When it comes to picking a cloud services provider, many companies and IT departments are overcome by fear, uncertainty and doubt -- FUD. Could independent cloud certifications quell those concerns?
When it comes to blazing new trails in the realm of
IT, the road is often paved with a mixture of danger, luck and, most
importantly, uncertainty. Nowhere is this more true than with cloud services,
an ever-evolving segment of technology that many enterprises hope will
provide them with reduced costs and improved IT functionality.
There is no denying that cloud services are being
looked at by almost every enterprise IT department.
Gartner predicts that by 2016, more than 50 percent
of Global 1000 companies will have stored customer-sensitive data in the public
cloud. However, that growth doesn't come without concerns: Gartner also
predicts that 40 percent of enterprises will require independent security
testing as a precondition before using any type of cloud service.
Simply put, independent testing, certification and
auditing will become the true litmus test for cloud services providers looking
to engage the enterprise. What's more, prospective customers will turn to the
results of those audits, certification processes and tests to gauge a cloud
service provider before signing on the dotted line.
The importance of auditing and certification
cannot be stressed enough for cloud services providers, and some are getting on the
certification bandwagon as soon as possible. For example, Cbeyond, a cloud
services provider that offers small and medium enterprises a variety of hosted
services, has become one of the first cloud services providers to meet the
stringent requirements of the new SSAE 16 SOC 2 certification.
"Our customers trust our ability to protect
their critical data at all times," said Stacy Griggs, senior director of
customer experience for Cbeyond Cloud Services. "Becoming one of the first
companies in our industry to receive SSAE 16 certification demonstrates our
commitment to better serving our customers by investing in technology, and
achieving full compliance through a secure, reliable and controlled data
Earlier this year, SSAE 16 SOC 2 reports replaced
SAS 70 Type II audits as the benchmark compliance report for organizations
impacted by privacy and security regulations such as the Health Insurance
Portability and Accountability Act (HIPAA), Payment Card Industry (PCI) and
Sarbanes-Oxley Act (SOX). The new standards require that a cloud services vendor complete
and submit a written assessment of the operating effectiveness and suitability
of its controls.
Touted as a second-generation data center audit
standard, SSAE 16 SOC 2 compliance reviews are used to evaluate the design and
operational effectiveness of a data center's controls against a strict series
of international standards.
Earning an SSAE 16 certification demonstrates that a
company is fully compliant with all necessary security and privacy
specifications, and demonstrates that customers are served and hosted in a
highly secure, controlled facility.
However, the question remains: will the SSAE 16
certification moniker quell concerns about the safety of data warehoused in a
cloud services platform?
Raj Mehta, CEO of Infosys International, an
enterprise services IT consulting firm, feels that certifications are a step in
the right direction.
"In an industry bound by so many compliance
regulations, it is going to take certifications such as SSAE16 to prove that a
cloud services company is accountable for customer data and that the proper
security controls are in place," said Mehta. "It is wise for those seeking to
use cloud services to verify the security and capabilities of those providers.
SSAE16 and other certifications make this a much simpler process and shift the
burden back to the provider and not the customer."