It's a Long Road to a Secure Cloud - Page 2

Phil Lieberman
Thursday, April 14th 2011

As I’ve noted, moving to cloud services means accepting the cloud provider’s terms of service – in effect, agreeing to play by their rules. In general this means the frequency and duration of service outages (maintenance windows) will be stipulated by the cloud provider, not by you. Limits on traffic, transactions, users and other values may all be set by your provider. In some cases the cloud provider reserves the right to scan your data and present users with advertising based on what is sent in email. And if your hosted neighbors are a nuisance (think WikiLeaks), your access may be impaired by denial of service attacks aimed at them, or simply by the overwhelming load they place on shared infrastructure.

Yet to me the most unsettling cloud security issue is the fraud perpetrated against customers by the so-called SAS 70 certification. SAS 70 (Statement on Auditing Standards No. 70) is an auditing standard, not a security standard: the resulting Type I or Type II report is an auditor’s opinion on controls that the service organization itself selected and described, with no requirement that those controls meet any particular security baseline. Nothing in it “certifies” the service as secure. Customers nevertheless implicitly rely on the security “being there” when a cloud vendor says it has been SAS 70 certified.

What customers don’t know is what the SAS 70 report actually says about that vendor, since these reports are confidential. It is rare for customers to demand to see the report before plunking down their money (don’t forget to sign that confidentiality agreement), and rarer still for customers to compare the SAS 70 reports of multiple cloud vendors. The questions that matter are in the report itself: which controls were in scope, whether the auditor tested their operation over a period (Type II) or merely their design at a point in time (Type I), and which exceptions were noted. It’s frightening to think how few of the customers’ own auditors know to review these critical reports, and how many are kept in the dark by IT departments about their use of third-party cloud providers. Even those auditors who know where to look for the data may have no experience or established process for properly evaluating and reporting on the cloud solutions their clients use.

“Trust me” is not a security strategy. Unfortunately many organizations seem ready to take big leaps into the cloud, naively trusting that the big-company names hosting these offerings will protect their backsides.