Cloud Security Standards

They seem to be random character strings: ISO 27001/IEC 2005, SAS 70 Type II, SSAE-16, PCI DSS, EU DPD 9546 EC… But there is a value behind each one of them, if you understand the story.

If we discount the smaller niche cloud players who provide very specialised services – let’s concentrate on the high-volume players – there’s a reason you can buy 1 hour of compute for 5 cents. Volume. By having absolutely massive data-centres distributed throughout the world - Microsoft’s Chicago data-centre is more than 700,000 square feet. Let’s just put that in to perspective with a little diagram. Here is the average soccer pitch: 115 yards by 74 yards…


Total area = 76,590 square feet. So there are just under nine and a quarter of these in the Chicago Datacentre. Which is surprising – I thought the only professional team in that city was Chicago Fire…


Just look at the Chicago Fire soccer pitch picture above to get an idea of scale – that’s just one pitch, not nine and a quarter. Imagine being at the position of this little group of fans, looking across nine and a quarter pitches:


…now imagine that filled with racks of servers, shipping containers full of servers, cooling, specialised power supplies. Operating on this kind of scale, the huge cloud operators even spec their own hardware from the suppliers. These are specialised computers designed to work in cloud datacentres.

This scale brings very cheap prices. Computing at these volumes is a commodity. Imagine one of these operators had a million customers all buying their compute and storage commodity and then imagine they all wanted to perform security audits on all the datacentres they were using. Microsoft has 6 major data centres around the world, even more if you include CDN distribution points. The other large cloud operators are in vaguely similar positions. That would probably equate to multiples of millions of datacentre audit requests. Hopefully you can see that the large cloud operators would be spending all their time, money and resources with millions of audits and as a result, doing a bad job of providing compute and storage as a commodity (at commodity prices). The whole commercial model of cloud computing as a commodity would simply evaporate and there’d be no such thing as cloud computing.

So – to try and get round this essentially commercial problem, cloud operators have embraced a number of security standards. They’re saying “no, we don’t operate the kind of business where you can come in and audit our datacentres. If you need that there are some niche players, hosters and outsourcers out there who can probably help (and $$$ charge) you. However you can take advantage of audits that have been done according to a set of information security principles and criteria”. The details of these are embedded in to some of those awful numbers I quoted in the first sentence of this blog post.

So that’s why large cloud operators have embraced this group of standards, certifications, accreditations etc. I often quietly chuckle when I hear security consultants advise “negotiate the terms of the contract”, “insist on auditing the security of the cloud operator. If they say ‘no’, walk away” because it shows no appreciation of the real world. If you are about to buy a car, a house, a large piece of expensive furniture – it’s natural to negotiate. If you walk in to a convenience store and pick up a can of coke then try to negotiate the price you’ll get some very strange looks. You’ll walk out of the store either cokeless or having paid the stated price. That’s what it’s like with commodities. If you go to the supplier they’ll have a volume discount price-sheet. One coke costs one price, 1000 is a bit cheaper per can, one million gives a pretty good discount. Just like buying compute resources from large cloud operators. If you say you want to audit the production processes of the factory where the drinks are manufactured they say “no – it’s a canning factory, we don’t have an operation that is geared up for individual audits. We adhere to x and y food/drink standards and we are audited on that. You can see our certificate. If that’s not good enough, sorry, but you’ll have to buy your drinks somewhere else”.

So the standards give you something you can look at and determine if that fits your own ideas of what you’d audit, whether they are reasonable and applicable, whether they fit with compliance and legislation standards you have to fit yourself. And if they don’t? It reminds me of a joke by the late-great Tommy Cooper. “Doctor, it hurts when I do this” holding his arm out. “Well, don’t do it then” the doctor replies. If a cloud operator doesn’t meet certain security criteria you require, don’t use them for that data/application. You might decide to host it in your own datacentre or go to a niche outsourcer who will likely be more expensive but meet your stated criteria.

Let’s start with ISO 27001/IEC 2005. Anybody can look at Microsoft’s certificate on the BSI website.


Click the above image to see the BSI certifications.

…but what does it mean? The International Standards Organisation have created a set of control frameworks that deal with information security. The idea is that an organisation that enjoys the certification can show that the controls they have in place for information security are adequate. As long as the consumer (the customer) of the certified service agrees that each control framework provides adequate safety over their own information, it means they don’t have to perform their own audit against that organisation. You can probably start to see why this is important if you are about to use a large cloud provider’s data centre to host some of your data because you can’t audit the datacentre directly yourself.

Some of the control frameworks aren’t applicable to some organisations  The company creates a statement of applicability in which they say which frameworks apply in order to prove adequate security of information – so for example huge companies like Microsoft have their HR procedures audited under a whole collection of separate standards. Therefore HR processes might not appear in the statement of applicability. Of course if the cloud provider you are going to is a 10-person company, it’s fairly unlikely they’ll have internationally recognised HR procedure certifications, so for your own peace-of-mind, you might want to see a statement of applicability which for them includes HR processes such as the vetting of staff.

The company then engages an auditor – Microsoft uses the British Standards Institute (BSI), a widely recognised auditor of International Standards – to audit the processes against the control frameworks defined in the statement of applicability. What the auditor essentially says is “we agree there are policies and procedures in place which, when adhered to, mean these control frameworks apply”. The key point is that you can’t just simply compare one cloud operator’s security certifications to another’s unless you understand their individual statement of applicability. Although I suspect it’s unlikely the BSI (or indeed any other ISO auditor) would grant a certificate if the statement of applicability said no control frameworks applied!. The statement of applicability really means both the service provider and their customer to have to boil the ocean with certain aspects that just aren’t applicable.

One thing that seems to always be associated with ISO27001 is SAS70 Type II. This asks the question “are there controls in place and are they being operated”. So although the ISO certification determines which procedures are actually applicable, the SAS70 Type II accreditation determines that the procedures are adequate and that they are actually being performed. Hopefully you can see why both would normally appear together.

Over time we will see a gradual move away from SAS70 Type II to SSAE-16 for an attestation that procedures are adequate and are actually being performed. SSAE-16 defines 2 types of interest to cloud operators; SOC1 and SOC2. SOC1 is where the cloud operator says “these are my control frameworks, policies, procedures – these are what you should audit me against”. SOC2 essentially means the auditor says “These are the things we think are important for information security and that’s what we are going to audit you against”.

Let’s move on to other standards like PCI DSS, the Payment Card Industry Data Security Standard. It’d be easy to think, on seeing that Microsoft’s Online services are PCI DSS compliant to think the Windows Azure Platform itself allows you to build your own payments platform and that it would therefore inherit PCI DSS benefits from the platform. Be carful here – that’s not the case. PCI DSS when applied to Microsoft’s online services means the payment platform that Microsoft uses for taking payments against say you Office 365 or Windows Azure subscription meets the standards of security and privacy they require. I’d humbly suggest that most organisations would be better off to use an existing payment provider who already carries PCI DSS blessings in their service rather than try to build one that conforms.

There is something that gets often trotted out in security conversations around the cloud – EU DPD 9546 EC, known as the EU Data Privacy Directive. This essentially says “when I take your information, how am I going to protect you and put the necessary protections around it. Moving that data inside the EU is not a problem because in Europe we’re all part of the same club and we all agree on those standards”. When data is taken out of Europe is where it gets tricky because for example the US is not in the EU. The directive allows data to be sent wherever you want, as long as there are adequate protections around it. One of the key agreements here is “Safe Harbour”. So for example any US organisation that enjoys Safe Harbour certification can receive EU data as if it still resides in the EU, because the EU are satisfied that they have put adequate controls in place to protect that data. But there aren't adequate protection for EU data in every country in the world.  The trouble is that as the world wide distribution of cloud services grows, it’s possible that data could be held (or could transit through – such is the nature of data-transfer on the Internet) in such countries. EU model clauses can be used to apply in these cases. Obviously not necessary with organisations from say the US or Canada where they can enjoy Safe Harbour, but a country which doesn’t enjoy Safe Harbour can use an EU Model Clause which again says “there are adequate controls in place to protect this data”.

I hope this post has helped to explain why it is that major cloud operators can’t really have millions of data-centre audits going on and how it is that security accreditations and certifications can help you in lieu of conducting your own audits on a data centre. As we go forward it’s clear that inexpensive cloud services are going to rely more and more on security audits performed by trusted industry and government bodies. It also means cloud-providers’ customers are going to demand more and more detail in these standards.


This article  is cross-posted to the UK MSDN Blog