Transparency and assurance for a trusted cloud

Examples of national and regional efforts to embrace the cloud can be found in the United States, Europe, Japan, China, Singapore, Taiwan, Thailand and many other countries and regions. In the private sector, adoption of cloud services is growing within the banking industry, manufacturing, healthcare and in many other large corporations, as well as small and medium-sized businesses.

Despite the simplicity of the idea of information and communications technology services offered as a utility, on demand and pay-as-you-go, the cloud computing model is based on a complex chain of interactions between multiple parties, which operate in different countries and cross jurisdictions.

The complexity and opacity that sometimes characterise the cloud “supply chain” have generated some barriers to faster adoption of cloud computing, including:

• Lack of clarity around the definition and attribution of responsibilities and liabilities

• Difficulties achieving accountability across the cloud supply chain

• Incoherent global, and sometimes regional and national, legal framework and compliance regimes

• Lack of transparency of some service providers or brokers, particularly around security and risk management

• Difficulties in performing internal and external due diligence

• Lack of clarity in service level agreements (SLAs)

• Lack of interoperability

• Lack of awareness and expertise.

A key underlying theme in all these is the need for assurance and trust between cloud providers and customers, and generally within the overall ecosystem.

Barriers can be removed. Governments, cloud service providers and customers should be working collaboratively towards increasing the level of trust in the market.

To this end, the definition of security control and certification frameworks, SLAs, standardised contractual terms, and the use of continuous monitoring are key means to provide more transparency and governance to the cloud customer.

The European Commission strategy for cloud computing, for instance, is based on three main pillars:

1. Identification of suitable standards and certification schemes

2. Definition of model terms for SLAs, and contractual terms and conditions

3. Definition of common requirements in public sector organisations, and use of public procurement as a market and quality stimulus.

Similar approaches are currently being adopted in the US and Asia-Pacific region. Cloud providers are striving to become more transparent, especially when it comes to security and privacy.

Governments, cloud service providers and customers should be working collaboratively towards increasing the level of trust in the market

Cloud Security Alliance (CSA) STAR, a voluntary registry where cloud providers can publish the results of their security assessment – either self-assessment or third-party audit-based certification – against the CSA best practices, namely Cloud Control Matrix, is a clear example of cloud providers’ willingness to maintain the trusted relationship they have with existing customers and to provide assurance to potential new ones that their service will be sufficiently secure. Assurance is provided by telling customers which are the security controls and measures in place to manage risks to their infrastructures, services and data.

The objective is to put the customer in a position to compare competing offerings against their requirements, to make informed decisions when choosing the service they need and to be able verify, during the service delivery phase, if reality matches what was promised.

These are certainly steps in the right direction and point to the creation of a market where security is a market differentiator, where transparency is the general rule and obscurity the exception. Cloud solution providers have business incentives to be transparent, to share information with regulators, enforcement authorities, as well as current and potential users, about their security practices.

The most obvious business incentive is based on the simple logic that the customer is more likely to buy services only from those providers which provide enough information to effectively manage their risks. In this respect, the example of an incident management process is very illustrative; in fact a cloud customer necessarily needs information and co-operation from the cloud provider to be able to manage an incident properly.

Policy-makers are playing their part by introducing a number of “soft” policy measures, as well as new binding rules on transparency and accountability. We have also seen a more proactive approach of some cloud solution providers who are voluntarily sharing relevant information with the general public. What is still missing, perhaps surprisingly, is a more active role of cloud service customers.

Cloud Security Alliance is a not-for-profit organisation focusing on best practices, standards, research-provider certification and education in cloud computing security. CSA’s activities include the Open Certification Framework/STAR Certification, awareness and educational campaigns, conferences, seminars, summer schools, webinars, educational papers, guidelines for companies and government, and finally training and professional certification through the CCSK (Certificate of Cloud Security Knowledge).