Subcontracting certain IT functions has been common over the last few decades (e.g., development, housing (colocation), hosting and outsourcing), but the arrival of cloud computing has taken it to a new level. Although some argue that cloud computing is only an evolution of outsourcing, it is, in fact, a new paradigm that is changing the approach to IT: instead of something that organizations build and run themselves, IT is becoming a service they consume (much as happened with energy in the industrial revolution).
Security professionals have long been aware that subcontracting does not eliminate the IT risk that organizations face; in fact, with subcontracting, organizations lose direct control over the security measures implemented by service providers. Thus, security professionals have applied a recipe based on audits and certifications to build trust relationships with these service providers. However, this approach must change in order to fit the new paradigm. Despite audits and certifications, customers still report that more transparency is needed:
Among the limiting factors [of cloud computing adoption], security and data ownership (both related to the ability to protect information assets) and factors related to legal issues, contracts and regulatory compliance topped the list. The fifth factor, information assurance, is significant because it is related to the transparency of cloud offerings and management's ability to gain comfort that information is protected to the required degree.1
That is to say, although security professionals have been applying best practices and asking for security audits and certifications, these mechanisms have not been able to convey the level of trust required by customers of cloud computing services.
DO AUDITS AND CERTIFICATION REALLY FAIL IN PROVIDING TRANSPARENCY?
Security audits and certifications are the foundations of trust-building between customers and providers, but they have some characteristics that make further mechanisms necessary:
• Typical audit reports cannot be freely distributed; they are only for the parties involved (typically, the customer and the provider), so the provider would have to be audited by every (potential) customer.
• Service Organization Control (SOC) reports can be made public, but then another issue appears: the criteria used by the auditor may or may not be relevant to a given customer, because they have been fixed by a third party. If the criteria are not relevant for the customer, the first point applies again.
• Finally, regarding certifications, there is no certification for the security of a service as such. What providers certify is their information security management system against the ISO/IEC 27001 standard. This certification has two issues:
1. It does not say anything about the security measures implemented by the provider; it indicates only that the provider operates an information security management system.
2. It obliges the customer to check the scope of the certification, because that scope may or may not cover the service to which it wants to subscribe.
Of course, a provider that implements a certified information security management system (ISMS) follows best practices and adopts security measures through a risk management process, but the customer cannot derive the robustness of the security measures the provider has in place from the certification alone. The certification provides only one simple piece of information: that the provider implements an ISMS following ISO/IEC 27001.
Antonio Ramos, CISA, CISM, CRISC, CCSK, is the founder of Leet Security, the first security rating agency in the European Union, and president of the ISACA Madrid Chapter. With more than 14 years of experience, Ramos has specialized in security governance, strategic planning in critical infrastructure protection, cybersecurity and cloud computing. He can be reached at antonio.ramos@leetsecurity.com.
Security Labeling of IT Services Using a Rating Methodology