“Trust. What you really want from your cloud provider are not just assurances but actions,” said Diana Kelley, cyber-security field CTO at Microsoft. Speaking at Cybertech Tel Aviv, the cyber-security veteran explained that, along with trust, a cloud service contract should also address security, privacy, transparency and compliance.
“If you don't have security, you're not going to be able to trust the systems,” she said.
Netscout’s annual Worldwide Infrastructure Security Report in 2019 listed cloud security as the top barrier for enterprise cloud migration. More than 60 percent of organisations list security concerns as a major reason why they are yet to move to the cloud.
“Privacy matters too when you go to the cloud. It's your data. It's your business's reputation. It's your company's customer interactions that are on the line.”
Transparency is important so that people -- customers -- know what the company is doing with the data it holds about them. Compliance is important because when an organisation operates internationally, non-compliance can lead to substantial fees or fines. It also costs the company the trust of its customers, she explained.
These principles, when put into action, are visible as the seven habits of highly trusted cloud providers, she said.
Responsible user of your data
It is imperative that the cloud vendor understands how to use the customer’s data in a way that makes sense to the customer and by methods the customer has approved. The right to monetise the customer’s data is a contentious issue. Even if the customer allows the vendor to monetise the data, whether the vendor can still be trusted with it is debatable. So are the methods used to monetise it, the third parties involved, their access to the data and what they do with it. Risks such as the data being stolen from one of the cloud provider’s third parties are significant.
“But the most important thing is that you understand what they're doing with the data, and that they've looked at privacy and responsible use throughout the entire development lifecycle, including their supply chain with their partners,” she said.
Cloud vendors have to make their customers understand where the data is being used, where it is going, how it is being used and what kinds of compliance the vendor has. The vendor should be honest about where that data goes and how it is used. Most importantly, the customer should have transparent access to that information.
“A lot of times, there are high levels of assurance -- ‘we’ll take care of your data’ but what about the location? Who are they sharing it with? What about the visibility? What are their hiring practices? In short, you as the customer should be able to see what's happening with the data,” she said.
Secure at scale
One of the main reasons for cloud migration is that organisations want to retain security as they scale. The cloud provider must be able to push up security as the business gains customers and scales its operations. The vendor must have controls in place that make it ready for that scale.
“It means hiring more people in the data centres, building more data centres and managing the existing data centres. Are they ready to continue with security at scale for your company?” she asked.
Privacy awareness
The cloud provider has to understand the various global regulations. The data belongs to the customer, so the privacy controls apply within the cloud too. If needed, the vendor should actually go to court and fight for the customer’s rights. Things get murky when it comes to legal action, particularly when a cloud operator based in one country operates a data centre in another for a customer in a third country, and law enforcement in the data centre’s geography wants to look at the data.
“Another really important action is whether your provider puts a backdoor in for governments. Do you want a government to have access to that data? And which government do you trust?” she asked.
Compliance issues crop up as soon as an organisation makes use of cloud storage or backup services. By shifting the data from an organisation’s internal storage to an external location, the consumer is forced to examine closely the methods of storing, accessing and managing data, so that the consumer and the provider remain compliant with laws and industry regulations.
“Taking the time to go and get the compliance work done: getting the assessment, getting certification, showing that they're compliant with the different regulations around the world,” she said.
A cloud service provider should be able to draw a line on how far it will go to monitor and regulate security and compliance on behalf of its end-users. AWS and Microsoft follow a shared responsibility model, which puts the onus on customers to close the data security gaps on their own side of that line.
“A lot of times customers say, ‘we don't want you to just do everything for me’. But remember, it's your data. So you decide what you do with it. Just like it's your car, if you leave it unlocked, the responsibility is yours because it's still your car.”
Merely staying updated does not cut it given the numbing speed at which technology changes. A cloud service provider has to stay a step ahead: thinking about the future, building in protections, continuing to invest, updating technologies and staying aware of the latest threats and trends.
“Ask your cloud provider, what's in the roadmap, what are they committing to and are they going to continue to keep things secure for you so that you can continue to have trust in their system,” Kelley concluded.