We are all going to live in the cloud. Well that is what every study, and forecast tells us. From our clash of clans villages, to our connected cars we can expect all of our data to be hosted in an unmarked data center in a town that we have never heard of. Perhaps this is a slight exaggeration, but the reality is for many of us, we simply have no idea where our data will be stored, and indeed even if we are given the name of a physical location have little insight into the operational procedures, staff vetting, or even physical security employed at the location. This old chestnut is described as the lack of transparency, but the truth is that cloud service providers do remain transparent so long as you ask the question.
It sounds simple, and indeed by all accounts, major providers have entire teams dedicated to just that, answering questions from potential customers about the security controls deployed on site. Such a process however is incredibly inefficient, and reminds me of how insurance used to work. I remember getting the telephone book, and flicking to the section titled insurance. There you would phone as many providers as you could answering questions about your car in order to find the most competitive quote. With every call, you felt a small part of your youth just ebbing away as your tolerance for small talk reduced with every quote. In the end you were met with a saving of eleven pounds for three hours work. Of course it was worth it wasn’t it?
In many cases every element of our industry is met with a similar fragmented approach, do you want to get a quote for staff training, well do a google search and contact every training company you have the patience to contact. Differentiating the commoditized offerings such as insurance with price is simple, but deciding which company you want to host all of your corporate data, well that is a different matter.
It is for this reason that the Cloud Security Alliance, and in particular the Security, Trust & Assurance Registry (STAR) is such a valuable resource. This program encompasses key principles of transparency and a validation of the security posture of cloud offerings. The STAR program includes a complimentary registry that documents the security controls provided by popular cloud computing offerings. This publicly accessible registry is designed for users of cloud services to assess their cloud providers, security providers and advisory and assessment services firms in order to make the best procurement decisions. Now in one single place, potential cloud customers can gain insight into the security maturity of multiple providers in a single instance. Recognizing the need for greater transparency we are pleased to confirm that McAfee has our McAfee ePolicy Orchestrator Cloud STAR certified and will add others as they come online.
It is not question of whether the cloud will be ubiquitous, but whether we can ensure that the data centers holding every detail of our business or personal life have the appropriate level of protection. The STAR initiative is integral into providing a foundation for anybody considering using such services, but more importantly the CSA has been at the forefront of cloud security.
So if you are considering outsourcing your work, make sure that STAR is your first port of call, and should consider attending the CSA Summit at RSA this year on February 13 where I will be sharing my thoughts on “Security in the Cloud: Evolution or Revolution?”