Tracking And Measuring Cloud Providers' Security Performance

[Excerpted from "Monitoring and Measuring Cloud Provider Performance," a new report posted this week on Dark Reading's Cloud Security Tech Center.]

The move to cloud computing services is a big one for most IT organizations. But nowhere is the change more profound than in security, where the use of cloud services introduces a whole new array of questions and concerns.

While moving even in part to a cloud model is a big change for many reasons, the most significant difference is a loss of direct control. Just as security groups often struggle with managing security inside a corporation when in a governance role, we struggle even more with governing the security of assets that no longer sit within our own data center. The challenge is to develop and implement a strong governance model for these cloud offerings that ensures that security is part of the conversation.

The type and size of provider you’re dealing with can make a big difference in terms of how robust its security program is, the types of controls it has in place, and the amount of leeway you will have in contracts.

Large providers such as Amazon.com and Salesforce.com, for example, are likely to simply dictate their universal contract terms and leave it up to you to agree or not. This may provide a clearer picture of what security controls the provider believes are in place, but less ability to assess them for yourself.

However, we are starting to see an increasing number of specialized mom-and-pop providers working in the cloud space, particularly within the software-as-a-service segment. These organizations have expertise at solving a particular business problem, but often they are neophytes when it comes to cloud infrastructure—and particularly to nuances around contracts and security.

One challenge with cloud offerings is that it’s easy for individuals throughout your business to acquire them without engaging IT or IT security. In fact, that’s often the point. IT and IT security, unfortunately, can be seen as obstacles to the business, so going directly to an outside provider is very enticing.

While your cloud provider will undoubtedly assure you that it takes security seriously, and may even provide documentation of the controls it has in place, you’ll want to go a step further and include the "right to audit" within your contract. This provides customers with the ability to validate that expected security controls are in place.

No matter how strong a security program is, there’s always a possibility of some kind of security breach. In contracts with your cloud providers, make sure definition of the term "breach" is made explicit. In other words, it’s important that there’s a clear understanding on both sides of what constitutes a breach. In addition, the conditions under which your organization will be notified of a breach should be specified.

To find out more about the specific metrics and tools you can use to measure your cloud service provider's security performance -- and to get details on how to implement them -- download the full report.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.