When I See a Can in the Road All I Want to do is Smash It

Right now, the "can" I really want to smash, is the notion that SSAE16 provides assurance about Security, Availability, Processing Integrity, Confidentiality, and Privacy. The AICPA has been clear that SSAE 16 is not designed to provide assurance about these things from the beginning, but somehow the message was not understood by the market last year. For anyone that missed the video by Barry Melancon, President of the AICPA, please take a couple minutes to watch.

I have my Tweet Deck configured to alert me when anyone tweets about SSAE16. Despite the AICPA's best efforts to educate the masses about the changes in the standards, here are few of the ways SSAE 16 has been portrayed over the past few weeks:

  • We proved our data is secure by getting SSAE 16 certification
    • Achieving this certification validates our operation at all levels
    • SSAE 16 confirms that our clients are receiving the most reliable solutions
    • The SSAE 16 report validates our success in following industry standards
    • SSAE 16 compliance provides an extra measure of confidence that our managed services provider meets and exceeds the highest industry and regulatory standards
    • Successfully completing the SSAE 16 audit symbolizes maturity, safety, and security
    • Provides tangible proof of our commitment to delivering unsurpassed value, performance and security

      All of these quotes can be found in the press releases on the internet. There's just one problem, none of the statements above are true. As Barry Melancon explains in the video I linked to above, there is no such thing as a SSAE16 certification, it is not an industry standard, and SSAE16 is not designed provide assurance about any of the things listed above.

      The news is not all bad though. There are some service organizations that understood the changes in the standards, and got it right the first time. Here are a few of their quotes:
      • By meeting the criteria set forth in the Trust Services Availability Principle, the SOC2, Type II Report confirms that Internap’s data center security and operational procedures have been reviewed and tested by an independent certified auditor and validates that controls and processes are suitably designed and operate effectively to protect and safeguard customers’ equipment and data.
      • The SOC 2 examination evaluated the design and operating effectiveness of the Cbeyond Louisville data center controls for compliance with the security and availability criteria set forth in the American Institute of Certified Public Accountants Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy. Cbeyond Cloud Services processes, procedures and controls have been formally evaluated and tested by an independent auditing firm. This examination demonstrates that Cbeyond Cloud Services is compliant with the relevant security and availability criteria and that its customers are served and hosted in a secure, controlled facility.
      We need to collectively smash the "can" of junk assurance, that is using SSAE16 for making assertions about security, availability, processing integrity, confidentiality, and privacy by understanding the following:
      1. SOC1 (aka SSAE16) does not include any industry standards. Each organization gets to decide which controls they want to be tested on, and the service auditor performs tests to validate that only those controls are effective. SSAE16 itself is a standard, but only one that governs service auditors.
      2. SOC2 is based on the Trust Services Principles and Criteria (TSPC) which address five domains; Security, Availability, Processing Integrity, Confidentiality, and Privacy. The TSPC provide an objective common denominator of comparing service organizations. Once these standards have been met by the service organization, they can honestly say they comply with them.

      I can't wait for that satisfying feeling I will get when I will hear the CRUNCH sound of service organizations asking their service auditors for SOC2 reports rather than SOC1 (aka SSAE16) reports when they need to provide their customers assurance about their Security, Availability, Processing Integrity, Confidentiality, and Privacy. Please also see my post on combining other criteria such as the Cloud Security Alliance's Control Matrix, the Payment Card Industry's Data Security Standards, and ISO 27001 with a SOC2 engagement to reduce compliance costs.

      1 comment:

      1. In case of data security, none of existing services can guarantee full protection because every system has its own breaches and hackers can sooner or later find them. I know only that virtual data rooms have stronger protection than simple cloud services.