Lately I’ve been on a lot of calls and email-threads with customers and salespeople concerning compliance with various standards and regulations. I have also been working very closely with our auditors over at Brightline to attain a couple of attestations and a certification for Sumo Logic. I have come to realize that there is a lot of confusion out there regarding all of this. Further adding to the general confusion is the relative newness of cloud-based service organizations like Sumo Logic that leverage IaaS providers. I’d like to clear that all up (in a sort of final way that I can link to when it comes up the next time. 😉 )
First off, let’s clear the air regarding some terminology. As I mention above, there is some confusion in the marketplace around these terms, so I am going to describe them in my own words and try to cut through the CPA-speak.
Standards: A standard is a way of doing things, or a methodology to define a way of doing things. Standards may state things like minimum password-lengths and encryption algorithms. SAS70 was a standard (it is now obsolete!), PCI is a standard. Standards are not laws.
Controls: Controls are very simply the little rules that make up a standard. I’m sure there is a much fancier definition, but this one will really do 🙂
Regulations: Regulations are laws. HIPAA and SOX are regulations that have direct legal consequences. Some regulations may require that you follow a certain standard, but standards are not laws.
Compliant/Compliance: Very simply you are compliant with a standard or a regulation when you are following it. Compliance is usually demonstrated through an audit or series of audits.
Certification: A third party offers a declaration that you meet a standard for which a formal certificate exists. PCI requires a certification. The Payment Card Industry allows certain auditors and service providers to certify that a service is compliant to their standard. PCI are the only standards I am going to talk about here that have a certification. You cannot be certified as complying with a regulation. There is no HIPAA or SOX certificate, any more than there is a certificate stating that someone is “speed limit compliant”.
Attestation: An attestation is a report from your auditor which your management signs promising that a standard is being and will be adhered to. The report will include any exceptions to the standard the auditor observed. These exceptions do not render the report invalid, as there is no certificate. If you have an exception, you didn’t fail- you still get a report that simply states the exception. It is then up to whomever is purchasing the audited service to decide if that exception is within their regulatory/policy/audit tolerances. SAES-16 reports (which replaced SAS70) are attestations. Using the speed limit example, an attestation would be a letter from you promising you always drive under the speed limit along with a note from your accountant stating that when she drove with you every day last week, you did, in fact, drive below the speed limit at all times, and that when she checked in on your speedometer logs six months later, none of them read above 65MPH.
An Unbroken Chain of Paperwork
Let’s say you’re a potential customer of Sumo Logic (or another cloud-based service) and your use case falls under an area where you have compliance concerns (we’ll say SOC-2 by way of example.)
In order to satisfy your auditor that you will remain SOC-2 compliant while using our service, you will need to show them our SOC-2 attestation. They will then roll that paperwork up into your report.
When Sumo Logic undergoes its SOC-2 audit (at the time of this writing we just completed our SOC-2 type 1 audit and are awaiting the report any day now!) our auditor looks at our service and determines which parts of the SOC-2 standard we are responsible for, and which bits our IaaS provider (AWS in our case) is responsible for. They then get AWS’ SOC-2 report and roll that into our report in the appropriate places. In turn, AWS’ report may very well contain reports from the companies they utilize, in an unbroken chain of paperwork.
In part two I’ll discuss various certifications and regulations that are pertinent to doing business in the cloud 🙂