December 17, 2010, 11:49 AM — Potential cloud-services customers face a tough problem: How can they trust cloud providers enough to hire them when the providers refuse to reveal important infrastructure details for reasons of security and practicality?
These providers say they can't open their network architectures to customer scrutiny for fear the details will give potential attackers a blueprint for compromising security. They also say the time involved in answering each customer's questions would be prohibitive.
The bottom line, as one service provider put it earlier this year, is that customers will never get the level of transparency they want. "We won't let you audit to the degree that you would audit your own infrastructure," says Adam Swidler, a product marketing manager at Google, speaking about Google's cloud services. "It's never going to be the same as auditing your own infrastructure. You'll have to extend some level of trust to third-party verification."
While customers may not be able to walk through cloud providers' data centers and grill their CISOs, they can submit probing questions whose answers may serve the purpose, says the Cloud Security Alliance, which has written a questionnaire businesses can adapt for their own purposes when trying to assess the suitability of cloud service providers.
Called the Consensus Assessments Initiative Questionnaire, the document is a well-thought-out framework for assessing cloud security. "This question set is a simplified distillation of the issues, best practices and control ... intended to help organizations build the necessary assessment processes for engaging with cloud providers," the CSA says.
Key questions to ask: