One of the top cloud questions I get asked when I’m out and about is “how secure is my data in the cloud”. It’s a simple question with a complex answer that spans dimensions, physical security, data redundancy, data protection, service levels and an underlying reliance on everything being trusted because it’s out of your own hands. Traditionally your business would have been trusting you, the IT Department, and that trust would have been based on the premise that you’re part of the organisation and so working to a common goal. So how do you build up trust if you’re in an outsourced situation where your data is being looked after by a cloud provider?
Well if you look at the basis of the reasons that you trust the people in your IT department (and conversely the reasons why you loose trust) you start to gain a peak at the answers. First and foremost the people in your IT department were probably employees or contractors under a contract of employment to provide services, 37.5 hours of work for example, in exchange for remuneration. In a cloud or outsourced situation it’s fairly obvious that this is a very similar relationship. You have a contract with your provider and you pay them to perform the the level of service that you agreed with them when you last renewed your relationship. So you (and they) have the protection that the contracts affords you both. With Microsoft if we don’t match up to those levels of service we give you a discount against the time you have remaining on the contract – so much like you could dock an employees pay for not turning up to work. This builds trust because you have an element of mutual loss if something goes wrong. If you had an employee and they didn’t turn up to work one week would you probably prefer not to have to pay them than have them work for an extra week (and possibly not turn up again) for free.
Skills and training
Being well skilled as an IT Professional is essential and everyone expects their IT Department to be well skilled. In the scenario of a cloud provider you want to know that they really know what they are doing. You want to be able to see that they’re running this stuff, just like you want to see people in your IT Department running the same laptops as their users, you want to know that a cloud provider is using it’s own stuff. We do. This builds trust in two ways, firstly because you know that you share similar values to the company providing the service, we tend to trust people who are like us. In a business situation it’s actually comforting to know that you’re trusting people who are in it to make money, but it’s also important to know that there’s more to it than that like pushing things forward with innovation in the right space. In addition we also have International Organization for Standardization / International Society of Electrochemistry 27001:2005 (ISO/IEC 27001:2005) and Statement of Auditing Standard (SAS) 70 Type I and Type II attestations. Which is a bit like trusting an employee to do a job because they have an MBA from Oxford.
I’m pretty positive that 99.999% of people reading this will have a manager. Even if you are the CIO you have a manager, they’re called shareholders or owners or partners or your family. They tend to make sure you are doing the right things in the right way. In most larger businesses this role gets devolved to a compliance or risk manager who overseas operations to make sure they’re done in the right. You trust them, again usually through a combination of some of the above but their over watch assures trust in other people and helps you correct mistakes. In cloud computing we’ve recognised this in buckets and so all good vendors strive to achieve the highest standards and to be audited with regularity.
Microsoft’s data centres were recently granted authorisation to operate under FISMA approval allowing them to host US Federal data. That means that Microsoft has met a whole bunch of requirements and recommended security controls that the US Federal government requires to be in place to allow customer data into the hands of a 3rd party, in other words the US Government trusts the processes and procedures behind our data centres. The same is true of passing those ISO/IEC standards they require upkeep and management. In fact there’s a bunch more:
- Payment Card Industry Data Security Standard – Requires annual review and validation of security controls
related to credit card transactions.
- Media Ratings Council – Relates to the integrity of advertising system data generation and processing.
- Sarbanes-Oxley – Selected systems are audited annually to validate compliance with key processes related to
financial reporting integrity.
- Health Insurance Portability and Accountability Act – Specifies privacy, security, and disaster recovery
guidelines for electronic storage of health records.
- Internal audit and privacy assessments – Assessments occur throughout a given year.
Experience tells me people loose trust in their IT Departments due to lack of transparency. The best laptops go to “special” people. The most senior guys get “admin” accounts. The IT Guy lords his skills over someone not from IT. People don’t know the progress of their problem tickets. Transparency around process and procedure goes a long way, a very long way, to helping give people trust in a system or cloud vendor. With our cloud services you can actually see the processes we go through to run our cloud, so can anyone else who fancies doing it right.
Trust at depth
Security at depth is a term often used to describe how you get more security by layering different security sub systems (AV, Spyware, Patching, Encryption) on top of one another. I think the above represents a similar idea for trust. You know you can trust your cloud provider because they provide you with a number of indicators, some of which will be comfort some necessity, that build up into a model of trust. Also there’s some law to revert to if you are in doubt.