WEBVTT

00:00:01.540 --> 00:00:07.750
Finally, let's discover what could be used for a cloud audit and assurance.

00:00:08.540 --> 00:00:15.060
What we'll do is first separate the definitions of an attestation from a

00:00:15.060 --> 00:00:19.420
certification in the cloud, and we'll see how both of these have been

00:00:19.420 --> 00:00:23.450
adapted and adopted into cloud platforms.

00:00:23.840 --> 00:00:24.580
Finally,

00:00:24.740 --> 00:00:28.820
we'll look at the published audit results of a cloud

00:00:28.820 --> 00:00:32.439
service provider and see how that could be very useful for

00:00:32.439 --> 00:00:35.940
selection criteria. In the past,

00:00:35.950 --> 00:00:39.570
when you needed to have trust of a provider, this was

00:00:39.570 --> 00:00:42.900
very much a self‑directed platform.

00:00:42.910 --> 00:00:45.560
I recall working at a sizable organization and needing

00:00:45.560 --> 00:00:50.270
colocation resources from Rackspace and Amazon Web Services when

00:00:50.270 --> 00:00:53.360
they were web services and not the cloud.

00:00:53.940 --> 00:00:56.460
When I needed to get management sign‑off on moving our

00:00:56.460 --> 00:00:58.530
platforms over to AWS and Rackspace,

00:00:58.540 --> 00:01:01.670
I was invited to come into the facility and provide my limited powers of

00:01:01.670 --> 00:01:06.390
scrutiny of their facilities and my opinion of it to see if it met basic

00:01:06.390 --> 00:01:09.150
fitness to warrant our trust for operations.

00:01:09.340 --> 00:01:10.200
Today,

00:01:10.210 --> 00:01:14.210
I would most likely not receive such an invitation from a CSP to walk

00:01:14.220 --> 00:01:17.650
onto their facilities to get a sense of confidence,

00:01:17.740 --> 00:01:24.050
but instead, I would actually end up trusting others who were perceiving

00:01:24.050 --> 00:01:27.600
what that environment was like in the form of an audit.

00:01:27.630 --> 00:01:34.370
So now we have the capability of using organizations as representatives to

00:01:34.380 --> 00:01:39.310
go into the cloud service provider and to gain assurance of the controls

00:01:39.320 --> 00:01:43.250
based upon established auditing practices.

00:01:43.260 --> 00:01:50.790
Those organizations, like Ernst & Young, Deloitte, KPMG, and PwC, have

00:01:50.800 --> 00:01:53.570
somewhat of a strange symbiotic relationship between the service

00:01:53.570 --> 00:01:55.580
organization and the auditing firm.

00:01:55.590 --> 00:01:56.440
In many cases,

00:01:56.440 --> 00:02:01.610
the audit firm keeps office space at the provider facility. Based upon certain

00:02:01.610 --> 00:02:05.490
rules of engagement and best practices, the auditing firm must maintain at

00:02:05.490 --> 00:02:08.360
least two paths of bifurcation that shall not meet.

00:02:08.500 --> 00:02:11.450
It is a separation between consultative advisory

00:02:11.450 --> 00:02:13.800
offerings and the audit function.

00:02:13.810 --> 00:02:16.940
The design is to ensure that the customer can maintain trust that

00:02:16.940 --> 00:02:20.150
the auditors provide authentic feedback on the environment

00:02:20.150 --> 00:02:22.180
where the customer has their assets.

00:02:22.940 --> 00:02:27.480
There are two primary assurance and trust practices,

00:02:27.490 --> 00:02:30.860
the first one, an attestation by the American

00:02:30.860 --> 00:02:32.770
Institute of Certified Public Accountants,

00:02:32.770 --> 00:02:36.440
otherwise known as AICPA, which maintains the standards that establish

00:02:36.450 --> 00:02:39.460
requirements for performing and reporting on examination, review, and

00:02:39.460 --> 00:02:43.830
agreed-upon procedure engagements that enable practitioners to report

00:02:43.840 --> 00:02:48.230
on subject matter ordinarily other than financial statements, the

00:02:48.230 --> 00:02:51.260
effectiveness of those capabilities.

00:02:51.280 --> 00:02:55.980
A certification put on by the International Organization for Standards,

00:02:55.990 --> 00:02:57.660
maintains required processes,

00:02:57.660 --> 00:03:00.340
standards, and guidelines that organizations can

00:03:00.340 --> 00:03:03.060
use in efforts to certify others.

00:03:03.070 --> 00:03:06.580
So certifications can be a useful tool to add credibility by

00:03:06.580 --> 00:03:08.990
demonstrating that your product or service meets the

00:03:08.990 --> 00:03:15.050
expectations of the customer. First, let's more closely examine attestations.
