Security: Don't Believe the (SAS 70) Hype
Confusion about the efficacy of SAS 70 seems to be more the rule than the exception. A new report suggests that a SAS 70 reality check is long overdue.
In the software-as a-service (SaaS) and application-hosting worlds, the Statement on Auditing Standards (SAS) 70 has acquired an undeniable mystique. Sometimes, SaaS or hosting vendors even trumpet SAS 70 "certification" as a security or regulatory clean bill of health.
Even if hosting vendors responsibly position SAS 70, their clients often harbor unrealistic expectations of their own. One upshot is that confusion about both the scope and the efficacy of SAS 70 seems to be more the rule than the exception.
That's the conclusion of a new report from market watcher Gartner Inc., which argues that a SAS 70 reality check is long overdue.
Becky Sharp, president and CEO of International Scholarship and Tuition Services (ISTS) Inc., a Nashville, TN-based provider of scholarship and tuition management services, agrees. Sharpe has a decidedly pragmatic take on SAS 70. "We had [received] requests from clients to ask us if our data center was SAS 70-compliant, so I specifically looked for vendors who offered that," explains Sharpe, who has an information technology sales background. (She had previously logged time as a star salesperson with an IBM reseller based in the Southeast.)
Perhaps because of her experience in IT sales, Sharpe is predisposed to view SAS 70 as a mixed bag: understood within a specific context, it can be an important and even a valuable certification, she concedes. At the same time, she notes, it's far from a panacea.
The danger, Sharpe points out, is that companies tend to harbor unrealistic expectations about its efficacy. "The IT departments at firms don't seem to be confused about it [i.e., the efficacy of SAS 70]," she observes. Instead, she suggests, client IT departments tend to view SAS 70 as more of a checklist item. "If you can tell them [i.e., corporate executives] that your data's in a SAS 70-compliant data center, it's going to check a lot of items off their list," Sharpe concludes.
That's what Gartner itself concluded, noting that both hosting vendors and customers tend to treat SAS 70 as an inoculation, so to speak, which protects against a variety of regulatory ills. "SAS 70 is basically an expensive auditing process to support compliance with financial reporting rules [such as] the Sarbanes-Oxley Act (SOX)," said French Caldwell, research vice president at Gartner, in a prepared release.
"Chief information security officers … compliance and risk managers, vendor managers, procurement professionals, and others involved in the purchase or sale of IT services and software need to recognize that SAS 70 is not a security, continuity or privacy compliance standard."
For one thing, Gartner stresses, SAS 70 isn't a form of certification. It instead describes how an auditor "should report on process-related risks relevant to financial statements and transaction processing." Instead of being "certified" SAS 70-compliant, hosting providers are designated with either of two forms of (auditor-determined) "attestations." A Type I attestation indicates that a provider has documented processes which address explicit control objectives; a Type II attestation indicates that an auditor has performed an on-site evaluation to verify (in addition to a Type I attestation) that documented controls work as advertised.
"Many providers of traditional application hosting, SaaS and cloud computing are currently treating SAS 70 as if it were a form of certification, which it is not," said Jay Heiser, research vice president at Gartner, in a prepared release. "Furthermore, some claim that SAS 70 addresses security, privacy and continuity, which is misleading. Instead, it is only a generic guideline for the preparation, procedure and format of an auditing report. SAS 70 always places the onus on the service recipient, or more precisely, on the recipient's auditor, to ensure that all controls relevant to the recipient's requirements are examined."
Square Peg, Round Hole
According to Gartner, SAS 70 was simply not designed to address the topology (to say nothing of the vicissitudes) of the SaaS or application hosting delivery models. "Given that SAS 70 cannot be considered as proof that an offered IT service is secure, it should be a matter of suspicion when a vendor insists that it is," Heiser argued.
"Vendor claims to be 'SAS 70 certified' indicate either ignorance or deception, neither of which is a good basis for trust. The only thing that can conclusively be said about having a SAS 70 Type II attestation is that an auditing firm has agreed that the service provider is effectively performing those controls that they paid the auditing firm to evaluate."
All the same, Gartner concludes, some SAS 70 attestations are preferable to others. "a SAS 70 Type II evaluation," the market watcher concedes, "does provide a very high degree of assurance that the examined controls are effective. The performance of controls is evaluated over a period of time; it is not just a snapshot of control effectiveness." That being said, Gartner cautions, "Customers should never assume that the provider has implemented all the appropriate controls, and they must review the controls documentation at a minimum and, ideally, review the complete evaluation report."