Appendix E: Reporting on Controls at a Cloud Computing Service Organization
This appendix describes cloud computing service organizations and provides an overview of the risks and challenges associated with performing a service organization controls (SOC) 2 engagement for cloud service organizations.1
A cloud computing service organization (cloud service organization) provides user entities with on-demand access to a shared pool of configurable computing resources (for example, networks, servers, storage, and applications). Cloud computing is becoming an important IT strategy for user entities that need varying levels of IT resources and for whom purchasing and maintaining sophisticated and costly IT resources is not an effective strategy.
Definition of Cloud Computing
Although many definitions of the term cloud computing exist, the following definition from the National Institute of Standards and Technology (NIST)2 is widely used:
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.
On-demand self-service. A consumer can unilaterally provision computing capabilities, ...