Yes, Public Cloud MSPs Can Be Certified and Audited

We get this question a lot: “I am a managed service provider and I resell or leverage public cloud services…can I be certified?” At the heart of this question is the issue of whether managed service providers who deal with public cloud are somehow less legitimate than other service providers. I’d like to address this issue.

The easy answer to this question is yes; MSPs who leverage public cloud can be certified and audited. When going through any of the UCS levels of audit (including a full SSAE 16 audit), MSPs must disclose the types of technologies they use, including any third-party service providers. This means that if you use Amazon Web Services (AWS) to store customer backup data, that will be mentioned in the report. Now, the UCS or SSAE 16 audit may disclose your use of a third-party solution like AWS, but it does not mean that our auditors would be able to provide your customers (the readers of the report) with visibility or guidance into how that data is being stored.

For example, such a report might state that the MSP uses backup technology to store data within the AWS cloud. The report would not go into detail on how Amazon accesses that data, whether it is secure, or whether it is always accessible (as some customers might demand). The report would only state that the data resides in the Amazon cloud. Everything leading up to the data resting within Amazon would, however, be disclosed and tested within the audit process.

This process is useful for telling customers how and where their data is being stored and managed. For the MSP, it is helpful to simplify this often complex process for the customer so they can understand exactly what the MSP is responsible for and what would fall outside the managed services relationship.

You may be wondering whether a customer would care if their data is in the public cloud. Honestly, the answer depends on the customer and the service they are buying. MSPs who primarily leverage public cloud, while capable of being UCS & SSAE 16 audited/certified, may find it difficult to sell their services to certain types of customers. Banks, credit unions, hospitals, health care providers, insurance companies, public companies, and any regulated company might raise an objection to their data being exposed to public cloud.

On the other hand, MSPs who have the capability to deliver private cloud services would also be capable of being certified & audited, but would in addition be able to give those more regulated customers data management assurances that would satisfy their regulatory guidelines. It is for this reason that I have been such a vocal advocate for MSPs to deliver both private and public cloud solutions, so as to maximize the breadth of their services and the types of customers with whom they can do business.

For those of you wondering whether a public cloud provider can be audited and certified: technically, yes they can. The problem is most do not provide great levels of assurance or clarity as to how they safeguard customer data. Think of public cloud as a cloud; it’s difficult to see through and easy to get lost. Generally speaking, audits end where public clouds begin. This is why so many MSPs are seeing success in the private cloud world.
