Cloud providers working on ways to prove they warrant trust

Finding a way to verify security within cloud provider networks is essential but won’t be easy, a cloud security expert told attendees at the Security Standard conference.

Customers’ need to know how data is protected, where it resides and whether it can be transferred to another provider if need be is at odds with providers’ need to keep their security measures secret, said Vincent Campitelli, vice-president of IT risk management at consulting firm McKesson Corp.

Providers simply don’t have the resources to allow each customer to inspect their networks and perform periodic audits, he said. “That’s an unsustainable mode.”

On the horizon are new models for checking out provider networks that are just being talked about, he said, including the notion of an “uber cloud” service provider that has vetted the security, infrastructure and standards of an array of cloud providers and can attest that they comply with standards.

Those standards have yet to be formulated and would have to meet customer requirements, he said, but they may emerge from work being done by the Cloud Security Alliance.

Traditional third-party assessment of physical networks won’t work in cloud environments, Campitelli said, because the assessors aren’t qualified to assess cloud architectures. “They need tools and new skills,” he said.

A more attainable goal is services that would allow customers to manage security configurations, audit logs and self-manage services. They would also be able to impose data leak prevention measures, perform patching of applications and execute vulnerability analysis of the services they buy, he said.

But even that wouldn’t be ideal. “How do you know the tools work and do what they say they’ll do?” he asked. “Providers need to have customers gain confidence in these tools.”

Another speaker at the conference said that information needed to make good decisions about cloud security isn’t generally available from the service providers. “Data you’re likely to want is not available, and if it is available, it’s not available to you,” said Warren Axelrod, research director for financial services with United States Cyber Consequences Unit, a private consultancy.

The risks that customers want to know about aren’t new; they’re just in a new environment where it’s difficult to assess them. “They’re not new risks; they’re a new representation of them,” Axelrod said.

That poses a problem for corporate IT security professionals pressured to approve use of public cloud services because they are so much less expensive than traditional in-house infrastructure deployments. But that means losing control over data.

“If you lose control, you still get the blame. That’s what regulators tell you,” he said. “It’s tough to be responsible without having the control.”

The best course is for corporate teams of IT security and legal experts to assess the downsides of data compromises and then only submit data whose value is low enough that if it is compromised, the costs are bearable, he said.
