
When the Cloud makes Rain

November 5, 2012

This morning I was preparing to make some final adjustments to a presentation I am to deliver on Wednesday at the Cloud Security Alliance Congress in Orlando. Prezi is a cool cloud app that allows a much more interesting presentation than the square slide, square slide, square slide sequence of PowerPoint. The issue this morning was that every attempt to get to the site ended in 502 Bad Gateway. I hate when that happens.

I checked Twitter and sure enough, Prezi was having major issues. Hundreds of tweets from customers desperate to get their presentations running. Many panicked tweets like “My presentation is due and your site is down?!?!” Hmmmm. This cloud stuff is really cool when it works. But if you have connectivity issues, or the host site is unavailable because of poor change management (my prediction for why Prezi is down today), what can you do? The cloud service providers have you over a barrel. They have your content. You cannot update or edit your own content when their site is down.

Having given many presentations where wifi or internet connections were unavailable, I knew that using Prezi was a risk. Prezi has a feature that will allow you to download your presentation for offline use. Apparently many of their customers had not thought ahead about the possibility of the service being offline.

When your entire business model revolves around 24/7 availability, it only takes one event like this morning's to ruin your world-wide online reputation. I hope Prezi comes through unscathed on this one. Perhaps they should consider a traditional software licensing model that does not rely on 99.99% uptime for their infrastructure.


SOCs Rocks? or not……

May 6, 2011

So, the AICPA has killed off a de facto brand, SAS 70, and created three new reporting standards, SOC 1, SOC 2, and SOC 3, to replace it. If that sounds a bit like a Dr. Seuss book, you are in good company. SOC stands for Service Organization Controls, which is what these new reporting standards are supposed to address.

SOC 1 is the “new” SAS 70. The official standard is SSAE 16, or “Statement on Standards for Attestation Engagements number 16” to be precise. When the AICPA announced the demise of SAS 70, they simultaneously introduced SSAE 16 as its replacement. So naturally, as a service organization that has had SAS 70 audits for years and is already “SAS 70 certified”, you will ask your auditor for an SSAE 16 report for 2011, right? Yes, you will. And that is precisely why the new SOC reports will not accomplish what the AICPA wants them to.

The biggest problem with SAS 70 was that it has been misused and abused since Sarbanes-Oxley (the other SOX) became law. It was never intended to be an audit of general IT controls for an unrestricted audience. It was created by auditors for other auditors who were performing financial statement audits. The guidance for SSAE 16 clearly states that a SOC 1 report is also intended for auditors performing financial statement audits. But the service organizations that have had SAS 70 reports are now asking their auditors for SSAE 16 reports because their customers are asking for an SSAE 16 report because it is the “new SAS 70”. Those customers don’t care that the report is intended for use in financial statement audits. They just want the report so that when their auditors ask for the SSAE 16 report (which they inevitably will) it will be available.

SOC 2 and SOC 3 reports could have been the next big thing for companies seeking some kind of assurance over the IT general controls of their cloud and colocation service providers. The reports are based on a standard set of control principles, which makes it easy to know that a given service organization has all the right kinds of controls in place. But because the AICPA did such a poor job of preparing everyone for the change and educating them on which report was best, everyone will just ask for SSAE 16 because it is the replacement for SAS 70. The people in the trenches who are asking for these reports don’t care whether it is appropriate or not. They just want to be able to give the report to the auditors when they ask for it.

And by the way, the auditors asking for the report really don’t care either. As long as they can check the box on their working papers that will soon say “SSAE 16”, it won’t matter whether the service being provided has a financial statement impact on their client or not. They are covered and that is all that matters.

Meanwhile we still don’t have a certification or a standardized audit to ensure that Cloud Provider A and Cloud Provider B have appropriate IT general controls in place.