The Audit Dilemma in the Cloud
We see a lot of discussion about cloud services, data privacy and the Patriot Act. Apart from the general trust discussion, one of the major points is whether data privacy laws require customer audits or not. In fact, audits are an issue for both the service provider and the customer.
The Service Provider Point of View
Cloud services are designed for scalability and masses of customers. Some even mix consumer and enterprise services, but let’s assume we are looking at a pure enterprise service. Customer-initiated audits are an issue for any large-scale cloud provider. Let’s play with some numbers. Say you have about 1500 customers on your service (not that many if you look at Google Apps or Microsoft Office 365) and your contracts run for 36 months. If we now assume that each customer is legally bound to carry out one customer-initiated audit within the contract term, you would have more audits to fulfill than there are days in 36 months. Your data center would look a lot more like Disneyland, with groups being led through it, than a professional operation. And since an audit is more than just a friendly visit, it creates costs: it eats up headcount and requires extensive preparation and post-processing.
If your business is bespoke outsourcing, the deal size as well as the cost model would allow you to factor these audits and the effort into your cost model. With a large-scale model, and even more so with an on-demand business model that allows very short contract durations, it is simply not doable from an economic standpoint. If you are an enterprise that wants to move hundreds of thousands of users into the cloud, you will encounter more flexibility towards individual contracts on the supplier side. But the majority of customers do not fall into this category.
Another reason why providers are not in favor of customer-initiated audits is the exposure of their architecture, processes and operational models. If you compare the ways multi-tenancy is set up for Google Apps and Office 365, you will discover huge differences. The details of this setup are guarded as trade secrets by both providers. Doing hundreds of audits raises the risk of exposing these trade secrets to the competition. If you have trade secrets yourself, imagine how you would feel if they were exposed.
So what to do? As a provider you still need to fulfill legal obligations and enable your customers to legally purchase the service. You want to build trust with customers and authorities alike. The only way to solve this is an external audit of your services on a regular basis, with full access to the audit reports for all your customers. Make sure the auditing company is well known, trusted and operates in all the markets you address with your cloud service.
Why Audits are a Nuisance for Customers
A business wants to make money in the first place, and its focus is clearly on its own business needs. So auditing a service provider is generally not a top priority on a customer’s to-do list. There are good reasons for this.
First of all, there is a need to understand what an audit is. An audit, especially one driven by a local data privacy regulation, is in place to check and document the service on several levels. It starts with physical measures like perimeter security, moves through environmental controls and facilities like air conditioning and disaster recovery measures, on to processes for operations and data privacy, and finally even into HR processes like background checks. Not to forget the whole IT architecture, setup, procedures and so on. Even the well-staffed IT departments of large enterprises struggle to take on this extra workload, quite apart from the knowledge gaps they would have to close.
As a result, the customer would have to involve a third party and pay them to audit on their behalf. This creates extra cost that probably was not factored into the business case for cloud computing in the first place. The question then is: if you involve a third party anyhow, why not agree with the service provider on that third party in advance? In other words, why not accept that there are no individual audits and rely on the third party hired by the service provider?
It might be that you do not trust the service provider to hire a neutral auditor and not to influence the audit. If you do not trust the provider at all, maybe you should not worry about audits and look elsewhere for a service instead. In general the auditing companies are well known, as is the scope of these audits. Your obligation as a customer is to ensure that you get the full audit reports and a clear view of any shortcomings and the actions being taken to correct them. You need to understand the value of audits and to what degree they fit your local requirements. Let me give you an example. Many providers claim to be SAS 70 certified but fail to mention whether that is a Type I or Type II report. There is a huge difference between the two: a Type I report only attests that controls are suitably designed at a single point in time, whereas a Type II report also tests whether those controls operated effectively over a review period. Only by investing time into understanding this can you as a customer fulfill your obligations.
Special Case: Audits by Authorities
Apart from some regulations that more or less prevent the use of public cloud services (e.g. in Germany §202 StGB, which restricts health and life insurers amongst others, or §80 of the Sozialgesetzbuch with regard to the PII of Hartz IV recipients), there are rules and regulations specific to certain verticals. Let me pick another German example: banking. Banking is governed by a specific banking law (Kreditwesengesetz, KWG) and there is a regulatory authority (BaFin). §25a of this law establishes a general right to audit for BaFin. You cannot escape this. Not complying would result in losing your bank license. So if you are a bank and want to use public cloud services, you had better ensure that your contract enables audits by authorities. Also discuss and document who covers the costs that arise on the provider side. You do not want to be presented with a bill in a situation where there is no room for you to negotiate.
Experience shows that providers are willing to create exceptions for audits by authorities in their contracts, and I believe that is a wise choice given how unlikely these audits are.
Why are audits a general discussion theme then?
It seems the whole audit issue can be solved by third-party audits. Nonetheless, audits, or rather the lack of a right to customer-initiated audits, seem to be the key blocker for cloud computing, especially in Europe.
The right to audit is a convenient excuse for fearful IT departments. Also, these discussions often take place without the involvement of the legal department or external legal advisors. But generally speaking, it is the fault of providers and authorities alike that they fail to clearly communicate the rules and the approach. This leaves room for speculation and confusion where there should be none.
It may sound easy, but it still is a huge effort, so neither underestimate the data privacy / audit discussion nor use it as an excuse.