One of the major reasons companies are interested in moving IT into to the cloud is to avoid the costs and complexities
of data centers. These dedicated rooms are often the most expensive real estate in a company’s building. Cloud service providers are building massive shrines to the information age around the country to satisfy this new demand for their services. The costs associated with building and operating these data centers are a major component of the cloud service providers’ costs.
Why is there so much pricing variability for cloud services if each cloud service provider is shouldering similar data center costs? The variability in pricing is due to the fact that not all cloud service providers have built the same level of redundancy and resiliency capabilities into their data centers. So how do you determine what level of protection is offered by a cloud service provider before signing the contract?
SAS 70/SSAE 16 audits
The first place to start with any cloud risk assessment is to examine the provider’s SAS 70 or Statement on Standards for Attestation Engagements (SSAE) No. 16 audit report. The SAS 70 or SSAE 16 should not be the only document considered when reviewing potential cloud service providers, but it can be useful as a starting point if the cloud service provider opted to have more than just the bare minimum number of controls audited. Most serious cloud service providers are marketing this document in order to prove their commitment to information security. Cloud service providers that cannot provide a SAS 70 or SSAE 16 should probably not be considered unless there is other ways to scrutinize their security posture.
These auditing reports are more useful for auditing physical security measures in data centers than technical security measures because of the nature of the audits. SAS 70 or SSAE 16 audits are traditionally carried out by firms that specialize in financial audits that primarily focus on controls, processes and procedures. This focus carries over into data center operations where there is similar importance. A financial auditor may not have much expertise in intrusion detection systems, but the concept of separation of duties applies equally well in physical audits.
Some judgment must be applied to interpreting these audited reports, and there should be healthy skepticism if the cloud service provider passed with no auditor findings. It’s important to consider how many controls were audited and to what level of detail. On a similar note, a cloud service provider that has a few auditor findings in their report may have been more thorough in its audits. A potential customer should be just as interested in what controls were tested in the audit as the overall findings of the audit.
Cloud risk assessment: Custom due diligence
The SAS 70/SSAE 16 reports will not contain everything necessary for a cloud risk assessment to determine data center security and resiliency. Consequently, an organization must develop its own custom due diligence questions for the potential cloud service provider or risk missing potential risks.
For example, San Antonio, Texas-based Rackspace Hosting Inc. provides a thorough SAS 70 Type II report that provides insight into how the cloud provider secures its internal operations. However, in 2009 Rackspace was forced to issue service credits totaling between $2.5 and $3.5 million because of an outage caused by a lack of redundancy in its electrical infrastructure. This wasn’t the first time the lack of electrical system redundancy had caused problems for Rackspace; it also suffered an outage in November 2007. The lack of electrical system redundancy was probably never reported on the SAS 70 Type II reports because it was never audited. Rackspace has worked to rectify this issue and now offers 100% uptime SLAs, including their power infrastructure; this is an example of what can be missed on a SAS 70/SSAE 16 report.
There is a defined set of standards for data center security and resiliency that can be used as a reference when developing custom cloud service provider due diligence processes. The Telecommunications Industry Association (TIA) 942 standard is a complex set of detailed specifications for rating data centers on their security and resiliency capabilities. The lowest rated data center is considered a Tier 1, while the highest rated data center is considered a Tier 4. The higher the rating, the better the built-in security and resiliency features. A Tier 1 data center may not have a UPS or generator and will have an annual downtime of 28.8 hours. A Tier 4 data center has every power, network, security and environmental control duplicated to limit downtime to just 0.4 hours annually.
It is these differing levels of redundancy that can explain a lot of the variability in cloud services pricing. It is important to consider the value and risk of the information that will be hosted in the cloud and match it to the appropriate data center tier. Not all applications are mission critical and require the level of redundancy -- and therefore the costs -- required by Tier 4.
Another important consideration in the due diligence process is the geographic location of the data center. This type of information may not be something that a cloud service provider wants to share. Some may offer full tours of their data centers, but that is usually a sign that security is not their primary focus. The geographic location is important because it will determine the regulatory and legal environment that will apply to company data hosted in the cloud. A cloud service provider should not be required to divulge exact street addresses of its data centers, but the geographic region can be generally identified for determining regulatory and legal requirements.
The cloud phenomenon has created an environment where IT assets can be deployed so rapidly that questions don’t get asked about something as important as the data center where the cloud lives. There are vast differences in the levels of data center capabilities offered from today’s cloud service providers. Companies must consider choosing cloud service providers similar to how they consider choosing banks or other financial services. They may not actually get to see the bank vault, but they must take steps to know their money is safe inside it. The same should be true with company data.
About the author:
Joseph Granneman, CISSP, has over 20 years in information technology and security with experience in both healthcare and financial services. He has been involved in the Health Information Security and Privacy Working Group for Illinois, the Certification Commission for Health Information Technology (CCHIT) Security Working Group, and is an active InfraGard member.