Moving to a “Show Me” State – Gaining Control and Visibility in Cloud Services
Published 01/27/2011
Survey after survey, security and more specifically the lack of control and visibility around what is happening to your information on cloud provider premises, is listed as the number one barrier to cloud adoption.
So far, there have been two approaches to solving the problem:
1 – The “Trust Me” approach: The enterprise relies on the cloud provider to apply best practices to secure your data, and the only tool you have available to get visibility into what is happening on the cloud provider’s premise is Google Earth. If you use Gmail and want to know more about what is happening to your email, follow this link or this one.
2 – The “Show Me” approach: The cloud provider gets bombarded by hundreds of questions and demands for site visits that vary from one customer to another. In most cases, these questionnaires are not tailored for cloud computing, they’re based on the existing control frameworks and best practices used to manage internal IT environments and external vendors.
Neither approach has been satisfactory thus far.
The “Trust Me” approach creates frustration for enterprises moving to the cloud: they cannot meet their compliance processes which often demands providing detailed evidence of compliance and answers to very specific questions.
The “Show Me” approach creates a tremendous burden for the cloud provider and a very long process for end-customers before any cloud-based service can be deployed. It completely defeats the cloud agility promise.
Auditors’ insatiable demand for evidence of compliance is pushing the industry towards standardizing a “Show Me” approach.
The Cloud Security Alliance Governance, Risk management and Compliance (GRC) Stack to assess security of cloud environments is a great step in that direction. It defines an industry accepted approach to document security controls implemented in cloud offerings:
- CloudAudit provides the technical foundation to enable transparency and trust between cloud computing providers and their customers
- Cloud Controls Matrix provides fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.
- Consensus Assessments Initiative Questionnaire provides industry-accepted ways to document what security controls exist in a cloud provider’s offering.
The Cloud Security Alliance’s high profile, with members representing the leading cloud providers, technology vendors, and enterprise consumers of cloud services, provides the necessary weight and credibility such an initiative needs to be successful.
It offers cloud providers and end-customers alike a consistent and common approach to establish more transparency in cloud services. Enterprise GRC solutions such as RSA Archer have integrated the CSA GRC controls into the core platform so that customers can use the same GRC platform to assess cloud service providers as the one they already use to manage risk and compliance across the enterprise.
This is a great step forward towards solving the “Verify” part of the “Trust and Verify” equation that needs to be addressed to help drive cloud adoption.
What do readers think of this new approach by the Cloud Security Alliance? Is it a step in the right direction or should it go further?
Eric Baize is Senior Director in the RSA’s Office of Strategy and Technology with responsibility for developing RSA’s strategy and roadmaps cloud and virtualization. Mr Baize also leads the EMC Product Security Office with company-wide responsibility for securing EMC and RSA products.
Previously, Mr. Baize pioneered EMC’s push towards security. He was a founding member of the leadership team that defined EMC’s vision of information-centric security, and which drove the acquisition of RSA Security and Network Intelligence in 2006.
Mr Baize is a Certified Information Security Manager, holder of a U.S. patent and author of international security standards. He represents EMC on the Board of Directors of SAFECode.