Under the Kimono—Cloud Data Center Security
Do you really trust that your cloud service provider is adequately protecting your data? According to the latest Verizon Data Breach Investigations Report, an astonishing 94 percent of all compromised data involved servers, which shows just how exposed server infrastructure is to attack.
Most public cloud infrastructure providers offer customers little or no insight into their underlying data center security policies and practices beyond touting their numerous certifications. For many enterprise cloud customers, particularly those in security-sensitive industries such as financial services or those that handle personally identifiable information, certifications alone are not enough assurance to satisfy internal audit processes. Industry consortia such as the Cloud Security Alliance (CSA) and the Open Data Center Alliance (ODCA) are working to fill the trust gap.
Most public cloud services companies are reluctant to reveal much, if anything, about their data centers and security procedures. Unless you are a major Fortune 500 company with a few million dollars to spend, you are unlikely to get HP, Rackspace, or Amazon to show you around their cloud facilities any time soon.
For the uninitiated, data centers are rather boring physically: racks and racks of servers in noisy, dim warehouses. But since 98 percent of breaches involve external agents, an understanding of how the provider secures its networks and infrastructure is far more telling than a tour of the building.
One new program is the Cloud Security Alliance Security, Trust and Assurance Registry (STAR), which follows the security certificate model by establishing a chain of trust from the data center through the alliance to the end user. Companies that wish to be listed in the STAR registry submit a self-assessment of their security controls against the CSA's published questionnaire, and the registry makes that assessment available to prospective customers. Since its inception in Q4 2011, the program has attracted some leading lights in the cloud services industry, such as Amazon, Microsoft, and Terremark, but it is still too early to tell whether STAR will become a real cloud security standard.
The Open Data Center Alliance Provider Security Assurance program takes another approach. It outlines what the alliance terms a usage model framework, which defines the minimum levels of cloud security required for four service tiers that map to differing industry needs. These range from bronze, for basic security, up to platinum, designed for military organizations. Anything beyond the bottom tier requires certification by a third-party auditing organization.
Do these certifications actually mean anything? In the end, only you can determine the right level of cloud security assurance for your company. But it would be nice if the vendors were a bit more forthcoming about their general security policies, even if they are understandably reluctant to share the details. How much of an obligation does a cloud service provider have to give its customers transparency into its operations?