The issue is that one company’s SAS 70 certification isn’t the same as another’s: “You define the controls as the service provider and the auditor comes in and makes a judgment whether these controls are sufficient or not” with testing, says Chris Day, chief security architect at Terremark, a major cloud services provider that holds a SAS 70 certification. “SAS 70 is very enterprise-specific: my SAS 70 is different from yours or IBM’s, for example. It’s difficult to know whether my SAS 70 is more comprehensive than yours, which would be troubling for something as complex as cloud security.” Day says that the PCI Security Standards Council’s data security standard (PCI DSS) is actually a better yardstick for gauging data security, because it dictates a series of controls, how they should be implemented, and what level of logging should be deployed.
The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.
The PCI Security Standards Council’s mission is to enhance payment account data security by driving education and awareness of the PCI Security Standards. The organization was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc.
Continues Day, “We have SAS 70, but it doesn’t necessarily tell the whole story. SAS 70 is a foundational certification.”
Reavis of the Cloud Security Alliance (CSA) says ISO 27001 is actually better for cloud services than SAS 70. “It’s more holistic and covers more ground,” he says. ISO 27001 specifies how an organization should manage its information security, including security controls, risk assessment, and other issues.
However, like SAS 70, the scope of an ISO 27001 certification is defined by each organization seeking it. “You can exclude from the certification some very important things,” Reavis says. Even so, he says, ISO 27001 makes the most sense for now: “We feel that until we can get a cloud security certification, ISO is a better interim step” because it is broader than SAS 70, he says.
Source: Implementing and Developing Cloud Computing Applications (2011)