There are many SaaS and Security SaaS cloud services out there, but they all lack one thing: full visibility. Why do these cloud services limit the ability to perform compliance auditing, forensics, and basic auditing against an organizations data retention, protection, and other necessary policies? Why not just grant the “right to audit”, or better yet, build a way for each tenant to perform their own audit down to the hardware? Why limit this by leaving it out of contracts as well as the technology? It is all feasible.I recently participated in a cloud services discussion that hovered around everything but the legal aspects of using the service. When I asked about the ‘right to audit’, I was told they would have to get back to me. I am still waiting to hear back. I expect to not hear back, as most cloud services do not want to grant this level of transparency. Instead, they rather control every aspect of the service in order to deliver the highest level of availability, integrity, and confidentiality. However, where is the proof that such is actually the case.
Without proof, when an organization is audited, say for PCI Compliance, they will fail whenever the cloud services are considered in scope. If it is not in scope, they may not fail. Wait they will fail, but the cloud service stated they were PCI compliant? Once more, where is the proof? This ends up being more of a discussion about trust, even so we need provable trust.
In another conversation, an IaaS based cloud was in the midst of another type of Audit, but the legalities of the contract actually refused the organization the ability to impose their own audit. Why would this be the case? It is not a common practice, it is actually the reverse, the ‘right to audit’ is common within most contracts between partners. Without the ‘right to audit’ and the technology to allow an organization to perform such an audit, the cloud will be severely limited. Granted there are works in progress such as CloudAudit and CSA STAR but these are just reporting frameworks. We really need the full ability to audit from the highest levels to the lowest levels. We need to be able to review anything that is in scope for the audit.
This is an age old problem that first popped up with counting houses, how can one prove the counting house did not make a mistake with an individuals money. They allowed the ‘right to audit’. Now we are in the 21st century and we are still hamstrung by the lack of technology to allow individual tenants to audit their instance of the cloud. Transparency becomes even more important when there is security software involved.
When offering cloud services, offer the ‘right-to-audit’, but also team up with your vendors to provide a technological method to audit down all layers without requiring undo personnel overhead to handle audit requests. If you are looking to be a tenant, require the ‘right-to-audit’ in order to be part of the cloud. Ultimately, auditing requires the tenant to know who did what when where how and when.
As The Virtualization Practice is looking to go to the cloud, we will require the ‘right-to-audit’ as a matter of course. However, what this means today will be spelled out in a contract which provides the legal team something to discuss based on our existing written policies. Why? Because cloud services may not provide or have the capability, built in today, to allow tenants to audit without the providers assistance.
One can hope unassisted audit-ability will be provided in the future.