An insight into services' security controls is highly important in choosing a provider

Feb 9, 2012 12:42 GMT  ·  By
Cloud Fundamentals Video: Comparing Security Controls to Evaluate Cloud Services

The latest installment of the Cloud Fundamentals Video Series is focused on evaluating the various offerings available for cloud services based on the security controls they offer.

One of the important factors in choosing a specific service provider is transparency, but customers also need to take into consideration how to get insight into the security controls that are being used for the management of cloud service offerings.

Tim Rains, director, Trustworthy Computing, explains that security professionals are interested in the security practices and security controls that cloud service providers use.

He also notes that all the details on these security controls that providers use to operate a service can then be clearly communicated to audit and enterprise risk management groups.

However, gathering this kind of information can be challenging these days, as can using these details to compare the different service offerings coming from providers.

Tim Rains notes two of the factors that make this process much harder than it should actually be:

- There is no industry standard set of questions that cloud service evaluators can use to ask cloud providers about the security practices they employ to manage their services. Subsequently cloud evaluators must create their own evaluation criteria. To this end, some organizations have spent considerable time, resources and budget on developing their own evaluation criteria, or have paid consulting companies to do this for them. This duplication of effort across the industry is inefficient and expensive for both cloud evaluators and the cloud providers who are forced to interpret and respond to a myriad of different requests for information.

- There is no industry standard format for cloud providers to provide answers to questions about the security practices they use to operate their service offerings, i.e. different cloud providers might answer the same question in very different ways, making comparing and contrasting them difficult. For example, some cloud providers might answer a given question with more or less detail than other cloud providers, or by using numeric values while others provide a written response, making a direct comparison difficult.

However, the industry is working on making sure that the comparison of security practices used to manage cloud services is made easier than before.

The Cloud Security Alliance's Security, Trust & Assurance Registry (STAR) can be used as an example here, and the new video in the Trustworthy Computing Cloud Fundamentals Video Series is meant to offer an insight into the benefits of STAR.

Moreover, Tim Rains and Kellie Ann Chainier, a cloud business manager from Microsoft’s worldwide public sector team, discuss how Microsoft is leveraging STAR to give customers the visibility into security controls that they are looking for.