Get on-the-go access to the latest insights featured on our Trustworthy Computing blogs.
Posted by: Tim Rains, Director, Trustworthy Computing
When Information Technology departments evaluate potential uses of cloud computing for their organization, many of them quickly realize they no longer have the near omniscient visibility into the operations environment they have when hosting those same workloads inside their own premises.
Depending on the deployment model, details pertaining to the operational aspects of a cloud service provider might be abstracted from the customers using the provider’s services. For example, in the case of a public cloud service, customers accept a reduced level of transparency in order to get the benefits, namely potential reduced costs and increased business agility, from the economies of scale that subscription-based cost sharing arrangements can create.Organizations try to manage this loss of transparency in different ways. Some customers I have talked to try to put a “right to audit” clause into the service level agreements they negotiate with their cloud providers. But I’m not sure this really provides the transparency they want, for at least a few reasons:
As Mark Estberg, Senior Director in Microsoft’s Global Foundation Services, describes in the third video of Trustworthy Computing’s Cloud Fundamentals video series, there needs to be a partnership between customers and cloud service providers. Customers need to know that their cloud provider(s) are being responsible with the applications and data they entrust to them; this is especially true for organizations that have compliance obligations. Customers need to be mindful of their requirements and whether they are compatible with the deployment model(s) they are evaluating. Periodic audits by some small number of trusted auditors in combination with some level of automated reporting, seems to be a reasonable model until innovations in the industry provide richer automated reporting.
If you haven’t seen the first two videos in the series, the introduction video and the video on business agility are both available.
Please check back on this blog in the coming weeks as we continue the Cloud Fundamentals Video Series and explore cloud topics that are top of mind for security professionals in the areas of security, privacy and reliability.