SAS70 II and the Cloud

Spam has become a bit of a sore subject at work. We’ve been using what was Sybari Antigen (now a Microsoft product) on our Exchange server for years. However, it’s just not managing all our spam issues at an acceptable rate any more. It certainly blocks a lot, but about 15-20 messages are still getting through to my Outlook client every day, of which only about 80% are being caught by Outlook junk mail filtering.

And since I’m a BlackBerry user, it means that those 15-20 messages are delivered to my mobile device regardless of what my Outlook client does with them at my desktop. So I’ve started a search for another solution.

Our first decision was “appliance” vs “SaaS”. From a network admin perspective, there is a lot to like about moving anti-spam services into the cloud. I liked the idea of offloading spam traffic to an outside network, thus only having my network support legitimate mail delivery. I liked not having yet another box to plug in and wire into my LAN racks. I liked being able to pay monthly/annually for exactly the services we were using. And I liked the possibility of being able to add on some email archiving and discovery services at a later time.

So I compared a few services, kicked my results up to management and was ready to sign up. But there was one roadblock – SAS70 II certification. As a company that does fall under HIPAA, SAS70 certification was something I was asking about while I was researching vendors, but now it was time to prove that certification to our auditors.

SAS70 II certification involves a variety of areas: Physical Security, Environmental Protection, Computer Operations, Information Security, Data Communications, Customer Access Controls and DR/Business Continuity Assurances. Many of the vendors we were considering were using data centers of major telecommunications companies/ISPs, and while those companies were certified for themselves, that certification doesn’t necessarily mean that the anti-spam vendor (a client of theirs) was also fully certified – especially in the areas outside of physical security and environmental protection. SAS70 certification is not transitive, so to speak.

Ultimately, our auditor recommended that we NOT use services based in the cloud for our email, because there was a chance (either by later using them for archiving or by them quarantining a legitimate message, etc.) that they could be storing our company data. This was a risk my company was not willing to take.

This isn’t to say that there aren’t SaaS vendors who are SAS70 certified. But my company is a little spooked by the whole “cloud computing” idea right now. So it’s back to the drawing board for me, this time looking at appliances.