16Nov

Why is Amazon’s SAS70 Audit Bogus?

At first glance it seems like Amazon’s recent announcement of a successful SAS70 audit is grounds for celebration[1]. Certainly it has met with fanfare on Twitter and blogs.

Unfortunately, a SAS70 audit isn’t what most people think it is. Worse yet, Amazon’s reluctance to provide details of the audit provides a false sense of security with no tangible benefits.

Let me explain.

Understanding the SAS70 Audit
The SAS70 is a methodology for performing an audit, not the audit rules themselves. The SAS70 can prove whatever you decide it needs to prove. From taking the garbage out to turning the lights on.

From Wikipedia:

SAS 70 defines the professional standards used by a service auditor
to assess the internal controls of a service organization and issue a service auditor’s report.

Here’s how it works.

For a SAS70, you must specify a series of “controls” and “control objectives”. Like it sounds, you are asserting that a given ‘control’ meets a goal or objective. An example of a control might be the ‘new user creation process’ or a ‘firewall’. An example of a control objective might be the following[2]:

The new user creation process MUST guarantee that a user’s password
is at least 8 characters long and composed of a mix of at least one uppercase,
one lowercase, and one numerical character.

Once all of the control objectives are in place an outside auditor, like Deloitte & Touche, comes in and verifies that you are compliant with the stated control objectives over a period of time. If it is a Type 1 audit the period is 3 days. If it is a Type 2 the period is 6 months.

Now here’s the rub: Who decides what the control objectives are? An outside agency? A regulatory body?

None of the above. The company being audited decides and can make the control objectives anything they like. Here’s a SAS70 FAQ response on the topic right from the SAS70.com website.

Again, the SAS70 is just an auditing framework. Why then do so many think it’s useful?

Background on the SAS70 Audit
The SAS70 comes out of the financial industry and is a relatively generic framework for that reason. The financial industry has tons of different regulatory requirements that vary from state to state and country to country. Moreover, within the financial industry these kinds of audits are undertaken all of the time, the parties involved know what they are testing for, and how to negotiate it.

For example, a large bank might outsource work to a secondary institution and have a desire to see that institution provide proof they are following certain guidelines or regulations. A good example is the Bank Secrecy Act. The large bank in this case knows what the BSA requires and how to evaluate the secondary institution’s SAS70. This knowledge allows them to assess secondary institution’s level of compliance with the BSA. At the same time, the secondary institution is familiar with what its large partners will require and sets up its annual Type 2 to cover the ‘usual suspects’ of controls and control objectives.

So how did we get here?

Hosting Companies and the SAS70
In recent years as financial institutions began to outsource they required that various hosting (and other) businesses perform the audit as well. Unlike their usual partners it hasn’t been clear what hosters need to be compliant with. Because of this most folks have simply done these SAS70s as simple Type 1s that are one-offs. This allowed the hosters to keep their costs down while allowing the bank to outsource and the hosters to generate revenue.

Here’s the problem: Cloud computing is ushering in whole new ways of delivering IT services.

It demands greater transparency than ever, especially when it comes to security. If the average person doesn’t understand the SAS70 and if you don’t provide your control objectives so that others can vet the objectives you sold then you are creating a false sense of security.

You could have one control objective that simply says: “we must keep the power in the data center on” and successfully pass by fulfilling that over 3 days or 6 months.

The Need For A Cloud Security Standard
There are a couple of security and IT standards that can be used as the basis for a good SAS70 audit. For example there is CoBIT and the ISO27002 (formerly ISO17799). There are probably others I’m unfamiliar with. Unfortunately, most of these standards really focus on the Enterprise and not on a multi-tenant public cloud or hosting companies, who have some issues specific to their particular business models and architectures.

So, even if Amazon used one of these, it’s still not good enough for them to keep their controls and control objectives hidden from public view. How are we to be certain that they are sufficient? [3]

Summary
Until there is a security standard for running a cloud then SAS70 audits with unpublished controls and control objectives like the recent AMZN announcement are simply smoke and mirrors. They provide little or no real assurance to the average consumer of the AWS public cloud and serve only to provide a false sense of security.

UPDATE: @wpauley says he has a copy of the AWS controls, but I haven’t seen them yet. When I get a copy I will post them.
UPDATE2: Apparently @wpauley was a special case. AWS is keeping the controls under wraps. If you have a copy send them to me anonymously and I will get them posted.

[1] Even the recent refresh of the Amazon Security Whitepaper (PDF) does not include details on the controls or control objectives
[2] Been a while since I was involved in a SAS70 and there is a specific language they use that I’ve forgotten. Did not find any examples on the net. Appreciate clarifications in comments below if you have them.
[3] I think this raises a broader question, which is should any public cloud ever be allowed to keep their SAS70 controls and control objectives hidden? There is a very nominal argument for security through obscurity, but the reality is that many people will have to see them anyway, so why not shed some light?

Post to Twitter

This entry was written by randybias, posted on November 16, 2009 at 07:39, filed under Cloud Computing and tagged , , , , , . Bookmark the permalink. Follow any comments here with the RSS feed for this post.
  • wpauley
    Randy,

    If I were to wear a cloud providers "customer" hat - the free "customer" - you get what is available on the portal. For the "volume" paying customer - this has to be self-service for the most part so how do you share controls without worrying about them going out to anyone anywhere? If you are the "value" paying customer - I agree - I'd like to know the controls and control objectives. This comes down to choice - if a cloud provider is not willing to provide such information to a paying customer then I have the choice to take my business elsewhere.

    Also as a customer I would be also concerned if the controls were published in the public domain because it would provide a map to anyone who wanted to find weaknesses in the controls and try to exploit them. There has to be a balance of what is provided and not.

    I spent some time looking at RightScale and GoGrid too - the notion of using someone to front-end the experience on a large provider like AWS or even build a hybrid where systems are provisioned on multiple backend providers - what happens then? Are the policies and controls transitive? Some of the providers have established

    What if you are not satisfied with copies of the data protecting your data and you want real backups or require HIPAA/SOX/PII controls? Now you may engage yet another party as part of the service-stream. This starts to diffuse the customers understanding of the protections in place as well as make it a lot more challenging for the service-stream of providers troubleshoot the problem (likely creating another service opportunity! :)

    I think there has to be a balance and I think if we did have standards that could provide some level of expectation setting for both sides - then we'd be better off. One example I like to use that generally creates a polarized response is the "credit score" - if we could have a risk score for privacy protections that was like the credit score then it might be possible to understand where you are in terms of risk and if/when you add others to the service stream that score is adjusted accordingly.

    Also it would be useful if the cloud providers considered using more feedback mechanisms like the "password strength meter" you see these days to show you when you do something or add something to your use of their services that improves or deprecates your service level or security posture.

    Just some more thoughts - again a great topic!

    /wayne
  • I think that hiding the controls as a security measure is overblown. Security through obscurity is generally considered to be a poor substitute for real security measures. Not only this, but AWS could simply follow one of the two specs that I mentioned, like CoBIT or ISO27002, or a subset/derivative, and say so, so we know that they are doing something 'real'. Once that is done, you know what the controls and control objectives are, right? So why hide them?

    As an aside, GoGrid runs their own cloud. There looked like there might be some confusion there in your posting about this.

    With regards to the others, yes, it would be just as important for someone like a RightScale to provide transparency as well. Some controls are transitive as RightScale hosts their infrastructure on AWS, but obviously there are limitations to how much is transitive. All of the controls from the Guest OS up would be RightScale's to own, although the network is still AWS. But that's a bit in a weeds. What's important is the general thrust: we need to know and trust public providers.

    I like your points regarding the service stream and the general notion that these are going to be hard problems because you have a blend of services. IMHO, that's primarily where the opportunity lies for folks looking to sell services or software to cloud consumers.

    Your credit score idea is outstanding. I'd like to see a score card with areas that mapped to larger buckets of controls & control objectives. Then an auditor could provide real value to the consumers and the provider both.


    Best,


    --Randy
  • wpauley
    Randy,

    I think there is more to this than that the audit is "worthy of fanfare" or it is "bogus".

    I ran the technical side of a managed service provider for 5 years and have also been responsible for some fairly large operations in and around New England. We had external parties come in and do security audits, PII audits, etc. When we had the results we shared the outcome of the audits with our paying customers. We also messaged the use of the auditing process as a differentiator in our sales and marketing. But we didn't just post the audit information to the public. A good example of this is what ADP does (http://www.adp.com/advisor/vol17no1/4.html) - they have the audits done, they share the applicable elements of the audit on request to their paying customers.
    Now will AWS share their audit results with a paying customer? I don't know (though I have asked them via email earlier today).

    In the end cloud is still evolving and providers are still learning to adapt and adjust to the needs of their customers and what it takes to land "new customers". After reviewing a good number of different cloud providers SLA's, Security whitepapers, and privacy statements - I've come away with the following:

    - Transparency isn't the goal - the goal is to provide reliable services to customers with adequate protections.
    - There is a need for the standards that do exist to be adapted to service providers (e.g. ISO 27005, NIST SP80-300, etc.).
    - Service levels vary a lot – 99.5%, 99.95%, a lack of aggregate levels, some with guarantee’s, and ITIL doesn’t seem to be in the US providers vocabulary yet which is a shame because v3 has some excellent service provider extensions.

    I will be posting a blog on my findings soon – I’m trying to study a few more providers to look at and to see if they respond to some of my direct (via email) questions first.

    Great topic - Thanks.

    /wayne
  • Hi Wayne,


    Thanks for your thoughtful reply. I am not asking for the audit
    results, just the controls and control objectives themselves. There is
    a difference.

    I am aware of how these audits are used within the hosting
    industry. Regardless, the lack of a cloud specific set of practices is
    a serious problem.

    With regard to Amazon, we are talking about a business that
    embraces opacity as modus operandi. It's no secret that they are
    widely known for sharing little or no information and that larger
    enterprises consider them hard to work with.

    My point being that greater transparency by pushing clouds and
    hosting providers to provide clear information on their controls and
    control objectives for the SAS70 can only help the marketplace in
    aggregate. Just saying: "we have a SAS70 audit!" isn't good enough
    since we can't evaluate what that means.

    Unless perhaps you mean that only the largest customers should be
    allowed this information? If so, I obviously have a serious quibble
    with that argument.


    Best,


    --Randy
blog comments powered by Disqus

Twitter links powered by Tweet This v1.6.1, a WordPress plugin for Twitter.