Cloud Security - Transparency is a must!
Now, more than ever, is it important to demand that your cloud services provider provides complete transparency regarding the security and compliance measures they use and have in place to protect your companies’ sensitive information and intellectual property. The more that companies drive critical IT and Data from the many distributed corporate data centers to a smaller number of cloud services could result in potential disaster for companies around the world when transparency is not made available, whether purposely or by sheer oversight. In meeting with many customers, I’m discovering that while there are many large cloud service providers that offer quite an array of services and capabilities, there is little to no transparency regarding security and compliance information transparency. For instance, many cloud providers have their own firewalls, monitoring and controls to ensure that attacks, APTs, malware and otherwise unauthorized activity, but much of that information is not made available to customers for use in their security and monitoring capabilities. It would seem to me that this is a problem that potentially impacts a cloud customers’ ability to ensure complete visibility and protection for their own assets by being unable to incorporate all security intelligence and log information from beginning to end of a potential threat vector.
This is of particular interest to me as I’ve done a number to security reviews in the past of hosted service providers and was able to ensure that there was complete transparency for the company I worked at. The times clearly have changed where there is bigger desire maintain secrecy of this information by cloud providers. It also seems like there is stepped up development of proprietary security, mostly encryption based, that cloud providers are also loathe make transparent. For these, I used to require the provider to have these types of protocols certified by an industry expert and many of the customers I speak with are not able to obtain even these types of assertions. Since this may be a bigger and more pervasive problem, it may take a few breaches or theft of information before customers can start demanding more transparency of their cloud service providers. Who knows, even the good ole auditors will come to the rescue and be required to provide public attestations or certifications that support industry standards such as those from the Cloud Security Alliance.
In any event, as you and your companies move more and more corporate capabilities to the cloud, you should start deeper discussions with prospective cloud providers prior to acquisition asking for access to more security information and intelligence to incorporate into your monitoring and security processes.