Posted by: Tim Rains, Director, Trustworthy Computing

If you’ve been following our Cloud Fundamentals series, you’ve heard me discuss why transparency is important for both cloud service providers and their customers.  Another important aspect of this theme that customers have discussed with me is how to get insight into the security controls used to manage cloud service offerings. 

Many of the security professionals I have talked to are looking for assurances about the security practices and security controls that are used by the cloud service provider(s) that they are evaluating services from.  Information on security controls used to operate a service can then be clearly communicated to audit and enterprise risk management groups.

Today it can be challenging getting information on the security practices used by cloud providers.  Additionally it can be challenging to use such information to compare and contrast the different services offered by these providers. There are at least a couple of factors making this type of comparison harder than it should be:

1. There is no industry standard set of questions that cloud service evaluators can use to ask cloud providers about the security practices they employ to manage their services. Subsequently cloud evaluators must create their own evaluation criteria.  To this end, some organizations have spent considerable time, resources and budget on developing their own evaluation criteria, or have paid consulting companies to do this for them. This duplication of effort across the industry is inefficient and expensive for both cloud evaluators and the cloud providers who are forced to interpret and respond to a myriad of different requests for information.
2. There is no industry standard format for cloud providers to provide answers to questions about the security practices they use to operate their service offerings. i.e. different cloud providers might answer the same question in very different ways making comparing and contrasting them difficult.  For example, some cloud providers might answer a given question with more or less detail than other cloud providers, or by using numeric values while others provide a written response, making a direct comparison difficult.

The industry is working on ways to make it easier to compare the security practices used to manage cloud services.  One example of this is the Cloud Security Alliance Security, Trust & Assurance Registry (STAR). In this installment of the Trustworthy Computing Cloud Fundamentals Video Series, I discuss the potential benefits of STAR and how Microsoft is leveraging it to provide visibility into the security controls that our customers are looking for, and to help our customers compare the security of some of our cloud services with other vendors’ cloud services.  I’m joined by Kellie Ann Chainier, a Cloud Business Manager from Microsoft’s Worldwide Public Sector team.

 If you haven’t seen the other videos in this series, you can check them out below:

Cloud Fundamentals Video Series

• Introducing the Cloud Fundamentals Video Series
• Cloud Computing & Business Agility
• Cloud Computing Requires Transparency
• Cloud Transparency as an Element of Trust
• The Benefits of Industry Collaboration to Cloud Computing Security
• Benchmarks and Evaluation Standards for Cloud Computing Security

Please check back on this blog regularly as we continue the Cloud Fundamentals Video Series and explore topics that are important for IT professionals who are interested in cloud security, privacy, and reliability.