Cloud Computing Basics
There are three key cloud service models: Software as a Service (SaaS), Platform as a Service (PaaS), and
Infrastructure as a Service (IaaS).

- SaaS providers offer their customers applications delivered over a network.
- PaaS providers offer their customers a platform on which to deploy their own applications into the cloud.
- IaaS providers offer their customers processing, storage, network capacity, and other
  fundamental computing resources.

Some more recently branded cloud services include Disaster Recovery as a Service (DRaaS), Backup as
a Service (BaaS), Incident Response as a Service (IRaaS), etc. Some key risks to a cloud computing
environment include but are not limited to the following:

- Compliance risks
- Loss of governance
- Data protection
- Security vulnerabilities

A-lign is here to assist in selecting the relevant audit to reduce key risks in the cloud service provider
environment.
Relevant Audits for Cloud Providers
It is important for cloud service providers to understand their obligations first when selecting an audit.
The key obligations a cloud service provider owes its customers are legal, regulatory and contractual. A-lign
provides audits for cloud providers that address each of these obligations, and in some cases several
at once. Carefully selected, the audits below can meet a cloud service provider's needs and attract
additional customers by demonstrating compliance with internationally accepted security standards and
controls.
FedRAMP:
A-lign is one of the few accredited FedRAMP Third Party Assessment Organizations (3PAOs) authorized
to conduct security assessments that evaluate cloud-based services against the Federal Risk and
Authorization Management Program (FedRAMP) requirements. A-lign assesses the required controls, drawn
from National Institute of Standards and Technology Special Publication 800-53 (NIST SP 800-53) and
published by FedRAMP as its security control baselines. A-lign will conclude in a Security Assessment
Report (SAR) whether or not it recommends the cloud system for authorization. It is then up to the
federal agency to formalize its decision to authorize the cloud system.
©2015 A-lign. All Rights Reserved.
ISO 27001 Certification:
A-lign is an ISO/IEC 27001 certification body accredited by the ANSI-ASQ National Accreditation
Board (ANAB) to perform Information Security Management System (ISMS) certification against
ISO/IEC 27001 for cloud providers. The certification assessment is broken into two stages
(Stage 1 and Stage 2). The purpose of the Stage 1 audit is to assess the Company's cloud
computing scope and its conformance to clauses 4-10 of the standard, listed below:

- 4: Context of the organization
- 5: Leadership
- 6: Planning
- 7: Support
- 8: Operation
- 9: Performance evaluation
- 10: Improvement
A-lign will plan Stage 2 once it has determined at the conclusion of Stage 1 that the
cloud computing service provider is prepared to undergo Stage 2. The purpose of the Stage 2 review
is for A-lign to meet the following objectives:

- Perform on-site testing based on the scope verified in Stage 1
- Evaluate the effectiveness of the control activities identified as in scope
- Confirm that the Company adheres to its own policies, objectives and procedures

A-lign will conclude in an audit report whether it recommends the cloud computing scope for
certification, either directly or after any nonconformities identified during the assessment are
corrected. An ISO 27001 certification against a cloud computing scope is an internationally recognized
demonstration that the provider manages the information security risks that affect the confidentiality,
integrity, and availability of its cloud computing services.
SOC Reporting (SSAE 16 and SOC 2)
A-lign is a licensed CPA firm that conducts audit reporting of cloud service providers.
SSAE 16 / SOC 1:
Statement on Standards for Attestation Engagements No. 16 (SSAE 16) is an attestation standard put
forth by the Auditing Standards Board (ASB) of the American Institute of Certified Public
Accountants (AICPA). A-lign will evaluate these main components of the attestation:

- A written assertion, provided by the cloud computing service provider, that its description fairly
  presents the cloud computing system
- Controls related to the control objectives stated in the Company's description of the cloud
  computing system are suitably designed
- Controls related to the control objectives stated in the Company's description of the cloud
  computing system operated effectively to achieve those control objectives. Note: this third
  component applies only to an SSAE 16 / SOC 1 Type 2 report; a Type 1 report covers the description
  and the design of controls as of a point in time only.
AT 101 / SOC 2:
AT Section 101 (AT 101) is an attestation standard put forth by the ASB of the AICPA. The SOC
2 examination reports on the assertions made by the cloud computing service provider about its
controls with regard to the AICPA Trust Services Principles and Criteria covering:

- Security (the Common Criteria)
- Availability
- Confidentiality
- Processing Integrity
- Privacy

A-lign will evaluate these three main components of the attestation:

- A written assertion, provided by the cloud computing service provider, that its description fairly
  presents the cloud computing system
- The description fairly presents the cloud computing service provider environment related to the
  AICPA Trust Services Principles and Criteria
- Controls related to the AICPA Trust Services Principles and Criteria operated effectively
At the conclusion of the SSAE 16 or SOC 2 engagement, A-lign will issue a report with a formal
opinion against the three main components stated above. Cloud service providers use the SSAE 16 /
SOC 1 report to satisfy customers that are publicly traded and must comply with Sarbanes-Oxley,
since SOC 1 addresses controls relevant to the customer's financial reporting. SOC 2 reporting is used
by cloud service providers whose customers may not be publicly traded and/or require a third-party
attestation over the cloud service provided. Type 2 SOC reporting is distinctive among these
deliverables in that it assesses the operating effectiveness of controls over a period of time (typically
at least six months).
FISMA Security Assessment:
A-lign can perform a security assessment to evaluate the cloud service provider against the Federal
Information Security Management Act (FISMA) by assessing the required controls outlined in
NIST SP 800-53. Cloud service providers use FISMA assessments in order to meet the requirements of
customers that are federal agencies or that provide services to the federal government, or to
demonstrate FISMA compliance to potential customers.
A-lign will evaluate the Company's security policies, procedures and processes for a cloud computing
information system against the NIST SP 800-53 control families listed below:

- Access Control (AC)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Security Assessment and Authorization (CA)
- Configuration Management (CM)
- Contingency Planning (CP)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Physical and Environmental Protection (PE)
- Planning (PL)
- Personnel Security (PS)
- Risk Assessment (RA)
- System and Services Acquisition (SA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
- Program Management (PM)
A-lign will conclude in a Security Assessment Report (SAR) for the cloud service provider that includes,
among other items, the following:

- Name of the cloud computing information system
- Security categorization (high, moderate, or low)
- Assessment finding summary (indicating satisfied or other than satisfied for each control)
- A-lign's assessor comments (weaknesses or deficiencies noted)
- A-lign's assessor recommendations (priorities, remediation, corrective actions, or
  improvements)
PCI DSS:
A-lign is a registered Qualified Security Assessor (QSA) company approved by the Payment Card
Industry Security Standards Council (PCI SSC) to perform Payment Card Industry Data Security
Standard (PCI DSS) assessments that validate a company's compliance with the requirements
of PCI DSS. Cloud service providers use PCI assessments in order to satisfy customers in the
payment card industry or to attract customers in that space. A-lign can conduct the
newly required PCI DSS Version 3.0 assessment for cloud computing service providers. The scope of
the examination includes the relevant controls defined in the twelve PCI DSS requirements listed below:

- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other
  security parameters
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
- Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
- Requirement 6: Develop and maintain secure systems and applications
- Requirement 7: Restrict access to cardholder data by business need to know
- Requirement 8: Identify and authenticate access to system components
- Requirement 9: Restrict physical access to cardholder data
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
- Requirement 12: Maintain a policy that addresses information security for all personnel

A-lign will deliver the Report on Compliance (ROC) and Attestation of Compliance (AOC) in
accordance with the templates and guidelines published by the PCI SSC. The ROC and AOC provide
evidence from detailed testing as well as a comprehensive view of conformance to the standard.
HIPAA / HITECH:
A-lign can conduct a security assessment to evaluate the Company's cloud computing services
against the Security and Privacy Rules of the Health Insurance Portability and Accountability
Act (HIPAA) and evaluate the Company's breach notification procedures as required by the Health
Information Technology for Economic and Clinical Health (HITECH) Act. Cloud service providers use
HIPAA / HITECH assessments in order to conform to customer requirements in the healthcare
industry or to demonstrate conformance to potential customers in healthcare. A-lign will evaluate
the Company's compliance with the HIPAA Security and Privacy Rules, including the safeguards set forth
below, and will evaluate the Company's incident response and breach notification procedures against
the HITECH requirements:

- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
- Organizational, Policies and Procedures and Documentation Requirements
- Privacy Safeguards
- Breach Notification

The scope of the assessment will include the Privacy Safeguards only if the cloud computing
company comes into direct contact with protected health information (PHI). A-lign will issue a
HIPAA / HITECH security assessment report for the cloud service provider which will contain the
following sections:

- Scope of the engagement
- Overview of the procedures performed, including the controls assessed
- Findings of any deficiencies and recommendations to remediate the deficiencies identified
Benefits
It is important to select the appropriate assessment in order to address the governance requirements
affecting cloud computing. Benefits of such assessments include meeting the legal, regulatory and
contractual obligations between the cloud service provider and its customer(s). A-lign works with
cloud computing service providers to assist with the specific audit selection and to determine the
control issues specific to cloud computing. We are here to help ensure the proper selection(s)!