By Christian Verstraete
For several years CIOs have named security as the major barrier to cloud adoption. Why is that the case? The lack of transparency about public cloud providers' security measures, combined with terms and conditions that push responsibility back onto the cloud service user, has left CIOs with a lot of unanswered questions. "Don't expect to peer into Google Cloud services security" describes this frustration well. And simply stating "trust us, we are more secure than your data centre" does not cut it.
In writing this, do I mean that public cloud services are not secure? Actually no. But without knowing the processes, procedures and technologies a public cloud provider uses, customers cannot assess whether those are in line with their own processes and procedures. Providers, for their part, argue that documenting their processes and procedures in detail would hand useful information to hackers and other cyber criminals, and some claim to have too many customers to share their security measures with each one, or to accept individual audits.
The issue is made even more complex by the lack of visibility into what I call the "services supply chain." When you subscribe to a service, you know the company offering it to you, but you have no visibility into who actually delivers the service, in which environment it runs, who handles backups, and so on. Many service providers do not even take responsibility if something happens to your account. For example, this is what Amazon writes in its AWS Customer Agreement (dated February 8, 2011): "You are responsible for all activities that occur under your account, regardless of whether the activities are undertaken by you, your employees or a third party (including your contractors or agents) and, except to the extent caused by our breach of this Agreement, we and our affiliates are not responsible for unauthorized access to your account."
The lack of trust is quite understandable. How could we overcome it? By addressing the concerns of the CIOs first. And, beyond recognizing that cloud service providers have responsibilities of their own, two things need to be demonstrated:
- That the involved service providers have adequate policies, procedures and technologies to ensure appropriate levels of security in the delivery of their services
- That the processes and procedures of all service providers involved in the delivery of a specific service ensure an appropriate level of end-to-end security for the service as a whole
So, for each service provider involved in the delivery of a service, its overall security posture needs to be examined, covering defence against external intrusion as well as the segregation of tenants and their assets within the shared environment. Then, for each service, the security of the interface points between the portions of the service delivered by each provider needs to be addressed.
How can we best do this? There are fundamentally two possibilities: setting up a certification process, or having an independent organization audit, review and rubber-stamp the security measures implemented. Let's look at the pros and cons of both.
A certification process would require a clear description of what is being certified and how. Cloud being a fast-moving technology with many different use cases, it will be difficult to define the certification scope and process clearly. Deep knowledge of cloud will also be required of whoever performs the certification.
It may be more appropriate to have an independent entity focused on auditing cloud services and rubber-stamping them. Ideally, one or a couple of such entities would be set up worldwide to perform just that function, assessing the level of security of service providers and the services they offer. Whether those are linked to the US Federal Government and the EU, or set up by the industry, remains to be seen, but they should work closely with the key authorities to ensure alignment between government policies and industry capabilities. I would also argue that such an entity should build on the work already performed by teams focusing on cloud, including the Cloud Security Alliance, NIST, ENISA, ISO and a number of local entities, and link closely with them going forward.
Establishing standards and certifying and auditing service providers are not enough, however. We have a massive education job to do to explain to users of public cloud services what can go wrong and why they should pay attention.
Word has gotten out that the latest Sony breach was actually launched from Amazon Web Services. So not only do users feel exposed because of the lack of transparency; it now appears that the enormous capacity available in public clouds also facilitates cybercrime. Public cloud adoption requires this to be addressed as well.
This will be sorted out, but it will take time, and it will require both politicians and the industry to recognize that something needs to be done. In the meantime, can public cloud clients find other platforms that provide what I have described?
Our answer is yes. We call them "Enterprise Class Cloud Services." These are services whose security processes, procedures and technologies can be audited, which require the signature of a thorough contract with clearly defined roles and responsibilities, and which come with defined service level agreements. HP's enterprise-class cloud service is called ECS-Compute. So, next time you are looking for a cloud service provider, keep this in mind.
Related blog posts:
- Look before you click: 10 questions to ask before agreeing to a cloud services contract
- Tips, tools and template to draft a cloud computing strategy for your organization
Get even more insights on cloud computing from me and my colleagues, by visiting the Grounded in the Cloud blog.