Microsoft Uses SOC 2 To Demonstrate CSA CCM Compliance

SOC 2 reporting is still in its infancy stages. However, since its introduction in 2011, BrightLine has been engaged to perform hundreds of SOC 2 projects. Chris Schellman of Brightline offers tips for cloud service providers considering this audit report.

Chris Schellman is the President and Founder of BrightLine, which is accredited as a CPA Firm, PCI QSA Company and ISO 27001 Registrar. He is a licensed CPA, CISSP, PCI QSA and ISO Lead Auditor, and has contributed to nearly 1,000 SOC examinations.

Christopher_Schellman_BrightLineCHRIS SCHELLMAN
BrightLine

SOC 2 reporting is still in its infancy stages. However, since its introduction in 2011, BrightLine has been engaged to perform hundreds of SOC 2 projects. That’s a lot. In fact, it’s very possible that BrightLine is not only a major pioneer in this arena, but is also the world’s leading provider.

That said, we have a deep interest in the developmental path of SOC 2 reporting. A major milestone in that development occurred recently when Microsoft claimed to be the first cloud provider to complete an SOC 2 examination for Windows Azure that integrated the Cloud Security Alliance’s (CSA) Cloud Control Matrix. (See Microsoft's blog post.)

Tips for Cloud Service Providers

It goes without saying that other cloud service providers (CSPs) are now considering following Microsoft’s lead. In anticipation of this, I would suggest that CSPs consider the following points before making any decisions:

1. Unless Microsoft takes the unlikely step of publicly posting its SOC 2 report, relatively few people will ever see the report. Professional guidance gave Microsoft considerable leeway in defining the scope of the examination, including the additional CCM criteria. So without actually reviewing the report, it is impossible to know how Microsoft defined CCM compliance for itself. It should not be assumed that such claims mean full compliance with CCM. It could be the case that Microsoft only included those CCM criteria they deemed applicable to their services. In other words, it’s simply unknown to anyone that is not privy to the actual report. CSPs should take note of not only this issue, but the fact that they would also be afforded the same leeway if they choose to undergo an SOC 2 examination that integrates the CCM.

2. Any cloud service provider that wants an SOC 2 examination should acquaint themselves with the AICPA Trust Services Principles and select the combination of the five principles they would like to be assessed against (i.e., Security, Availability, Processing Integrity, Confidentiality, and Privacy). It is not possible to obtain an SOC 2 examination that integrates CCM without including at least one of these five principles in the scope of the examination. The criteria for compliance with any given principle is straight-forward. Obviously, it would be a waste of both time and money to engage an auditor to attest to compliance with Trust Services criteria that the CSP could have self-assessed as non-compliant prior to specifying the scope.

3. The Trust Services Principles are highly redundant, somewhat convoluted, and have worn with age. For this reason, the AICPA has convened a committee to revamp the guidance. The exposure draft for the new version was released on July 30, 2013, with responses due by the end of September. Preliminary analysis of the exposure draft indicates significant improvements. As such, CSPs may consider delaying any new SOC 2 examinations until the next version of the Trust Services Principles is effective.

4. In situations where CSPs are solely concerned with third party attestation regarding CCM compliance, an AT 101 report should be considered. There is very little difference between the two reports and it would save considerable time and effort over performing an SOC 2 with CCM integrated into the assessment. In fact, all SOC reports are AT 101 reports, with each type of SOC report simply having a distinct purpose. When none of the branded SOC reports fit the bill, service organizations often prefer the more “generic” AT 101 examination.

Finally, while the Microsoft announcement may be a positive development for both CSPs and SOC 2 providers, it is also the world’s best demonstration of the inadequacy of SOC 2 for technology providers. In other words, SOC 2 was unable to meet the reporting needs of Microsoft’s customers and prospects without massive supplementation (i.e., the CCM). Suffice to say that there is a major “doughnut hole” in the SOC reporting structure that deserves serious consideration by the powers that be.

Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena. See our guidelines and submission process for information on participating. View previously published Industry Perspectives in our Knowledge Library.

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish