Some cloud vendors, however, ask for outside auditors and consultants to assess their security in accordance with industry standards. The ISO 27001 and ISO 27002 information security standards are among those SaaS vendors follow, with "an increasing number of cloud vendors" using a third-party for annual assessments, Hill says.
Hill says such standards are useful as a starting point. Indeed, third-party certification provides a level of assurance and may cut down on the amount of security assessment and validation a customer has to do on its own.
That's the thinking behind FedRAMP. The government program offers a standard security assessment process for cloud solutions, including SaaS. Cloud vendors that successfully complete a FedRAMP review are granted a provisional security authorization, which agencies government-wide may leverage. The idea is to eliminate redundant security checks. The General Services Administration, which administers FedRAMP, contends the program will save about $200,000 per authorization.
A third-party assessment organization performs the FedRAMP check, which takes into account 298 security controls. Keese, whose Cary, N.C.-based company obtained a FedRAMP authorization in December, believes cloud vendors can expect the assessment to take 12 to 16 months. They may bemoan such a difficult process, he says, "but it is difficult for a reason. Your computer security practices can't be wishful thinking."