Today, I read a very thorough article titled "Cloud computing certification leads to questions of scope, vendor ties". In the article, the writer (Bill Hurley) comments on the involvement of vendors such as Novell in the creation of a Cloud Certification program for identity and access management.
First (rant), in my opinion, anyone who wants to participate in (and lead) the development of standards and practices for safer cloud computing should, no matter who they work for. The reality is that most security professionals work at a for-profit company, so the fact that Novell stepped up to invest money and resources in this effort is a good thing. As long as they aren't creating a sandbox which only they can play in (which they are not), any additional publicity that comes their way as a result is also well deserved. The Cloud Security Alliance is a non-profit organization that relies on funding and volunteer work from participating members.
Now, a couple of points that were either missed or misquoted. The first quote comes from Jim Reavis, Executive Director of CSA: "We see our certification as being narrower in focus and drilling deeper than a SAS 70 [Level] II would in regard to identity and access management. We see the seal as being complementary to a good SAS 70," added Reavis via email.
There is a large tendency in just about every article I read to refer to SAS 70 as not deep or detailed enough in some specific domain. Most who have done (or gone through) a SAS 70 audit recognize that the standard does not say anything about identity management or any other domain. Chenxi Wang from Forrester was a little more accurate when she said, "A SAS 70 audit does not specify a pre-determined set of control objectives or control activities that organizations must achieve." That is true. That said, Wang was less accurate when she referred to a SAS 70 as a self-imposed exercise and then later as a baseline.
SAS 70 is not a baseline at all. While the controls are set by the service provider, they do have to align: the (detailed) control activities need to provide reasonable assurance that the (higher level) control objectives can be met. For instance, when an auditor conducts a SAS 70 (Type 1 or 2), she/he has to evaluate all of the control activities being performed in the context of the stated control objectives. If a service provider states a control objective (for instance, "provides reasonable assurance that system information is protected from unauthorized or unintentional use, modification, addition or deletion") and then only has a policy to support it, with no detective or preventive technology controls, that provider is not likely to get an unqualified opinion.
There is no reason why incremental control activities (such as those to be laid out by CSA) could not be placed within a SAS 70 audit scope. With that, I agree with Jim 100% that the certification would be very complementary. The reality is that some SAS 70s have control descriptions that are broader, while others go more in-depth than any prescriptive standard available.
Bottom line: while we're still learning how to talk to each other, the progression and involvement of so many is a good thing.