The Patchwork Cloud - Security and Incentives

Sunday, March 04, 2012

Rafal Los


The Patchwork Cloud - Cloud Service Providers, Security and Incentives

Sometimes a colleague in the industry makes a point so well that it's worth repeating and expanding on. I'm referring to Dave Shackleford's post titled "The Cloud's Low-Rent District".

Dave nails the point perfectly, discussing positive incentives for Cloud Service Providers (CSPs) and whether they work, or whether a different, more negative approach is needed.

While I'm participating in the Cloud Security Alliance (CSA) and their efforts to create standards - I think I'd be delusional if I believed every provider will jump on the CSA STAR bandwagon and provide fantastic levels of security to their customers.

Let's face it, asking providers to voluntarily disclose the ins and outs of their security posture, and more importantly their deficiencies, is a bit of a stretch. Understandably, as far as standards bodies go, the first step you want to take is to give providers a chance to voluntarily step up to the plate and attest to their security practices and adherence to pre-defined controls. The unfortunate fact is that only the top-notch providers will do this, because they're already meeting most of the requirements and controls.

A CSP that isn't doing well at meeting the security controls and requirements has two options: simply ignore the voluntary attestation and stay off the STAR registry, or answer only the parts it is comfortable with. This isn't necessarily a good thing or a bad thing... all I'm saying is that a scenario like this makes it impossible to have a level playing field.

On the other side of that coin, the effort to create a standards body which could enforce adherence to pre-defined controls would be monumental and unlikely to happen outside the government space, as with the CJIS security rules enforcement. Forcing CSPs even to self-certify against the STAR rules and publish the results is similarly difficult, and logic tells us why.

If I, as a provider, am particularly poor at something, I would rather not tell everyone, particularly prospective customers, about it. This leaves customers with a problem when they're trying to figure out where to go for their cloud provider needs.

Dave's proposal, like many others have suggested, is to create a "Wall of Shame" which would not highlight the well-mannered providers, but shame the ones that perform poorly. This would allow customers to disclose poor service, incidents and breaches, and lax security controls at the providers they buy into. Of course, today this is against most of the contracts you, the customer, sign, so that makes life a little bit difficult, legally speaking. So what are the alternatives?

Taking this thought further, do we really want to go down the road of shaming to make companies care? I'm sure that's effective, but much like negative political campaigns, no one leaves that table without dirt on their hands.

Is there some sort of middle-of-the-road third option here? I know it's impractical (and unconscionable) to ask for governmental interference here... but there has to be another option.

Ultimately though, whether we go with negative or positive reinforcement, it'll be up to the customers to choose which to support, and that will decide whether it is effective. If customers stand up and refuse to work with providers that haven't joined the CSA STAR registry (as an example), then it will force providers to play along or lose business opportunities.

After all, vendors respond best when money is on the line; I've learned that from years as a customer. I think in the end the customer response, their demand that vendors provide evidence of effort, will ring louder than any wall of shame ever could.

But, as Jeremy Clarkson from my favorite show Top Gear would say, there's a problem. If customers are going to demand that Cloud Service Providers adhere to an attestation or audit standard against a set of controls, it has to be a single set, a single standard. You can't have 20 different control "standards" with another 20 different attestation/audit guidelines for them; that simply won't work.

This is the main problem I think we're facing right now in the industry. It's not that we don't have standards, it's that no one can agree on a single governing one. So here's my simple three-step plan for moving Cloud Security forward...

  • Industry agrees on a single unifying set of security controls plus audit guidelines (or an attestation like the CSA STAR registry)
  • Customers demand that their CSPs adhere to and show proof of audit against this standard, or simply reject the vendor
  • CSPs are all pushed into a common set of security controls and audit guidelines

Now... I wish it were that simple. All joking aside though, this problem starts and ends with you, the customer. So get on it. Demand a single standard, and then demand that your vendors get with it. Then maybe in 5 years we'll get better at cloud security.

There. Everyone wins. I've solved it.

Credit for this little bit goes to Dave for making me think about it, and getting my brain started :)

Cross-posted from Following the White Rabbit

Comment from Phil Agcaoili:

Negative consequences were associated with SAS 70s. When every customer demanded one, service providers were forced to obtain them.

Pay attention to the SOC 2 and 3 work that I'm involved with. I suspect that we're on to something.

As a co-founder of the CSA STAR and as a member of the CSA Steering Committee, several efforts with the AICPA, ISO, NIST, the ITU, etc. may make STAR and/or SOC have more relevance and influence CSPs to demonstrate that they are not in the basement with respect to good housekeeping security practices.
