Potential cloud-services customers face a tough problem: How can they trust cloud providers enough to hire them when the providers refuse to reveal important infrastructure details for reasons of security and practicality?
These providers say they can’t open their network architectures to customer scrutiny for fear the details will give potential attackers a blueprint for compromising security. They also say the time involved in answering each customer’s questions would be prohibitive.
The bottom line, as one service provider put it earlier this year, is that customers will never get the level of transparency they want. “We won’t let you audit to the degree that you would audit your own infrastructure,” says Adam Swidler, a product marketing manager at Google, speaking about Google’s cloud services. “It’s never going to be the same as auditing your own infrastructure. You’ll have to extend some level of trust to third-party verification.”
While customers may not be able to walk through cloud providers’ data centers and grill their CISOs, they can submit probing questions whose answers may serve the purpose, says the Cloud Security Alliance, which has written a questionnaire businesses can adapt for their own purposes when trying to assess the suitability of cloud service providers.
Called the Consensus Assessments Initiative Questionnaire, the document is a well-thought-out framework for assessing cloud security. “This question set is a simplified distillation of the issues, best practices and control … intended to help organizations build the necessary assessment processes for engaging with cloud providers,” the CSA says.
Key questions to ask:
Does the provider perform regular penetration testing and internal as well as external security audits that customers can view?
Are customers allowed to perform their own vulnerability tests?
Is data logically segmented or encrypted per customer so one customers’ data isn’t swept up inadvertently with another’s, say, in response to a subpoena?
Can the provider recover data customer by customer in case of a loss?
How are intellectual property rights protected?
Does the provider tag virtual and physical machines used by each customer and can they guarantee that data is stored only in certain countries but not in others as per some countries’ data-storage laws?
What are the provider’s policies for responding to governmental requests for customer data?
What are provider policies about retaining customer data and can they follow customer policies for wiping data from the provider’s network?
Does the provider inventory its own assets and its supplier relationships?
Does it train its staff and document that training in its own and its tenants’ security controls?
Other areas of concern in questioning providers include whether they monitor and control user access rights and what is the nature and extent of security incident response, including provider and customer responsibilities.
The list goes on, but the point of it is to give customers a good assessment of the providers and to give providers a manageable format for responding to customers’ legitimate concerns, CSA says.
Some customers advocate contracting with smaller cloud providers because they can give better direct access to their infrastructures and procedures to ensure the levels of service required. “It is really worth the day trip,” says Jessica Carroll, managing director for IT at the U.S. Golf Association, who chose a smaller provider for just these reasons. “It makes it all real so you know everything in that contract actually exists because you’ve seen it.”