Reproduction permitted for personal use only. For reprints and reprint permission, contact reprints@wistechnology.com.
During a recent seminar I was asked by a Controller to give feedback on a change they had just made, and to predict their external auditors' opinion. To save money, they had shut down their elaborate system for consolidating financials and returned to using spreadsheets hosted in Google Apps. The loosened structure in consolidation procedures obviously raised concerns. This article discusses how Cloud Computing, such as the change the Controller described, is rapidly expanding, and the serious implications this has for the design of certain internal controls.
I've broken my analysis into three parts, beginning with a definition of the term Cloud Computing and specifically Public Cloud Computing. Next, I will share the results of a survey I conducted of the contracts and agreements of several vendors that provide Cloud Computing. Last, I will provide suggestions for addressing controls in this dispersed environment.
Definition
The term Public Cloud Computing is being applied to all kinds of products and services, so the definition is deteriorating and is not very precise. An easy way to think of it is getting rid of the computers in your data center and instead renting a slice of someone else's computers at another location. This expanded form of outsourcing carries the same risks we've seen before, including a loss of control over, and of information regarding, the internal controls being applied to your organization's systems.
Analysis of Agreements
Several popular Public Cloud Computing companies were contacted via their web sites or e-mail, and their service agreements were scanned for topics relevant to security and controls. Remember to consult legal counsel to determine how these agreements could affect your specific organization.
Amazon Web Services Customer Agreement (version December 7, 2009): Amazon has a variety of hosting services available and they are addressed in one agreement. This agreement contains the following terms and conditions that may be relevant to your controls efforts.
• The agreement or any policy can be modified, effective immediately, simply by Amazon posting a new version of the agreement on its web site.
• Vulnerability scans or penetration tests are generally not allowed against your systems that are hosted by Amazon.
• Amazon may disclose your content at the request of a government or regulatory body; in other words, there are technicians who may be granted access to the information you've stored in their cloud.
• The commitment to security is summed up in section 7.2, which says "We strive to keep your content secure" but requires you to acknowledge that you bear sole responsibility for security. My review did not reveal any commitment from Amazon to any security standard, or to make available the results of any security audits, such as a SAS-70 Type II report.
Google Apps Premier Edition Agreement (as published on December 8, 2009): The Premier Edition of Google Apps is designed for paying customers and includes more features than the free version. This agreement contains the following terms and conditions that may be relevant to your control efforts.
• Google reserves the right to change the terms from time to time and, if in their opinion a change is material, they will notify customers of the change by e-mail.
• The agreement, in section 1.2, states that Google has implemented "at least industry standards" for security, although those standards are not spelled out in the agreement. A web page on infrastructure security states that "The controls, processes and policies that protect data have successfully completed a SAS 70 Type II audit," but the agreement does not give customers the right to actually view the results or the report.
• Interestingly, Google reserves the right to host your data anywhere in the world. This might be relevant for certain businesses.
• If required by law to disclose customer files and information, Google will notify the customer and give them a chance to object to the disclosure.
Microsoft Azure (agreements as available on web sites on December 8, 2009): Microsoft service offerings are guided by a Service Level Agreement and Terms of Use document. There are several of each of these depending on which services you are choosing to use.
• The Terms of Use state that you bear sole responsibility for adequate security of information hosted by Microsoft. Security in Microsoft's cloud computing products is enhanced by their Global Foundation Services (GFS). GFS is a set of extensive and respected security techniques used throughout their systems. However, there is a gap: neither the Terms of Use nor the Service Level Agreements commit that the GFS techniques are applied to the cloud computing environments.
• Microsoft reserves the right to modify the agreements at any time and will notify you if changed. Changes are expected in late 2009 and early 2010 as the services are transitioned from pre-release trials to full production.
• Microsoft may also host your data at any of their facilities, regardless of its location around the world.
FORCE.COM: This service is owned by Salesforce.com and its specialty is developing your own internet-hosted applications (so-called Software as a Service). I was able to speak with staff regarding my security questions. Although they were not able to answer them immediately, they did refer me to the Company's public relations firm. I was provided a lot of information on security practices and was also informed that SAS-70 Type II audits are conducted twice each year. The scope of these audits is said to include FORCE.COM. In addition to SAS-70 audits, the cloud computing environments are reported to be evaluated against TRUSTe, ISO27001 and SYSTRUST. This is a stark contrast to the other vendors evaluated herein, and the difference is very positive for companies concerned with the control environment at their vendor.
FORCE.COM will make reports available to customers and potential customers after they sign a non-disclosure agreement (NDA). My intention is to disclose the results of my survey here, keeping in mind that I'm not a potential customer, so it's not appropriate for me to sign the NDA and I am not able to report the results of their audits. However, the fact that these assessments are occurring and that the company is willing to provide the results to customers should move FORCE.COM to the short list of potential Public Cloud Computing vendors. See Trust.SalesForce.com for additional information.
Suggested Control Activities
My conclusion is that these popular Public Cloud Computing services are pre-packaged and cannot be customized for your specific needs. Given that you will have to either take it or leave it, I have developed some considerations for moving to Public Cloud Computing:
• Start with non-critical applications: If you've done your IT risk assessment correctly, then you already know which business applications are less critical. Consider moving these to the cloud first, since there is a reduced risk of material weaknesses in case of problems.
• Business Continuity and Disaster Recovery: Consider Public Cloud Computing as a capital-free way to build out a redundant infrastructure for systems with a short recovery time objective. One might worry less about security controls at the vendor if the cloud system is only meant to bridge a temporary gap while rebuilding the main production systems back at the data center.
• Encryption: Of all the various ways one might try to gain reasonable assurance on the security and accuracy of cloud-hosted systems, encryption may be the most effective. The idea is simple: if you can encrypt your data while it is resting in the cloud, and encrypt the connection used to read and write the information, then the need for a tight control environment at the vendor is reduced. Doing this gets complicated because you can't specify hardware-level encryption, either in hard drives or in network equipment. You will need to implement encryption through software, and there are several viable techniques to accomplish this.
• Backup: Plan how you will back up the data hosted at some unknown location in the cloud. If there is a lot of it, then you can't realistically back it up across the internet to your own data center. Engage the vendor and consider their integrated backup solutions.
• Planning of the system administrator function: Carefully plan how to control and monitor the use of system administrator functions in the cloud. Some vendors provide only one logon for the system administrator.
Summary
With the positive exception of FORCE.COM, none of the evaluated vendors provide extensive information about their security and other controls, nor do they provide much evidence that those controls are effective. So, this type of outsourcing is a challenge from a control standpoint. There is an organization to watch, the Cloud Security Alliance, which is attempting to address these issues.
In several ways, it is possible to reduce IT costs through the use of Public Cloud Computing. With our lean economy, I recommend an analysis to see what benefits your organization might realize by moving to the cloud. However, the control environment and the specific risks and controls must be considered at the outset. Go for it if it makes sense from a cost-benefit standpoint, but with care!
Jerry Norton, a partner in Candela Solutions, LLC, is a project management professional who is certified in information systems auditing. Norton, who leads Candela's IT practice, can be reached at jnorton@candelasolutions.com.
This article is reprinted with permission from the Governance Issues Newsletter, Volume 2009, Number 7, published on December 15, 2009.
The opinions expressed herein or statements made in the above column are solely those of the author, and do not necessarily reflect the views of Wisconsin Technology Network, LLC. WTN, LLC accepts no legal liability or responsibility for any claims made or opinions expressed herein.