Part IV – The trouble with data center audits

So far, I’ve explored compliance issues pertaining to the world of cloud computing. Last time, I shared the trouble with SAS 70 audits. Now, in the final installment of this series, I’m going to look at data center audits.

If you’ve been paying close attention, you probably realize that there is actually a much deeper problem that needs to be addressed. Let’s go back to Joe’s sub shop for one last visit.

After a brief meeting with your accountant, you’ve finally had a chance to read Joe’s menu. You return to the shop feeling well prepared to enjoy the great dining experience all your friends keep telling you about.

“I’d like a roast beef sandwich, hold the onions and horseradish, please.”

The employee at the counter enters your order and hands you a ticket. You wait for them to call your number. As you’re waiting, it suddenly hits you… they’re not making the sandwich in front of me anymore. They’ve moved everything into the back kitchen! It’s taking a while for your order to come out of the kitchen, so you decide to express your displeasure with this change.

“Hey, you used to make the subs right out here where I could watch. I liked that! I could see everything that happened, which made me confident that my sandwich was being prepared the way I like it and that the ingredients were being handled in a sanitary fashion.”

The employee hardly acknowledges that you’re speaking. So, you press a little harder.

“So, now that the food is being prepared [pointing with an exaggerated motion] BACK THERE, how do I know the employees are taking appropriate safety precautions like washing their hands, wearing gloves and using hairnets?”

The employee responds quickly and confidently. Clearly, Joe has trained them on how to answer this question.

“Oh, that’s no problem! We have an audit report from the owner of the strip mall, Strip Malls of America, Inc.!”

Instantly, you start to feel that same strange sense of confusion you felt when you first asked to see the menu at this place. Hesitantly, you ask,

“So the audit report for Strip Malls of America says that YOUR employees wear gloves and hairnets when handling food?”

For the first time, the employee seems a little annoyed with your never-ending series of questions.

“Well,… no, not exactly. Our employees don’t actually work for Strip Malls of America, they work for Joe. But, it does say that every tenant in a Strip Malls of America owned property must mop the floor, wash the windows and sweep the sidewalk in front of the store. That’s pretty much the same thing!”

The problem should now be obvious. Having clean sidewalks, floors and windows is a good thing, but these environmental factors have a fairly remote relationship to your sandwich. The people and processes that are directly involved with handling your food are much more relevant. Yet, they are not addressed by the audit report provided by Joe’s Subs.

The same problem exists for customers when their cloud vendor relies exclusively on an audit report from their third-party data center provider. The data center provider isn’t provisioning and managing your data or applications… your cloud vendor is!

Demand what you need
So, the next time someone attempts to prove that their cloud hosting service is secure, available and private by citing some OTHER company’s audit report, my advice is to take your business elsewhere. If that’s not practical, then insist that the vendor extend the right for you to perform an independent audit of their operations. By doing so, you’ll protect your company’s interests and help to make the cloud computing marketplace more mature and responsive.

1 Response

  1. One of the biggest challenges in and out of organizations today is to convince people (managers, leaders) that it is their responsibility to know what is going on. Pointing to a third party assessment is NOT doing the job! It’s also pretty cold comfort when reality strikes.

    Anecdotal exp: having contracted with a data shredder to destroy printouts, etc., I was provided with regular statistical updates and a variety of boilerplate assurances including testimonials from certifying bodies, audit agencies and satisfied customers. Being a responsible sort, I sent one of my staff over with instruction to be friendly and observe in a general learning kind of way (as opposed to a visit from the client kind of way).

    The upshot was that he returned with actual confidential records from multiple organizations including lawyers, banks and government.

    Strongly support your advice – know for yourself and use systems to inform, not mask, reality.
