One of the problems that led to the financial crisis was that financial companies paid agencies like Moody’s and Standard & Poor’s to rate their products—a clear conflict of interest. Surprisingly, something similar happens in the world of cloud computing.
In a new report, Gartner’s Jay Heiser points out that cloud computing vendors pay the certifying agencies for SAS 70 certifications. Organizations rely on those certifications to ensure that their vendors are meeting best practices, but maybe they should be more diligent.
The report warns, “Do not accept the claimed existence of a certification or other third-party assessment as being adequate proof of security and continuity fitness for purpose. Thoroughly review the assessor’s written report to ensure that the scope of evaluation is adequate, and that all necessary processes and technologies were appropriately addressed.”