Is SOC Report Branding Just Alphabet Soup?
SAS 70 isn’t a thing anymore and hasn’t been for a while. SSAE 16 superseded the SAS 70 pronouncement in 2011. However, outside of a relatively small cohort of practitioners, how many people actually understand the SOC 1, SOC 2, SOC 3 branding? You guessed it… hardly anyone. And it has been 6 years. I know […]
Just Because Cloud Companies Pay For a SAS 70 Doesn’t Make It Any Less Legit, Does It?
Confession: I’m not 100% sure about the hype surrounding SaaS, cloud computing, living in the cloud and whatever else, but apparently it’s the next big thing (if it’s not already) and might make our lives just one notch short of Jetsons-flying-car awesome.
Ask guys like Geoff, he’ll tell you all about it. I buy it and I don’t even need to use it, have heard amazing things, and have even evangelized it once or twice.
But it’s your data so instead of jumping on the SaaS/Cloud bandwagon without asking what happens to it once you do, it might be wise to check out the SAS 70 certification and the strange relationship that legitimizes it.
Complying with the AICPA lends a certain bit of credibility to vendors who want to show how tight their control systems are so auditors can rely on them, right?
Perhaps not, says Jay Heiser of Gartner in “Analyzing the Risk Dimensions of Cloud and SaaS Computing,” who is concerned by a sense of déjà vu between the faulty systems that collapsed throughout the financial crisis and cloud computing. In an extremely risk-averse environment, a bit of caution is due before jumping headfirst into the unknown.
Or you can just trust the shiny marketing materials and forget that it’s your data.
Now back to cloud computing and SAS 70. Okay, let me get this straight: So the cloud companies pay accounting firms for SAS 70 certifications just as the financial organizations paid Moody’s for an investment-grade rating?
“Yes, if you see someone who claims to be SAS 70, they have paid an accounting firm. Not only have they paid an accounting firm to go do the test, but they’ve told the accounting firm what processes need to be tested,” Heiser says.
And that’s different from an audit client paying an auditor how?
As a financial-crisis corollary, Big 4 opinions are fetching less these days than they used to. Cloud computing marketers don’t really get what they are pushing, but cloud providers’ clients certainly should understand what this means for the shift to life in the cloud.
Better start updating those marketing materials.
How Cloud Computing Security Resembles the Financial Meltdown [Datamation]