"Obviously, SAS 70 isn't the entire picture around security," said Drue Reeves, vice president and research director for cloud computing at the Utah-based Burton Group. "I see it more as about operations than about security."
SAS 70 auditing was a small step in the right direction, but it has no substantive value without full disclosure, said Reeves. SAS 70 procedures rely on a hand-picked set of goals and standards determined by the auditor and the auditee, which can vary widely. Further, completing an audit doesn't guarantee that a specific set of standards has been followed, which is the gist of the problem with announcements like these, he said.
"I'm glad [Amazon] did [the audit], but please, please, disclose the report," Reeves said.
Releasing the report is the only way for potential customers to complete accurate risk assessments on using AWS, a basic requirement for many enterprises and something competitors already do. Reeves said he's had no trouble getting in-depth, accurate information from other cloud providers and that Amazon will face increasing pressure to disclose operational information or risk losing ground to an expanding cloud computing marketplace.
"Transparency among providers is quickly becoming a market differentiator," he said. Reeves thinks it's Amazon's inexperience with the service business that has kept the iconic cloud service mute on details about hardware, software, personnel and policies that others readily share.
Reeves believes that Amazon is concerned that if it gives away the details, people will have more questions about security that could potentially drive customers away, when in fact it's just the opposite.
"Any time anyone's going to buy anything, they're going to want to know about it. It's a trust but verify model," Reeves said.
"Certain parts of the audit report may have touched on proprietary information," Dr. Wang said, "but a very large portion of that report should be able to be sanitized." What's more important is what a SAS 70 audit won't reveal, she added.
One of the major problems with a SAS 70 audit is that it doesn't cover major security weaknesses, said Wang. It's limited to policies and procedures inside the data center, which can leave out a lot.
Wang cited recent MIT research on weaknesses in EC2 which shows how attackers could invade a cloud and quickly locate and potentially attack targets.
"This type of vulnerability is not something SAS 70 addresses," Wang said. She also mentioned other serious weaknesses in SAS 70 audits, such as personnel who might unintentionally bring in malware on a laptop or how data gets from outside to inside a data center. SAS 70 audits can, however, give a rudimentary idea of how a data center approaches security, but only if the report is made public, added Wang.
Some enterprises actually have "completed a SAS 70 Type II audit" as a line item requirement for hosting providers, Wang said, and she thinks Amazon's announcement may be suited to satisfying that checklist item. But it is a baby step in terms of either transparency or security certifications.
"I would like them to complete an ISO 27001 audit," she said. An ISO 27001 audit is much more comprehensive and expensive than a SAS 70 audit, and it doesn't stop at the data center.
In its defense, Amazon said it obtained the certification because its customers were asking for it. "We'll continue our efforts to provide the types of certifications that are important to our customers," Amazon spokesperson Kay Kinton wrote in an email.
Kinton wrote that the audit, carried out by Ernst & Young, was an "assurance that we've successfully been through a rigorous independent audit" on security and infrastructure. She added that any more details would only be released to customers under non-disclosure agreements with Amazon.
Carl Brooks is the Technology Writer for SearchCloudComputing.com. Contact him at firstname.lastname@example.org.