Transparency in Cloud Services from the Security Perspective

Friday, December 16, 2011

Rafal Los


My colleague Christian Verstraete posted an entry called "Lack of Transparency in Public Cloud" on the Enterprise CIO Forum recently... and when I read that, it got me thinking.

Christian's perspective on transparency was similar to mine, albeit slightly different, and that difference couldn't be a good thing.

I took a second read through Christian's post, thought about it some, and have come to the conclusion that there are multiple perspectives, important ones, on the concepts of transparency, for the cloud services we're consuming today.

What does this mean? I mean to say that there is an operational perspective, as Christian outlines, in terms of provider transparency. We are now starting to see cases where a SaaS offering is built on top of a PaaS service, which is itself built using multiple IaaS services, and that is enough to make anyone's head spin.

Knowing where your data actually physically resides "in the cloud" is critical, but knowing how many services, partners and layers make up the final service offering you, as the customer, are consuming - that is critical not just to the operational viability of your cloud service but to the ultimate understanding of its failure modes, contracts and legal requirements.

Christian states all that... but it doesn't end there.

Now, let's take my perspective on the idea of cloud transparency.  My viewpoint - and I admit a lot of this is influenced heavily from discussions with intelligent folks like Tom Reilly who is the captain of the Enterprise Security business unit back at the HP mothership - is that transparency is the capability to look inside the operational day-to-day activity of your cloud provider, as a customer of that provider. 

This builds on top of Christian's ideas that we the consumer should know where, what, and how our cloud services are grounded - and addresses the how more directly.  As a consumer, transparency means that I have auditability of the controls, systems, and capabilities that directly impact my consumed service. 

From a technology perspective this means that I can pull up a real-time dashboard of some kind (preferable over a point-in-time report) and look at the events that have impacted my cloud offering.

Whether it's an administrator logging in to patch up some of my systems, or rebooting a virtual switch that impacts my connectivity, or a new administrator coming aboard... whatever - I, the customer, want to know. 

Of course, there is a challenge here - and that challenge is multi-tenancy.  How much do I show customer A, without jeopardizing customer B?  How do I, the vendor, separate data yet show it in a sanitized manner to the customers who want to see it? 

These challenges from the provider end are very real... as real as the customer demand building for them.
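As an added illustration of the multi-tenancy problem just described (this is example code written for this post's argument, not any provider's real feed format), the sketch below takes constructed provider-side audit events such as an administrator logging in to patch a host or rebooting a shared virtual switch, and produces the sanitized view each tenant is allowed to see: events that did not touch the tenant are withheld entirely, co-tenants on a shared component are never named, and the administrator's identity is pseudonymized with a per-tenant key so that two customers cannot join their feeds to track one employee. The event fields, tenant names and keys are all hypothetical.

```python
import hmac
import hashlib

# Constructed provider-side audit events (hypothetical format). Each event names
# the tenants whose service it affected; "actor" is the provider administrator.
PROVIDER_EVENTS = [
    {"id": 1, "action": "admin_login_patch", "actor": "ops-alice",
     "component": "vm-host-17", "tenants": {"tenant-A"}},
    {"id": 2, "action": "vswitch_reboot", "actor": "ops-bob",
     "component": "vswitch-3", "tenants": {"tenant-A", "tenant-B", "tenant-C"}},
    {"id": 3, "action": "admin_onboarded", "actor": "ops-carol",
     "component": "iam", "tenants": {"tenant-B"}},
]

# Constructed per-tenant keys. Keying the pseudonym on the viewing tenant means
# the same administrator appears under unrelated labels in different tenants' feeds.
TENANT_KEYS = {"tenant-A": b"key-A", "tenant-B": b"key-B", "tenant-C": b"key-C"}


def pseudonym(actor: str, tenant: str) -> str:
    """Stable, tenant-specific label for a provider administrator."""
    mac = hmac.new(TENANT_KEYS[tenant], actor.encode(), hashlib.sha256)
    return mac.hexdigest()[:12]


def tenant_view(tenant: str, events=PROVIDER_EVENTS) -> list:
    """Return the sanitized audit feed a single tenant is allowed to see."""
    view = []
    for ev in events:
        if tenant not in ev["tenants"]:
            continue  # not this tenant's event: not even its existence is disclosed
        view.append({
            "id": ev["id"],
            "action": ev["action"],
            "component": ev["component"],
            "actor": pseudonym(ev["actor"], tenant),
            # A shared-component event reveals only that others were affected, not who.
            "shared_with_other_tenants": len(ev["tenants"]) > 1,
        })
    return view


if __name__ == "__main__":
    for t in TENANT_KEYS:
        print(t, tenant_view(t))
```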

So then, in the final analysis, there are at least two components to transparency for the cloud... infrastructure/provider component-specific, and operational task-specific. I'm sure there are more aspects to this, including financial, liability/risk and others... I can only imagine that if you're a consumer of an enterprise cloud service you must be reading this as your head starts to spin.

Where does it end?  Does this level of complexity justify the service/savings you are getting?  I think the answer is yes, but there is still lots of work to do from the provider end to provide all this transparency to the customer; then from the customer end to educate yourself on just what you should be asking for and expecting.

There is a lot of maturity that is missing still from the "Cloud"... so I think to compensate for that we need better transparency - but will that turn into something that we need forever?  Probably.

Stay tuned, more to come on this topic!

Cross-posted from Following the White Rabbit

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.