks are managed.
The thing is the SAS report checks is like an ISO 9K certificateion. It checks that all that is written down in the security policies of the SAAS provider is actually done. Ergo when a certain aspect is not written down in the policy, no check is done.

So SAS gets you a bit closer, but not all the way yet. The way to mitigate that would be to request an audit with the list of item from your own policy that needs to be checked by the external auditor.

With mother from SAAS TO SAS

SAAS (Software As A Service) seems ideal for the business. No hassle with machines that need to be bought, software that needs installing and IT personnel that needs to be paid.
When the SAAS is acquired from a reputable big company often the SAAS solution is well organized. That is also true for the security of that solution. When the SAAS solution is acquired at for instance Big Red O they have network segregation, background checks of personnel, extensive high available infrastructure, disaster recovery site and even a procedure to explain how the data will be deleted.
But how do you know ? Because a lot of money is spend with the supplier it will be organized is a secure way? One can also spend a lot of money at providers that do not provide such a secure service, as the research security market for "lemons" has shown, see Ross Andersons paper: http://www.cl.cam.ac.uk/~rja14/Papers/econ_crypto.pdf
A lot of SAAS providers have not gone thru the processes of checking all security angles. As will quickly be clear when the provider is asked for a SAS 70 type II report, an auditor format for a report that has a auditor check the security setup of the provider.
Reading and checking these reports can help to double check the security assumption that otherwise could be the mother of all...