Can Independent Certs Take FUD Out of Cloud Services?

By Frank Ohlhorst  |  Posted 2011-12-21

When it comes to picking a cloud services provider, many companies and IT departments are overcome by fear, uncertainty and doubt -- FUD. Could independent cloud certifications quell those concerns?

When it comes to blazing new trails in the realm of IT, the road is often paved with a mixture of danger, luck and, most importantly, uncertainty. Nowhere is this more true than with cloud services, an ever-evolving segment of technology that many enterprises are hoping will reduce costs and improve IT functionality.

There is no denying that cloud services are being looked at by almost every enterprise IT department.

Gartner predicts that by 2016, more than 50 percent of Global 1000 companies will have stored customer-sensitive data in the public cloud. However, that growth doesn't come without concerns - Gartner also predicts that 40 percent of enterprises will require independent security testing as a precondition before using any type of cloud service.

Simply put, independent testing, certification and auditing will become the true litmus test for cloud services providers looking to engage the enterprise. What's more, prospective customers will turn to the results of those audits, certification processes and tests to gauge a cloud service provider before signing on the dotted line.

The importance of auditing and certification cannot be stressed enough for cloud service providers, and some are getting on the certification bandwagon as soon as possible. For example, Cbeyond, a cloud services provider that offers small and medium enterprises a variety of hosted services, has become one of the first cloud services providers to meet the stringent requirements of the new SSAE 16 SOC 2 certification.

"Our customers trust our ability to protect their critical data at all times," said Stacy Griggs, senior director of customer experience for Cbeyond Cloud Services. "Becoming one of the first companies in our industry to receive SSAE 16 certification demonstrates our commitment to better serving our customers by investing in technology, and achieving full compliance through a secure, reliable and controlled data center."

Earlier this year, SSAE 16 SOC 2 reports replaced SAS 70 Type II audits as the benchmark compliance report for organizations impacted by privacy and security regulations such as the Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry (PCI) and the Sarbanes-Oxley Act (SOX). The new standards require that a cloud services vendor complete and submit a written assessment of the operating effectiveness and suitability of its controls.

Touted as a second-generation data center audit standard, SSAE 16 SOC 2 compliance reviews are used to evaluate the design and operational effectiveness of a data center's controls against a strict series of international standards.

Earning an SSAE 16 certification demonstrates that a company is fully compliant with all necessary security and privacy specifications, and demonstrates that customers are served and hosted in a highly secure, controlled facility.

However, the question remains: will the SSAE 16 certification moniker quell concerns about the safety of data warehoused in a cloud services platform?

Raj Mehta, CEO of Infosys International, an enterprise services IT consulting firm, feels that certifications are a step in the right direction.

"In an industry bound by so many compliance regulations, it is going to take certifications such as SSAE16 to prove that a cloud services company is accountable for customer data and that the proper security controls are in place," said Mehta. "It is wise for those seeking to use cloud services to verify the security and capabilities of those providers. SSAE16 and other certifications make this a much simpler process and shift the burden back to the provider and not the customer."

Frank J. Ohlhorst is the Executive Technology Editor for eWeek Channel Insider and brings with him over 20 years of experience in the Information Technology field.

He began his career as a network administrator and applications programmer in the private sector for two years before joining a computer consulting firm as a programmer analyst. In 1988 Frank founded a computer consulting company, which specialized in network design, implementation, and support, along with custom accounting applications developed in a variety of programming languages.

In 1991, Frank took a position with the United States Department of Energy as a Network Manager for multiple DOE Area Offices with locations at Brookhaven National Laboratory (BNL), Princeton Plasma Physics Laboratory (PPL), Argonne National Laboratory (ANL), FermiLAB and the Ames Area Office (AMESAO). Frank's duties included managing the site networks, associated staff and the inter-network links between the area offices. He also served as the Computer Security Officer (CSO) for multiple DOE sites.

Frank joined CMP Technology's Channel group in 1999 as a Technical Editor assigned to the CRN Test Center. Within a year, Frank became the Senior Technical Editor, and was responsible for designing product testing methodologies, assigning product reviews, roundups and bakeoffs to the CRN Test Center staff.

In 2003, Frank was named Technology Editor of CRN. In that capacity, he ensured that CRN maintained a clearer focus on technology and increased the integration of the Test Center's review content into both CRN's print and web properties. He also contributed to Netseminars, hosted sessions at CMP's Xchange Channel trade shows and helped to develop new methods of content delivery, such as CRN-TV.

In September of 2004, Frank became the Director of the CRN Test Center and was charged with increasing the Test Center's contributions to CMP's Channel Web online presence and CMP's latest monthly publication, Digital Connect, a magazine geared towards the home integrator. He also continued to contribute to CMP's Netseminar series, Xchange events, industry conferences and CRN-TV.

In January of 2007, CMP launched CRNtech, a monthly publication focused on technology for the channel, with a mailed audience of 70,000 qualified readers. Frank was instrumental in the development and design of CRNTech and was the editorial director of the publication as well as its primary contributor. He also maintained the edit calendar, and hosted quarterly CRNTech Live events.

In June 2007, Frank was named Senior Technology Analyst and became responsible for the technical focus and edit calendars of all the Channel Group's publications, including CRN, CRNTech, and VARBusiness, along with the Channel Group's specialized publications Solutions Inc., Government VAR, TechBuilder and various custom publications.

Frank joined Ziff Davis Enterprise in September of 2007 and focuses on creating editorial content geared towards the purveyors of Information Technology products and services. Frank writes comparative reviews, channel analysis pieces and participates in many of Ziff Davis Enterprise's tradeshows and webinars. He has received several awards for his writing and editing, including back-to-back best review of the year awards, and a president's award for CRN-TV. Frank speaks at many industry conferences, is a contributor to several IT books, holds several records for online hits and has several industry certifications, including Novell's CNE, Microsoft's MCP.

Frank can be reached at
