In my last post, I kicked off a series on New Year’s resolutions that I’d like to see cloud providers embrace in 2014. I began with Suggested Resolution #1: Reinforce that security is a shared responsibility.
Next up is Suggested Resolution #2: Be precise about what the service does, and doesn’t do.
It is exciting to see so many new and interesting cloud solutions coming to market. This is great for customer choice and shows positive momentum for the cloud industry. However, this proliferation of new offerings increases the need to educate customers and accurately set their expectations.
Specifically, when it comes to security, no one likes surprises. A potential cloud service customer should have no confusion about which features – especially security features – are included in the core cloud service. Likewise, it should be abundantly transparent which security controls are available through add-on services and what they will cost. Getting all these details on the table up front will enable customers to weigh their options and choose the plan and pricing that works best for them.
At the same time, it’s also important for cloud customers to do their homework and come prepared to discuss their specific requirements. Business leaders and purchasing managers should start by consulting with their own IT security experts. Cloud providers can help guide customers to the optimal service offering by asking the right questions early in the process.
Take security compliance, for example. If an organization is subject to compliance requirements such as ISO 27001, the service contract should set the expectation that the cloud provider will be able to support the organization's ISO 27001 requirements. This can take several forms, including the cloud provider signing a memorandum of understanding, or including a provision in the service contract that the cloud provider will maintain its own ISO 27001 certification on which the organization can rely.
A good resource for companies looking to evaluate the security credentials of potential cloud providers is the Cloud Security Alliance Security, Trust & Assurance Registry (STAR). Launched in 2011, the STAR documents the security controls provided by various cloud computing offerings and presents them in a publicly accessible, searchable registry.
I’ll be back again soon with my third and final post on Suggested Resolutions for Cloud Providers in 2014.