Posted by: Tim Rains, Director, Trustworthy Computing

When Information Technology departments evaluate potential uses of cloud computing for their organization, many of them quickly realize they no longer have the near omniscient visibility into the operations environment they have when hosting those same workloads inside their own premises.

Depending on the deployment model, details pertaining to the operational aspects of a cloud service provider might be abstracted from the customers using the provider’s services. For example, in the case of a public cloud service, customers accept a reduced level of transparency in order to get the benefits, namely potential reduced costs and increased business agility, from the economies of scale that subscription-based cost sharing arrangements can create.

Organizations try to manage this loss of transparency in different ways. Some customers I have talked to try to put a “right to audit” clause into the service level agreements they negotiate with their cloud providers. But I’m not sure this really provides the transparency they want, for at least a few reasons:

• Transparency or Breach: If each customer of a cloud provider has the unrestricted right to audit the cloud operations and infrastructure, the audit activity of one customer might constitute a breach or policy violation for other customers sharing the same cloud infrastructure.
• The Cloud is a Stack: Cloud providers typically leverage the services and infrastructure of other vendors during the course of providing services to its customers. For example, network services to and from a cloud provider’s data center are likely provided by two or more network providers (for redundancy, load balancing, etc). Even if a “right to audit” clause provides visibility into a cloud provider’s environment, it likely won’t provide insight into the tiers of providers that constitute the cloud stack that the customer is leveraging. In other words, the “right to audit” clause won’t transmit to all the carriers that are involved in potentially providing service for that customer.
• Audit or Innovate: If every customer in a multi-tenant environment periodically exercised a “right to audit”, this would drive out many of the efficiencies that create potentially lower costs and greater business agility for those tenants. Cloud providers would spend more time responding to steady streams of audit requests than innovating and creating the efficiencies that customers are looking for. 

As Mark Estberg, Senior Director in Microsoft’s Global Foundation Services, describes in the third video of Trustworthy Computing’s Cloud Fundamentals video series, there needs to be a partnership between customers and cloud service providers. Customers need to know that their cloud provider(s) are being responsible with the applications and data they entrust to them; this is especially true for organizations that have compliance obligations. Customers need to be mindful of their requirements and whether they are compatible with the deployment model(s) they are evaluating. Periodic audits by some small number of trusted auditors in combination with some level of automated reporting, seems to be a reasonable model until innovations in the industry provide richer automated reporting. 

If you haven’t seen the first two videos in the series, the introduction video and the video on business agility are both available.

Please check back on this blog in the coming weeks as we continue the Cloud Fundamentals Video Series and explore cloud topics that are top of mind for security professionals in the areas of security, privacy and reliability.