The biggest difference between SAS70 and SOC 2/3
One of the biggest differences between an old SAS70 report and a new SOC 2/3 report is that management of the service organization cannot decide which controls they will test. Service organizations can select which criteria to evaluate (security, availability, confidentiality, processing integrity or privacy), but they must meet the criteria established within the standard for each one. Gone are the days of the SAS70 report that leaves you wanting to know more.
So what should I look for in a potential provider’s SOC 2 report?
It is not enough to select a service provider with a SOC 2 report — you must actually read the auditor’s opinion and make sure it is unqualified. A qualified opinion could mean that the provider failed to provide adequate, operational controls in a particular area. One quick gut check for an unqualified report is to see if the company displays the SOC 3 seal. If they do not, this could be a red flag that their SOC 2 report is qualified, since the AICPA does not grant use of the SOC 3 seal unless your SOC 2 report opinion is clean.
Choosing a cloud provider that has obtained a SOC 2 report will reduce the risk any user organization faces, as the report will provide an in-depth view into the provider’s controls to meet compliance and any gaps that could elevate your risk. The SOC 2 report also outlines controls the user organization should put in place, and can provide clarity around what services it provides to its customers versus what precautions customers must take on their own. By closely examining such controls, you can immediately identify which providers have the highest compliance standards already in place as compared to those with mechanisms in the works.
Finally, make sure the report covers the criteria you find relevant to your organization. While a SOC 2 report can be a great asset to finding a suitable provider, it is not a one-stop solution to ensure complete compliance. Different industries require different levels of security, confidentiality and privacy, and the SOC 2 report may not emphasize the principles most relevant to specific regulations. Likewise, the SOC 2 is not all-inclusive enough to serve as a single source for compliance across all standards, or replace the need for additional certifications.
Additional questions to ask
What additional compliance questions should I ask a potential cloud provider? Entering the evaluation and assessment process with extensive knowledge of your regulatory requirements, system description and services you plan to outsource to the cloud will further help you ask targeted questions to candidate providers regardless of your industry.
To verify a certain provider is compliant and will protect your customers’ data to the fullest, be sure it can answer the following questions confidently and clearly:
What time period does your SOC 2 report cover? – As regulatory dynamics are consistently changing, simply having a SOC 2 report on hand does not necessarily mean it is in line with the latest policies. Verify the dates the provider’s most recent SOC 2 reports were completed, and look for any significant lapses between completions.
What physical and logical security procedures are in place to protect and maintain your IT infrastructure? – Any provider you consider should be able to immediately identify the security and availability controls it has in place to host data and govern access to it. Be sure to ask for specifics about the controls in place at both physical and virtual storage centers, as well as the people and procedures responsible for enforcing those policies.
How are physical resources shared and, if necessary, destroyed? – If a provider shares physical resources with outside organizations, ask it to define the specific controls in place to prevent unauthorized data access by a partnering company. Compliant providers should have segregation mechanisms in place to prevent cross-organization access, and should be able to readily distinguish legitimate users from questionable ones. Additionally, should you need to remove or destroy some of your data down the road, inquire how the provider ensures the information is fully eliminated and not accessible to outside users.
While outsourcing data and operations to the cloud can bring a wealth of benefits, businesses also must be aware of the regulatory requirements involved in transitioning to the cloud. Understanding what requirements must be taken into consideration, and the questions to ask potential providers, can make sifting through the regulatory abbreviations less complex and intimidating.
Ultimately, the goal of compliance in the cloud is ensuring your data is as secure, confidential and private as possible. By doing your due diligence, your company can find the right cloud provider that will protect your customers’ data and prevent additional headaches down the road.
Caroline Lowden is the director of Internal Audit for Cbeyond, a leading cloud and network services provider to more than 62,000 small businesses throughout the U.S. She can be reached at [email protected].