How could we trust public cloud services

Security has been highlighted by CIOs as the major barrier to cloud adoption for several years. Why is that the case? The lack of transparency of public cloud providers' security measures, combined with terms and conditions that push responsibility back onto the users of the cloud service, has left CIOs with a lot of unanswered questions.

In writing this, do I mean that public cloud services are not secure? Actually no. But not knowing the processes, procedures and technologies used by public cloud service providers means CIOs cannot assess whether those are in line with their own processes and procedures. From the service provider's standpoint, documenting their processes and procedures in detail leaves them exposed to hackers and other cyber criminals. It is all an issue of trust and transparency.

 

The issue is made even more complex by the lack of visibility into what I call the “services supply chain.” When you subscribe to a service, you know the company offering it, but you have no visibility into who actually delivers the service, in which environment it runs, who handles backups, and so on.

So the lack of trust is quite understandable. How could we overcome it? By addressing the concerns of the CIOs in the first place. Those concerns involve disclosing or certifying two things:

  • That the involved service providers have adequate policies, procedures and technologies to ensure appropriate levels of security in the delivery of their services
  • That the processes and procedures of all service providers involved in the delivery of a specific service ensure an appropriate level of end-to-end security for the service as a whole

So, for each service provider involved in the delivery of the service, their overall security procedures need to be looked into, addressing external intrusion as well as segregation of tenants and their assets within the environment. Then, for each service, the security of the interface points between the portions of the service delivered by each provider needs to be addressed.

How can we best do this? There are fundamentally two possibilities: either setting up a certification process, or having an independent organization audit, review and rubber-stamp the security measures implemented. Let's look at the pros and cons of both.

 

A certification process would require a clear description of what is being certified and how. Because cloud is a fast-moving technology with many different use cases, it will be difficult to define the certification process precisely. Deep knowledge of cloud will also be required to perform it.

It may be more appropriate to have an independent entity focused on auditing cloud services and rubber-stamping them. Ideally, one or a few such entities would be set up worldwide to perform just that function, assessing the level of security of service providers and of the services they propose. Whether those entities are linked to the US Federal Government and the EU, or are set up by the industry, remains to be seen, but they should work closely with key authorities to ensure alignment between government policies and industry capabilities. I would also argue that such an entity should take advantage of the work already performed by teams focusing on cloud, including the Cloud Security Alliance, NIST, ENISA, ISO and a number of local entities, and link closely with them moving forward.

 

To provide secure cloud services to enterprises, HP developed a specific service, called Enterprise Cloud Services - Compute, where users have the opportunity to assess for themselves the security processes, procedures and technologies used. This reassures CIOs.

However, establishing standards, certifying and auditing service providers is not enough. We have a massive education job to do to explain to users of public cloud services what can go wrong and why they should pay attention. How would you go about this?

Comments
datacenterscan | 06-12-2011 03:59 PM

A public cloud service is a great idea - but the reality is it will be a very difficult sell in the enterprise space. Consumer world - definitely. Microsoft has already done a fairly good job with their Live platform and now Apple with the iCloud format. But enterprises??? Not sure. It will be a very long and complicated sell.

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation