ISACA Now Blog


Can you trust your cloud provider?

Posted at 3:07 PM by ISACA News | Category: Cloud Contracts

Antonio Ramos

It is a fact that our organizations’ ability to deliver a service is increasingly dependent on third-party service providers. IT service provision is no exception.

Facing this scenario, with growing pressure to reduce costs and to embrace the new delivery model of cloud computing, an obvious question comes to mind: Can I trust my cloud provider?

Trust is a very complex issue, and it is not easy to define all the conditions needed to gain it—but transparency is definitely a necessary condition. Being able to know, even before use, which security measures are effectively implemented in an ICT service is quite useful for assuring the right security levels in the supply chain. This is especially true when considering a cloud computing service. Traditionally, following due diligence best practices, we try to audit the service providers or obtain an independent audit report or certification from them, but we have faced some difficulties:

  • Auditing is not easy, and it is even more difficult if there is not yet a signed agreement with the provider.
  • If we use audit reports from the providers, we have to check whether what has been audited is relevant for us—specifically for the service we are going to use—and whether the criteria fit our needs.
  • Cloud providers, especially the bigger ones (that have hundreds or even thousands of customers), cannot afford being audited by each customer.
  • If a certification is presented to us, we have to check again if the scope is suitable for us. Additionally, we have to be aware that current certifications are not about the implementation of security measures; they are about the implementation of information security management systems.
  • Finally, all these methods tell us something about a moment in time, but they do not keep this information updated; we have to wait until the next audit/certification report.

If we had a way to compare different services and to make sure that security measures were maintained throughout the service period, it would be very helpful for our service provider selection process. As I discussed in my presentation at ISACA’s EuroCACS conference, security labeling of ICT services is a way to achieve all these objectives. This method assigns a label to each specific service showing the security measures effectively implemented in it, allowing us to know in a quick and simple way whether the service is suitable for our needs. This recommendation to the industry was included in the European Cyber Security Strategy approved in February 2013, so it is something that the European administrations will be willing to use.

What are your thoughts on security labeling? I encourage you to continue the conversation in the comments below.

Antonio Ramos, CISA, CISM, CRISC
CEO, Leet Security

Comments

Probably not, though I suppose it depends on your definitions of "cloud" and "trust"...

If the question were "Can you trust your cloud provider?" my answer would have to be "No".

In turn I ask: Why would you trust your cloud provider?

Even if the answer were "Yes" [you trust your cloud provider], for whatever reason, perhaps your 'trust' is relevant to specific offerings/services? Maybe you have had a history of exceptional performance with a specific service/vendor? Is it simply low/acceptable risk? Whatever the reason(s) the issues remain the same. Even if you 'trust' what does that mean? What is the intent? Trust is one thing, but validation and verification are quite another.

...And did I mention that I don't believe everything I read? =]

While security labels may help narrow offerings, which would likely benefit new tenants during their market research and evaluation efforts more than existing tenants, applying security labels to cloud offerings may actually complicate 'trust'. This could effectively push the trust boundary farther from what we perceive to have today. I use the word perceive intentionally as something so complex and lacking in transparency as 'trust' in the cloud is a rough estimate, an educated guess at best.

There is already an abundance of inefficient and ineffective oversight that fails to fully meet business [security] requirements. As mentioned by the author, Cloud providers, especially the bigger ones (that have hundreds or even thousands of customers), cannot afford being audited by each customer. – Exactly! These labels just become one more thing for which the providers, their contractors, subcontractors, etc.… cannot and will not be able to provide sufficient validation and assurance to their tenants. Adding labels may provide some high-level assurance and/or generic differentiation between offerings/services, but will almost certainly add to the oversight and perhaps create confusion among tenants current and future. Terms like ‘due diligence’ and ‘putting the onus on the customer’ come to mind here. Not only do the labels become an 'audit-able variable' in themselves, but the labels could spawn variance among vendors and service providers, similar to what occurs today with present-day certifications. We don’t solve anything here; we just fragment the problem and move the pieces around. Even the most comprehensive and thorough agreements I have seen become irrelevant in the fine print. This seems to be especially true in the context of emerging technologies [and threats].

So…

Why would you trust your cloud provider to assign labels, or any other governing body for that matter?

Why would the cloud service providers adopt anything that could potentially limit their agility and cause them to be more transparent?

While these questions are intentionally vague and somewhat rhetorical, they are valid regardless. Presuming justified ‘trust’ and/or a leap of faith from the tenant… Let's also say that the established security labels are adopted to a point of market relevance... A cloud offering is dynamic and flexible by nature, a moving target that was different yesterday and will be different tomorrow. Anything that makes these services more rigid limits the offering and defeats the purpose. The best one can hope for is a sincere snapshot that accurately reflects the service(s) being offered.

If labels are not the answer, what is? I’m not sure there is one – at least not a one-size-fits-all answer. Short of a truly private cloud, I suppose it depends on your definitions of "cloud" and "trust". Once you define what they mean to your organization and their definition within your industry, perhaps there is an answer waiting for you!

In summary, I do not believe security labels would add as much value as they would add overhead. I am not trying to rain on anyone's parade, but at the risk of sounding cynical, I only see such labels being of benefit to the organizations developing and assigning them. Being affiliated with at least one of those organizations, as most of us are, I cannot confirm or deny my support for such an approach. All I can really say is that more labeling/classification/structure generally leads to more work, and rework: an increased level of effort for an industry already overwhelmed by the less-than-manageable apples-to-oranges cloud services industry.

V/R,
MJL Sr at 10/15/2014 6:17 PM