Cloud Security: Could we learn from the hotel business?

Whether you look at figures from the World Economic Forum or from IDC, security is among the top concerns cited for not embracing the public cloud. Actually I disagree with that statement: the issue is not security as such but the lack of transparency about the security measures implemented. Fundamentally, three elements play a role in this perception:

  • What security processes, procedures and tools has the public cloud provider implemented, and how do they compare with the customer’s own? In other words, if the customer chooses to use public cloud services, does he remain compliant with the regulations that apply to him, and does he have true end-to-end security between his own operations and the cloud service?
  • Who is participating in the delivery of the service? The higher you go in the IaaS, PaaS and SaaS pyramid, the more likely it is that the service is provided by a group of companies, each doing part of the job. I call that the “Cloud Supply Chain.” It was really interesting to see which services stopped operating when Amazon had its partial outage.
  • What service is the customer really subscribing to? Yes, there are terms and conditions that need to be accepted, but let’s be frank, most people don’t read them. On top of that, they are often written in legalistic language, making it difficult for many of us to grasp the nuances and subtleties of what we really get, where the supplier’s responsibility stops and what is left for us to manage.

So, this being said, how do we create a system that describes to users, in simple terms, what they are receiving from a security point of view? Since you probably do not need the same level of security for every service you run, the approach will need multiple levels. Running a digital car-crash simulation or a digital mock-up of an airplane in flight does not call for the same level of security as holding the names and credit card numbers of your customers.


When I travel, and that happens quite often, I want to know what type of a hotel I will reside in. I want a certain level of comfort, particularly when on short business trips. I want some facilities such as a gym, internet connections, etc. On the other hand, when I go on a backpack expedition for holiday, well, my needs are not the same. So, when choosing a hotel, I look at the star system. Depending on my needs, I may take a 2, 3 or 4 star hotel. And I rarely get disappointed. I do not need to know all the bells and whistles about how this classification is established. I just roughly know that a given amount of stars corresponds to a certain level of comfort. It’s easy, quick and visual.


Could we establish something similar for our cloud services? Could the industry agree on a classification, and allow an independent entity to rate a given cloud service? I believe we should. This would make clear to the user what level of security and service he gets, without having to disclose to him all the details of how that was achieved. Many public cloud service providers argue they cannot disclose their security measures because that would tell hackers how to attack them. A star (or maybe cloud) system would bridge the gap between the complex, detailed description of the processes, procedures and technologies used and the need for a simple description of what is being received.


I am proposing this by service, and not by service provider, and there is a reason for that. Remember the cloud supply chain. On the one hand, a service will only be as secure as its “weakest link”; on the other, as the Cloud Security Alliance points out in its report on top threats to cloud computing, insecure interfaces and APIs are one of the key areas of risk. So providers in the cloud supply chain have to work together to ensure appropriate levels of security at the integration points.


At a meeting I attended last week, there was a large debate over whether this should be voluntary or mandatory. Frankly, I believe it’s the wrong debate. Would you go to a hotel that has no stars? No, because you want to know what you are getting into. In other words, I believe that if such a system were established, even on a voluntary basis, the fact that some suppliers offered the rating would force the rest of the industry to follow. Market forces are like that.


The real question is who would assess the actual number of stars (or clouds) a particular service would get. We need an organization that is truly independent, that can be trusted by users, and that has the deep technical knowledge needed to evaluate the true security level reached by the service. Should this be an existing standards body, an audit firm, a multinational organization or a consortium set up by the industry? Again, how this entity comes into existence does not matter; what it achieves does. And it needs to gain the trust of users very quickly, or the effort will be lost.


Do you agree with my proposed approach or not? Let me know. It’s an important subject, and we need to address it as an industry if we want the public cloud to really take off.


Comments
itManageCast | ‎06-01-2011 08:22 AM

Interesting idea, but to carry on your hotel metaphor, how would the potential cloud "traveler" know & understand the star/cloud rating in context of the already burdensome compliance regulations (HIPAA, PIPEDA, PCI) to which they are likely already subject? The star system makes it simple to understand the over-all quality of the stay one is expecting, but one still needs to do their research to make sure the hotel has the specific amenities the customer wishes to enjoy (or needs).

 

Further point for consideration, hotels are intended for brief stays. If one is planning on renting a house, that's a whole different ball game. Maybe we're looking at something a bit more in depth here, like the real estate ratings systems. I suspect that's what you are alluding to in the tail end of your blog, indicating that on the implementation side this is more complex than a brief "mystery guest" stay to experience what it's like to be a customer of a particular cloud service. "Real estate ratings are based on parameters like the developer's record, service, cost overruns and innovations. These will help buyers benchmark and identify quality projects in a city."

Regular Advisor | ‎06-03-2011 04:59 PM

Thanks for the comment itManageCast.

 

Christian is on holiday, so I'll take a shot. 

 

First I think you two are in general agreement. I think the star rating is viable but there would be a lot packed into those stars. I see those like a car trim level: you have the basic, luxury, extra luxury, where you get more features with each until there are no more features.

 

The other thing that comes to mind is the feature logos on say a DVD player. Blu-ray, WiFi, HD, 1080i, Compact Disc, etc. Not as simple but really quick to see if it meets your needs.

 

For cloud it might be PCI, HIPAA, ISO 27001, etc. But you'd probably also need someone like a customer satisfaction award company. Maybe it is a combination of stars for customer satisfaction and industry logos for features.

 

I'm looking forward to what Christian will say. Just the fact that we are talking about it is a good sign and shows the market is maturing.

 

 

RyanKo | ‎10-10-2011 04:19 PM

Hi Christian, you are absolutely right.  The Cloud Security Alliance is doing something similar to what you recommend with its new STAR registration process.  See my post here for more details.  I am sure you are aware of this. Let me know what you think about this new registry?

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.