This question is really about security: whether or not some of the major cloud providers have the levels of security they claim to have to protect enterprise users and information, and/or whether or not they are willing to be open and frank about those levels of security and the gaps in them. This has been a pretty common problem since the days of application hosting providers. I recall these providers getting inundated with requests to have their environments audited ad nauseam against whatever the security standard du jour was at that time. Then there was the issue of encryption and whether or not it was appropriately designed and implemented – again, we asked that they have an industry expert attest to the security of that encryption. Then there was the requirement to audit the provider on an ongoing basis to ensure the security requirements remained in place over time. Clearly, all these good things need to be done. But why do we still have this problem, and why are some of these bigger cloud providers saying to enterprises, “Go ahead and use my SaaS or IaaS, but don’t put your sensitive data out there!” or, “Yes, we have encryption, but we can’t tell you about it or show how secure it is because it’s proprietary”?
In many cases, we’re still back to square one on the security front. Cloud providers want enterprise business, but still don’t see security as a key requirement until they’ve sold enough service subscriptions or gotten enough complaints or, worse, have suffered a breach. I’m not sure why these large providers don’t want to share their security capabilities or intelligence with customers. I can only suspect that they might feel they have some culpability should there be any breaches. What concerns me is the continued lack of industry fortitude from customers telling these providers they must either have security or make the security intelligence they have available to customers so there is an effective defense against external threats to users and information. Customer cyber readiness and response need to be a minimal consideration going forward, whether it’s a customer procuring cloud services or a cloud service providing customers a service.
At the end of the day… the bad guys are out there doing their level best to steal information for whatever gain. The least that cloud providers could do is provide enterprises with whatever it takes to ensure complete visibility into how well protected their information and users are, be extremely clear about where their security gaps are, and look for ways that both the provider and customers could work together to close those gaps.