Executives are jumping on the outsourcing bandwagon as cloud service providers promise unlimited scalability, reduced expenditures for hardware and IT staff, and the ability to offload software and routine maintenance at a moment’s notice.
In fact, Gartner analysts predict that 35 percent of enterprise IT expenditures will be managed outside the IT department’s budget by 2015.
But overzealous executives eager to jump to the cloud may encounter security issues down the road, as the security practices of the cloud service provider are often unclear — up to and including where the data is stored. A survey by Symantec shows that only 27 percent of companies have set procedures to approve cloud applications that use sensitive or confidential information.
“It’s easy to deploy data and applications to the cloud, but most executives don’t have a handle on the true risks associated with those decisions. So they fail to build the proper assurances into the procurement process,” says Brian Thomas, IT advisory services partner for Weaver.
Smart Business spoke with Thomas about the risks of outsourced computing services and why companies should seek an auditor’s assurance during the procurement process.
What are the specific risks associated with the cloud and outsourced computing?
Possible issues include data integrity, confidentiality, privacy and security, system availability and reliability, and data retention and ownership. But the threat level and mitigation strategies vary depending upon the importance and sensitivity of the data being processed by the cloud service provider.
It may not matter if you can’t access your sales prospects for a few hours if your hosted CRM application goes down, but business would come to a halt if your hosted e-mail or e-commerce system crashes. Therefore, the provider’s server redundancy and service-level contract guarantees may be the most critical risks to address, where in other cases, the primary concerns may be security and privacy issues. Certainly, regulated companies need to pay particular attention to how the cloud service provider addresses their regulatory risks.
How can executives identify outsourcing risks?
When considering cloud computing project ideas, executives should ask a lot of questions. First, they must understand the nature of the cloud services being procured and the sensitive aspects of the systems being hosted or managed by the provider. After getting an understanding of the types of data and systems that will be exposed to the cloud, executives should ask ‘what if’ questions of their project teams. Such questions should be focused on general risk areas including data integrity, confidentiality, privacy and security, and system availability and reliability.
Executives should also get an understanding of their company’s exposure to risks related to data ownership and retention. Examples of questions to ask include, ‘What will happen if we lose connectivity to our cloud service provider for an extended period of time?’ And, ‘What happens if our cloud service provider is acquired by another company?’
How can executives use an outside audit to ensure the performance of service providers?
A third-party assessment by a qualified professional is the only way to know whether a cloud service provider has designed and implemented effective measures to identify and mitigate relevant risks, as self reporting is inadequate and providers may simply tell you what you want to hear.
You can save money by having your auditor review a cloud service provider’s service organization controls (SOC) report. There are three reports available under the AICPA’s standards for service providers. SOC 1 is based on the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and is best suited for companies that previously used SAS 70 for Sarbanes-Oxley or financial audit compliance. SOC 2 addresses the design and operating effectiveness of a service organization’s controls over the security, availability, processing integrity, confidentiality and privacy of a system. This may be more valuable for executives evaluating the controls a cloud service provider has in place to address risks beyond those relating to financial reporting.
SOC 3 involves the same scope as SOC 2; however, the report contains less detail and is intended for broader (marketing) audiences.
When are SOC 2 and SOC 3 appropriate?
Executives should request that their cloud service providers submit a SOC 2 report where applicable. The scope is generally best suited to address the concerns of users of cloud services. SOC 2 reports provide details of the procedures executed by the auditor to test the controls in place at the cloud service provider, and the results of those procedures.
If a cloud service provider only has a SOC 3 report available, that may be sufficient for getting comfortable while evaluating the service provider during the procurement process. However, executives responsible for the cloud services should request that the service provider submit a SOC 2 going forward to ensure that they can monitor the provider’s efforts to address any failed control activities.
Are there other certifications that can help mitigate risk when transitioning to the cloud?
If the provider cannot provide a SOC 2 report, see if they are certified as ISO 27001 compliant or if they have obtained assurance reports from a security firm addressing the ISO 27001 standard. If the provider processes, stores or transmits credit card information, it is required to meet the Payment Card Industry’s Data Security Standard (PCI DSS). Be careful when using these other forms of assurance. Their scope is generally narrower than SOC reports and may follow less rigorous quality assurance standards. However, in the proper context, they can be useful for executives attempting to get information about the activities performed at the cloud service provider.