Cloud security transparency today equates to a non-disclosure-agreement discussion between an enterprise and service provider over the provider’s controls. The end result
Despite several standards-based efforts, providers don’t have a repeatable mechanism for these types of interactions, and customers often don’t get an apples-to-apples comparison of providers.
Calls for cloud transparency, however, continue to resonate as IT evolves and moves onto cloud computing platforms, attractive for their efficiency and elasticity. Enterprises moving applications and data to the cloud, or consuming a provider’s services, need to understand cloud provider security. But providers remain hesitant to give up proprietary information or to expose themselves to exploitation.
“What [customers are] trying to do is figure out a way to determine what are the questions they should be asking cloud providers and evaluate a service, evaluate the risk and whether it meets compliance requirements,” said Microsoft’s Tim Rains, a director of product management in the Trustworthy Computing Group. “Customers want to compare service offerings on an apples-to-apples basis. They need a standard set of questions to ask and get a consistent set of answers. That’s what we’re hearing from customers.”
The Cloud Security Alliance’s Security Trust and Assurance Registry, or STAR, is the closest thing to a standards-based effort meeting this need. STAR launched in the fourth quarter of last year and its aim is to be a public repository of providers’ security controls. Providers who are STAR members can fill out either the CSA’s Consensus Assessments Initiative Questionnaire or the Cloud Controls Matrix framework questionnaire, both built according to the ISO 27001 standard, and ultimately agree to have that data published online and publicly accessible.
“[Providers] don’t want to be creating new security issues and don’t want to publish anything that’s exploitable,” said Jim Reavis, executive director of the Cloud Security Alliance. “Once we get through the questionnaires and the providers understand it’s not about publishing a HP WebInspect scan, but more about whether they’re performing a Web assessment and how to make it available to customers; once they’ve understood it was at that level, they’ve been won over and have said it makes sense. Then it’s more of a legal question.”
Reavis said most of the large providers have filled out questionnaires and are aboard in principle with the STAR effort; legal teams are reviewing the responses and the level to which they want to publish data publicly. To date, only Microsoft, Mimecast and Solutionary have agreed to publish their controls.
“From our perspective, STAR makes a lot of sense,” Microsoft’s Rains said. “The industry and providers have gotten together to work out a set of questions based on a set of standards. The questions are standard and the answers are standard and customers can compare apples to apples and it’s all based on an international standard.”
The use of the ISO 27001 standard also keeps providers from oversharing controls, Rains said. Using Microsoft’s published questionnaire on its Office 365 service as an example of how this is avoided, Rains pointed to the section on architecture around user identity credentials. The ISO requirement is that passwords expire every 90 days and are seven characters of minimum length. Microsoft’s response is that passwords are assigned a maximum age and a minimum character length, without stating the actual values.
“We’re not telling people any information on whether it’s 90 days, for example, we’re simply saying that we’re following the ISO standard and we have independent auditors coming in and making sure we’re doing what we’re supposed to,” Rains said. Customers can take this as a baseline that controls are in place that meet the international standard, and if they wish to extend the relationship, they can learn more under NDA.
“We get asked these types of questions all the time and the compliance mapping associated with them,” said Ken Owens, technology vice president of security and virtualization services at Savvis, a service provider. “The questionnaire provides a baseline of answers. We have a good story about how we take security seriously. It’s a useful tool for us in customer discussions; they can use an NDA to get to the details behind it.”
Providers hope they can eventually use security as a differentiator for their services. A March 2011 Savvis survey of more than 400 enterprise IT and security managers identified security, by a large margin, as the No. 1 barrier for companies to use cloud computing. Savvis’ Owens said customers are much more conversant about cloud and security and are applying pressure on providers about transparency of controls. Customers, Owens said, want to know not only whether their applications are right for the cloud, but also what the risks to those apps are, how those risks can be assessed, how changes in security policies can be monitored, where their data is located, and whether a provider will inform them when it is moved.
“We’ve seen hesitancy in moving enterprise applications into the cloud for fear of security,” said Chris Richter, vice president of managed security services at Savvis. “A lot of CIOs are fearful they don’t believe they know enough about the cloud.”
Efforts such as CSA STAR can go a long way toward creating educated consumers, Reavis said.
“We’re doing some of the work for them. Here are the tools, and maybe we can save them some time from a due diligence perspective,” Reavis said. “Why create your own assessment tools? Use a common tool. Some customers get it, and that’s what I’m hoping for to, tongue-in-cheek, create a viral occupy cloud providers movement. If customers don’t ask for it and providers don’t feel the need to provide it, we’re going down a path of nasty incidents and people not doing the right thing.”