Cloud computing has seen some exciting announcements over the past few weeks, so here is the Pragmatic Auditor's perspective.
This week, OpenStack was launched. OpenStack is a new collaborative effort to bring an open source cloud computing platform to market. Spearheaded by Rackspace and NASA, OpenStack provides open source distributions for storage and compute provisioning. With open source alternatives to VMware, Microsoft's Azure and Amazon's Web Services now available, the expectation is that OpenStack will substantially lower the barrier to entry for new cloud and service providers.
So I'll leave the market / revolution discussion to my MBA classmate Dave Rosenberg (editor of Software Interrupted at CNET) and focus on the audit and compliance considerations:
- With an increased number of providers not to mention open source itself, the need for transparency of controls is even greater.
- A by-product of OpenStack will be an increase in service provider to sub-service provider relationships (e.g. a SaaS company hosts at an IaaS co-lo and has its systems maintained by a managed service provider). The most important thing for cloud providers is to map out all of their customers' control and compliance requirements across that chain, ensuring there are no "gaps" where one provider assumes the other is handling a control (and vice versa).
- Service providers need to carefully evaluate what assurance and compliance tools suit their customers best. This involves doing a requirements and cost-benefit analysis of SAS 70 / SSAE 16 audits and assessments, PCI DSS validation, SysTrust, ISO 27001 certification, or any combination of those and more.
I saw the earnings release yesterday, and Amazon is not about to go out of business. I believe we will see more players, and new players will need to substantiate that they can provide a service that is as reliable and secure as AWS.
Along these lines, another recent update is that the CloudAudit group submitted version 1.0 of the CloudAudit specification to the IETF as a draft. I am an active member of CloudAudit and this is very exciting. The goal of CloudAudit is not to develop a new control standard, but to provide a mechanism for sharing control information. The version 1 draft lays out the framework for a directory structure in which a service provider posts control data that can be queried directly, or through an API by tools such as GRC platforms.
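To make the two points above concrete (the provider-chain "gap" problem, and a provider publishing control assertions in a queryable directory), here is an added example written for this post; it is not code from the CloudAudit project or its draft. The directory layout (`<root>/<provider>/<control>/assertion.json`), the control names and the three providers are all constructed for illustration and are not the CloudAudit or CCM scheme.

```python
import json
import tempfile
from pathlib import Path

# Added example. The per-provider directory layout below is an assumption
# for illustration, not the layout defined in the CloudAudit draft. The
# control names and provider names are likewise constructed.


def publish_assertion(root, provider, control_id, status, evidence):
    """Write one control assertion to <root>/<provider>/<control_id>/assertion.json."""
    path = Path(root) / provider / control_id
    path.mkdir(parents=True, exist_ok=True)
    doc = {"control": control_id, "provider": provider,
           "status": status, "evidence": evidence}
    (path / "assertion.json").write_text(json.dumps(doc, indent=2))
    return path / "assertion.json"


def query_assertions(root, provider):
    """Walk a provider's directory and return {control_id: assertion dict}."""
    base = Path(root) / provider
    result = {}
    for f in sorted(base.glob("*/assertion.json")):
        doc = json.loads(f.read_text())
        result[doc["control"]] = doc
    return result


def implemented_controls(assertions):
    """Only assertions whose status is 'implemented' count as coverage."""
    return {c for c, a in assertions.items() if a["status"] == "implemented"}


def gap_analysis(required, claims):
    """required: set of control ids the customer must satisfy.
    claims: {provider: set of controls that provider says it implements}.
    Returns (uncovered, overlapping): controls no provider covers, and
    controls more than one provider claims (each may assume the other owns it).
    """
    owners = {}
    for provider, controls in claims.items():
        for c in controls:
            owners.setdefault(c, []).append(provider)
    uncovered = sorted(c for c in required if c not in owners)
    overlapping = {c: sorted(ps) for c, ps in owners.items()
                   if c in required and len(ps) > 1}
    return uncovered, overlapping


def run_demo():
    """Constructed scenario: a SaaS hosted at an IaaS co-lo, systems run by an MSP."""
    required = {"physical-access", "patching", "backup",
                "encryption-at-rest", "logging"}
    with tempfile.TemporaryDirectory() as root:
        publish_assertion(root, "iaas-colo", "physical-access", "implemented",
                          "badge logs, SOC 1 report")
        publish_assertion(root, "iaas-colo", "backup", "implemented",
                          "nightly snapshot job")
        publish_assertion(root, "msp", "patching", "implemented",
                          "monthly patch report")
        publish_assertion(root, "msp", "backup", "implemented",
                          "offsite tape rotation")
        # Planned is not implemented: this must surface as a gap, not coverage.
        publish_assertion(root, "msp", "logging", "planned", "SIEM rollout Q4")
        publish_assertion(root, "saas", "encryption-at-rest", "implemented",
                          "volume encryption")
        claims = {p: implemented_controls(query_assertions(root, p))
                  for p in ("iaas-colo", "msp", "saas")}
    return gap_analysis(required, claims)


if __name__ == "__main__":
    uncovered, overlapping = run_demo()
    print("no provider covers:", uncovered)
    print("claimed by more than one provider:", overlapping)
```

Two things the check catches that a quick read of three separate audit reports tends to miss: "logging" is uncovered because the MSP's assertion is only "planned", and "backup" is claimed by both the co-lo and the MSP, which is exactly the situation where each side may later turn out to be relying on the other.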
I will provide more updates in the coming weeks. We will soon be releasing the first set of "compliance paks", which use the Cloud Security Alliance Cloud Controls Matrix as the initial set of controls exposed through the CloudAudit API.
That’s all for now. Time to leave the cloud and head back down to earth for more IT audits!