SAN FRANCISCO -- Companies looking to cloud providers for security guarantees will have to settle for the business...
equivalent of a promise and a handshake, a panel of cloud data security experts told attendees at the 2014 RSA Conference.
There is no technical way to prove their security, so we have to trust them.
chief technology officer, Co3 Systems
Dealing with a cloud provider mirrors the benefits and drawbacks of using more traditional outsourced providers and independent software vendors, said Bruce Schneier, chief technology officer for Co3 Systems, a Cambridge, Mass.-based startup focusing on incident response management. Both types of providers have access to company data: An outsourced business process relies on trusting people, while purchasing third-party software requires trust that defects will not compromise customer data or the security of that data, he told attendees.
Similarly, companies cannot know with certainty if a cloud provider is secure, he said. They can only trust assertions that the provider has good security processes in place.
"We are now giving [third parties] our data, rather than using their software and hoping it doesn't mess with our data," Schneier said. "There is no technical way to prove their security, so we have to trust them."
Companies are increasingly moving business processes and data into the cloud to ease management and improve productivity. The average large company has to deal with employees' use of 545 different cloud services, according to management provider Skyhigh Networks' 2013 Cloud Adoption and Risk Report.
"There is sort of this myth that people are not using the cloud because of security concerns," John Pescatore, the moderator of the panel and director of emerging security trends for the SANS Institute in Bethesda, Md. "The reality is that the horse is largely out the barn."
Yet most cloud providers do not provide security assurances about their networks. That leaves much of the security legwork up to the customer, especially for small and medium-sized businesses, said Bret Arsenault, chief information security officer for Microsoft. For a large company like Microsoft, requiring assessments is a matter of course. No matter if the company is a cloud firm or an outsourcing provider, Microsoft requires that they provide some assurance that they meet a list of more than 200 security controls.
"It is always the same discussions with cloud providers," he said. "It is a little bit like the movie Groundhog Day."
The process will become more formalized, Schneier said. Cloud providers will have a standardized audit performed, the results of which they can provide to their customers.
"Water will flow down, and maybe liabilities do as well, which gives me, as a customer, some ability to trust what comes in front of me," Schneier said.
More from RSA Conference 2014
Check out all of SearchSecurity's special coverage of the biggest annual event in information security: https://searchsecurity.techtarget.com/essentialguide/RSA-2014-News-analysis-and-video-from-RSA-Conference-2014.
In addition, companies have choices in how they handle the cloud, stressed the experts. Companies should first assess their data and make certain that the most important data, the top-secret information critical to the business, remains inside the business firewall, said Eran Feigenbaum, director of security for Google Apps.
"The cloud is not an all-or-nothing strategy," he said. "Most of your data falls into the two categories -- public or sensitive -- those types of data are a great use of the public cloud, so that you can devote your security resources to the top-secret data that you don't keep in the cloud."
Utilities, for example, have good reasons for not using the cloud. Many utilities require more stringent controls for cloud data than they do for their internal networks, Scott Saunders, information security officer for the Sacramento Municipal Utility District, said on Friday during a panel discussion on the security of critical infrastructure.
"We want certifications from how the cloud is being used and who has access to it," he said. "There have been times when I have canceled projects because of the cloud risks."