Acquia Achieves SSAE 16: Does It Really Matter
Acquia, which provides enterprise products and services for open source content management system (CMS) Drupal, has become one of the latest cloud vendors to complete SSAE 16 (SOC1) certification. The certification signals that a company has controls and procedures to secure and control content hosted on its platform. Are industry certifications like SSAE 16 enough to attract enterprises away from private cloud implementations?

Certified Safe and Secure

Cloud computing has had a dramatic impact. It has made sophisticated technology solutions more accessible to organizations of all sizes and enabled many businesses to speed their innovation process. However, security, lack of open standards to prevent platform/vendor lock-in and loosely defined service level agreements has led to a growing number of companies implementing their own private cloud infrastructure.

Cloud platform providers are attempting to soothe these concerns by participating in cloud standards initiatives like OpenStack and CloudStack and obtaining certifications. Vendors from Google (Google Apps and App Engine) to  Microsoft (Office 365) and now Acquia have subjected themselves to security certifications from third-party organizations. However, security still tops the list of concerns for IT leaders considering cloud adoption, although the level of concern has decreased over the last few years.

SSAE 16 assesses controls and procedures related to:

  • Customer Support
  • Data Backup
  • Database Security
  • Maintenance and Change Management
  • Network and Systems Availability and Monitoring
  • Network Security
  • Operating System Security

Proponents suggest it validates the effectiveness of operational controls. However, looking more closely, the certification allows the management of the company being reviewed to assert their controls are effective. If the controls are inadequate, but management attests (either intentionally or unintentionally) to their effectiveness -- the company can claim it has been SSAE 16 audited. Unless a buyer looked at the details from the audit report, they would never have a true understanding of the quality of the company’s processes and controls. Similar problems exist in other popular certification processes.

What’s Next

Ultimately, the actual standards for security, service levels and other operational aspects of cloud computing must be established. This is the only way the businesses that consume cloud services will have a clear perspective of what they are getting without undertaking months and months of effort per vendor for every RFP. Standards like SSAE 16 are a good start, but they are far from enough.