How to check on your cloud provider

The bottom line, as one service provider put it earlier this year, is that customers will never get the level of transparency they want. "We won't let you audit to the degree that you would audit your own infrastructure," says Adam Swidler, a product marketing manager at Google

Potential cloud-services customers face a tough problem: How can they trust cloud providers enough to hire them when the providers refuse to reveal important infrastructure details for reasons of security and practicality?

These providers say they can’t open their network architectures to customer scrutiny for fear the details will give potential attackers a blueprint for compromising security. They also say the time involved in answering each customer’s questions would be prohibitive.

(Cloud Computing Research Center)

The bottom line, as one service provider put it earlier this year, is that customers will never get the level of transparency they want. "We won't let you audit to the degree that you would audit your own infrastructure," says Adam Swidler, a product marketing manager at Google, speaking about Google’s cloud services. "It's never going to be the same as auditing your own infrastructure. You'll have to extend some level of trust to third-party verification."

While customers may not be able to walk through cloud providers’ data centers and grill their CISOs, they can submit probing questions whose answers may serve the purpose, says the Cloud Security Alliance, which has written a questionnaire businesses can adapt for their own purposes when trying to assess the suitability of cloud service providers.

Called  the Consensus Assessments Initiative Questionnaire, the document is a well-thought-out framework for assessing cloud security. “This question set is a simplified distillation of the issues, best practices and control … intended to help organizations build the necessary assessment processes for engaging with cloud providers,” the CSA says.

Key questions to ask:

  • Does the provider perform regular penetration testing and internal as well as external security audits that customers can view?
  • Are customers allowed to perform their own vulnerability tests?
  • Is data logically segmented or encrypted per customer so one customers’ data isn’t swept up inadvertently with another’s, say, in response to a subpoena?
  • Can the provider recover data customer by customer in case of a loss?
  • How are intellectual property rights protected?
  • Does the provider tag virtual and physical machines used by each customer and can they guarantee that data is stored only in certain countries http://www.networkworld.com/news/2010/110410-microsoft-cloud-services-hampered-by.html but not in others as per some countries’ data-storage laws?
  • What are the provider’s policies for responding to governmental requests for customer data?
  • What are provider policies about retaining customer data and can they follow customer policies for wiping data from the provider’s network?
  • Does the provider inventory its own assets and its supplier relationships?
  • Does it train its staff and document that training in its own and its tenants’ security controls?

Other areas of concern in questioning providers include whether they monitor and control user access rights and what is the nature and extent of security incident response, including provider and customer responsibilities.

The list goes on, but the point of it is to give customers a good assessment of the providers and to give providers a manageable format for responding to customers' legitimate concerns, CSA says.

Some customers advocate contracting with smaller cloud providers because they can give better direct access to their infrastructures and procedures to ensure the levels of service required. "It is really worth the day trip," says Jessica Carroll, managing director for IT at the U.S. Golf Association, who chose a smaller provider for just these reasons. "It makes it all real so you know everything in that contract actually exists because you’ve seen it."

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags cloud computinginternetGoogleData Centerhardware systemsConfiguration / maintenance

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Tim Greene

Tim Greene

Network World
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?