I just came across yet another security pro recommending a private audit of a cloud services provider's facilities to get comfortable with its operations. Really?! It seems that the security and privacy professionals recommending this need to catch up on their reading, and perhaps on a little bit of math.
Fundamentally, cloud services are all founded on the principle of “scale.” Microsoft’s “Economics of the Cloud” whitepaper discusses the many ways that scale contributes to the supply-side and demand-side economics of cloud services provision. In my blog post “Special is Extra” I explored how special requirements have the potential to increase the costs associated with a cloud service. Enterprise-class cloud services providers therefore look to use standard approaches across their environments to provide scale at lower costs to customers. Standard approaches often include third-party audits to test compliance against recognized standards such as SAS70, ISO 27001, FISMA and HIPAA.
Now consider a cloud services provider with 10000 customers using geographically distributed, resilient facilities. A full compliance audit against any recognized audit standard is a lengthy endeavor, even when all the supporting processes and paperwork are in good order. Audits can often last several months. So even if customers engage auditors with cloud services experience, these private audits will not be single-day affairs and will require many days on site. If we were to be very optimistic and assume that each audit would require one week on site, with approximately 200 working days a year (no weekends, no holidays, rounded down for easy math), that would leave 40 potential audit slots. In any one audit slot there would be 250 (10000/40) individual customer representatives going through the cloud facilities. The number of individuals could be far higher, since each company would be represented by more than one person.
Let’s consider the impact of this from a security perspective. We quickly see that this practice, even if it were practical, would greatly reduce the assurance of the cloud services and increase the costs of the services (due to the added staff required to assist the 250 audit teams each week, to shepherd the teams through the facilities, to conduct clearances and reviews of all visitors, etc.).
As you consider your enterprise-class service provider, review the independent audit reports against your compliance requirements. Rest assured that the independent experts who conducted these audits did so on your behalf and on behalf of all the other customers using the service.