Behind the Cloud Curtain

Survey after survey lists security, and more specifically the lack of control and visibility over what is happening to your information on service provider premises, as the number one barrier to cloud adoption.

So far, there have been two approaches to solving the problem:

1 – The “Trust Me” approach: The enterprise relies on the service provider to apply best practices to secure your data, and the only tool you have available to get visibility into what is happening on the service provider’s premises is Google Earth. If you use Gmail and want to know more about what is happening to your email, follow this link or this one.

2 – The “Show Me” approach: The service provider gets bombarded by hundreds of questions and demands for site visits that vary from one customer to another. This creates a tremendous burden for the service provider and a very long process for end-customers before any cloud-based service can be deployed. It completely defeats the cloud agility promise.

Compliance requirements and auditors’ insatiable demand for evidence are pushing the industry towards standardizing a “Show Me” approach.

This week’s announcement by the Cloud Security Alliance of a Governance, Risk management and Compliance (GRC) stack to assess security of cloud environments is a great step in that direction. It defines an industry accepted approach to document security controls implemented in cloud offerings. The Cloud Security Alliance’s high profile, with members representing the leading service providers, technology vendors, and enterprise consumers of cloud services, provides the necessary weight and credibility such an initiative needs to be successful.

Such a framework offers service providers and end-customers alike a consistent and common approach to establish more transparency in cloud services. RSA is building these controls into Archer so that customers can use the same GRC platform to assess cloud service providers as the one they already use to manage risk and compliance for their virtual infrastructure and across the enterprise.

This is a great step forward towards solving the “Verify” part of the “Trust and Verify” equation that must be addressed to drive cloud adoption forward.

What do readers think of this new approach by the Cloud Security Alliance? Is it a step in the right direction or does it need to go further?

About the Author: Eric Baize

Throughout his career, Eric Baize has been passionate about building security and privacy into systems and technology from design to deployment. He currently leads Dell EMC’s Product Security Office and serves as Chairman of SAFECode, an industry-led non-profit organization dedicated to advancing software and supply chain security best practices. At Dell EMC, Eric leads the team that sets the standards and practices for all aspects of product security for the product portfolio: Vulnerability response, secure development, consistent security architecture, and code integrity. Eric joined Dell through its combination with EMC where he built EMC’s highly successful product security program from the ground up and was a founding member of the leadership team that drove EMC’s acquisition of RSA Security in 2006. He later led RSA’s strategy for cloud and virtualization. Prior to joining EMC in 2002, Eric held various positions for Groupe Bull in Europe and in the US. Eric has been a member of the SAFECode Board of Directors since the organization was founded in 2007 and also serves on the BSIMM Board of Advisors. He holds multiple U.S. patents, has authored international security standards, is a regular speaker at industry conferences and has been quoted in leading print and online news media. Eric holds a Masters of Engineering degree in Computer Science from Ecole Nationale Supérieure des Télécommunications de Bretagne, France and is a Certified Information Security Manager. Follow Eric Baize on Twitter: @ericbaize