Are auditing standards a help in keeping cloud deployment safe?

Maxwell Cooter Advice 21 Apr, 2011
Lieberman; SAS70 not to be trusted

Who audits the audit, asks Phil Lieberman of Lieberman Software. How can you ensure that your cloud provider keeps its data secure?

The SAS70 auditing standard for third-party providers is a massive fraud, says Phil Lieberman of the eponymous Lieberman Software. SAS70 is widely used in the US as an indicator of the reliability of service providers and is beginning to be used in the UK – although it is early days over here and the standard doesn’t have the same degree of recognition.

But the standard is so entrenched in US business life as a benchmark of a provider’s worth that it is, to say the least, provocative to describe it as a fraud.

It must be said that Lieberman has a vested interest here. His company provides software that authenticates trusted users and beefs up security in the cloud, but his basic thesis is a valid one. How far should we take cloud providers' promises on security on trust? Webroot's Gerhard Eschelbeck made a similar point recently, and the efforts by the Cloud Industry Forum to provide accreditation for cloud providers show there's a need for this to be recognised.

But the CIF efforts suffer from one of the flaws identified by Lieberman – it's self-certifying (like SAS70). “Who,” says Lieberman, echoing Juvenal, “audits the auditors?” He continues: “The other problem is that because it's self-certified an auditor can write what he wants – there's nothing verified by a third party.”

Lieberman points out another issue with the SAS70 process – the lack of openness. “Nobody gets to see the report. If I do see it, I can't disclose any information as I've signed an NDA.

"We have a need for transparency but we can't have transparency as SAS70 will contain information about flaws. The imperative should be fixing those flaws, not covering them up. Or the protest is that the report will disclose the location of data centres – what I say is that these could be redacted.”

As an example of what he's talking about, Lieberman describes speaking at a conference on cloud security and asking the attendees whether they'd read the SAS70 report of their cloud provider. “Only two people stuck their hands up – and one of those was on the SAS70 committee.”

Above all, Lieberman thinks that the problems with SAS70, and indeed cloud certification in general, are a symptom of a wider problem and that has to do with the way that cloud computing is perceived within organisations. “That's really the problem with the cloud: customers look to move to the cloud to cut costs and cloud providers look to provide the cheapest possible option.”

In this case, looking to provide the cheapest possible option means that cloud providers will not offer additional security. Of course, it's worth reminding ourselves that Lieberman has an interest here, as he's looking to sell that very software to cloud providers. “We have some large customers among cloud providers, including some of the very biggest but we don't have them all. The ones who don't opt for it say they are not being asked for it by their customers.”

While it's perfectly possible that these cloud companies have opted for other security software, Lieberman does make a valid point that cloud customers are too happy to take security on trust. This sits strangely with the results of survey after survey, all of which reveal that security is the number one issue for companies looking to move to the cloud and the number one obstacle preventing such a move.

The economic climate has driven enterprises to look to the cloud for financial reasons but, says Lieberman, this is not necessarily in their best interests. “Think of cloud as a loss leader, like supermarkets provide – they're building adoption by offering cheap rates. But how long are they going to last and what happens then?”

He thinks that it will take a major crisis with a cloud provider, one involving a massive loss of data, for things to change. And at the moment, there are no penalties for such failure. “If you're a UK cloud provider and you lose your customer's data what's going to happen? Is the government going to shut you down?”

The argument in such cases is that cloud providers have an interest in keeping customers' data secure as their financial well-being depends on satisfied customers. Lieberman is not sure that such arguments hold much water. “If you pay $500 a year and you lose $100,000 worth of data, what's going to happen? Are you going to get that money back? Not a chance, maybe though the provider will give you your $500 as a gesture of good will.”

Lieberman says there should be public information as to how secure a company is. If there are flaws, they should be indicated. “Security should be public information so that you can see how secure a company is. Companies looking to move to the cloud have the right to make a decision on accurate information.”

Ultimately, says Lieberman, cloud providers won't change until prompted by customers to change.