This week Gartner’s Global IT Council for Cloud Services issued a press release outlining the rights and responsibilities of cloud computing service providers and consumers.
“The right to know what security process the provider follows” is one of the highlights:
“With cloud computing, security breaches can happen at multiple levels of technology and use. Service consumers must understand the processes a provider uses, so that security at one level (such as the server) does not subvert security at another level (such as the network). Without this knowledge, service consumers risk security violations caused solely by the provider not accounting for the ways in which consumers might use a service. Service consumers also need to understand a provider’s business continuity plans, so that they can ensure that their own operations continue in an emergency. Service providers are not consistent in explaining either their security processes or their business continuity plans.”
Having been in the software industry for more than 30 years and having worked with many organizations to ensure proper privileged identity management, I’m happy to see Gartner’s inclusion of security process as one of the rights. In fact, I’ve been advising our clients on this very subject for some time now.
I think the cloud is a really good, compelling idea, as it can reduce the cost of IT dramatically. By moving services to data centers anywhere in the world, we’re offered the potential for service delivery that costs far less than the alternatives. And the idea of outsourcing security and liability is extraordinarily compelling.
However, enterprises should ask the right questions of their cloud providers before taking the leap and blindly assuming that their data is safe. You should ask your cloud service provider to meet every point of compliance that your IT organization is required to meet. You should also ask your cloud service provider every question that your IT auditors ask you, like:
- What provisions have been made to provide the required trail of access to the user’s auditors on demand?
- What provisions are in place to allow the sharing of privileged control between the cloud vendor and user for appropriate reporting and verification?
Because today’s cloud vendors offer little transparency and little information, don’t be surprised if you don’t like the answers you get. Most cloud vendors would say that for security purposes, it’s on a “need to know” basis and you don’t need to know. Others claim that they’re SAS 70 compliant, but that’s really only a self-certification; just ask Gartner analysts French Caldwell or Jay Heiser.
Remember – you are the consumer paying for a service. It is appropriate to demand to know precisely what measures are in place and what auditing processes are supported as part of the service agreement.
Hello,
The information provided on the Gartner page {Url Below}
only mentions that SAS 70 is not what clients should be looking out for when using a cloud service.
I would appreciate it if more detail could be given as to which certifications cloud providers should have.
Best Regards
The SAS 70 certification is meaningless unless you read the actual report and are satisfied with its contents. The quality and assurances of the report must be individually evaluated by you the customer. It is not a universal guarantee of security quality by any means.
Unfortunately, for all of us, the SAS 70 group has decided that its members need to keep it a secret. Consequently, you must demand to see the report and sign a non-disclosure statement (if they allow it to be read), to view it.
Add to this the fact that many of the cloud vendors do not allow you to independently audit their security, nor do they provide disclosure of their audit logs, and you have few options other than to trust them on their word (with few to no direct monetary consequences for them if they fail to secure their infrastructure).
There are no independent certifications that you can trust at this point in time.