In survey after survey, security, and more specifically the lack of control and visibility into what is happening to your information on service provider premises, is listed as the number one barrier to cloud adoption.
So far, there have been two approaches to solving the problem:
1 – The “Trust Me” approach: The enterprise relies on the service provider to apply best practices to secure your data, and the only tool you have available to get visibility into what is happening on the service provider’s premises is Google Earth. If you use Gmail and want to know more about what is happening to your email, follow this link or this one.
2 – The “Show Me” approach: The service provider gets bombarded by hundreds of questions and demands for site visits that vary from one customer to another. This creates a tremendous burden for the service provider and a very long process for end-customers before any cloud-based service can be deployed. It completely defeats the cloud agility promise.
Compliance requirements and auditors’ insatiable demand for evidence are pushing the industry towards standardizing a “Show Me” approach.
This week’s announcement by the Cloud Security Alliance of a Governance, Risk management and Compliance (GRC) stack to assess security of cloud environments is a great step in that direction. It defines an industry accepted approach to document security controls implemented in cloud offerings. The Cloud Security Alliance’s high profile, with members representing the leading service providers, technology vendors, and enterprise consumers of cloud services, provides the necessary weight and credibility such an initiative needs to be successful.
Such a framework offers service providers and end-customers alike a consistent and common approach to establish more transparency in cloud services. RSA is building these controls into Archer so that customers can use the same GRC platform to assess cloud service providers as the one they already use to manage risk and compliance for their virtual infrastructure and across the enterprise.
This is a great step forward towards solving the “Verify” part of the “Trust and Verify” equation that needs to be solved to drive cloud adoption forward.
What do readers think of this new approach by the Cloud Security Alliance? Is it a step in the right direction or does it need to go further?