a refreshingly frank article about cloud security...

...focusing on the audit aspect.


The basic thrust is that cloud computing security claims rely on SAS 70-type audits, which have an inherent conflict of interest of the kind that was at the heart of the recent financial meltdown. Jay Heiser, a Gartner analyst who specializes in security, [says] "I found more parallels between what happened in the financial services and cloud computing than I anticipated."

The second point, which is probably even more important in my personal opinion, is that SAS 70 is an auditing standard for financial statements, and never had anything to do with IT in the first place. And the people who conduct these audits are, more often than not, accountants. The kind of questions I asked Raghavan when we were discussing the TQMS cloud setup are probably not even asked in a SAS 70 audit ;-)
