How to check on your cloud provider

Potential cloud-services customers face a tough problem: How can they trust cloud providers enough to hire them when the providers refuse to reveal important infrastructure details for reasons of security and practicality?

These providers say they can’t open their network architectures to customer scrutiny for fear the details will give potential attackers a blueprint for compromising security. They also say the time involved in answering each customer’s questions would be prohibitive.

The bottom line, as one service provider put it earlier this year, is that customers will never get the level of transparency they want. "We won't let you audit to the degree that you would audit your own infrastructure," says Adam Swidler, a product marketing manager at Google, speaking about Google’s cloud services. "It's never going to be the same as auditing your own infrastructure. You'll have to extend some level of trust to third-party verification."

While customers may not be able to walk through cloud providers’ data centers and grill their CISOs, they can submit probing questions whose answers may serve the purpose, says the Cloud Security Alliance, which has written a questionnaire businesses can adapt for their own purposes when trying to assess the suitability of cloud service providers.

Called the Consensus Assessments Initiative Questionnaire, the document is a well-thought-out framework for assessing cloud security. “This question set is a simplified distillation of the issues, best practices and control … intended to help organizations build the necessary assessment processes for engaging with cloud providers,” the CSA says.

Key questions to ask:

  • Does the provider perform regular penetration testing and internal as well as external security audits that customers can view?
  • Are customers allowed to perform their own vulnerability tests?
  • Is data logically segmented or encrypted per customer so one customer’s data isn’t swept up inadvertently with another’s, say, in response to a subpoena?
  • Can the provider recover data customer by customer in case of a loss?
  • How are intellectual property rights protected?
  • Does the provider tag virtual and physical machines used by each customer, and can it guarantee that data is stored only in certain countries and not in others, as some countries’ data-storage laws require?
  • What are the provider’s policies for responding to governmental requests for customer data?
  • What are the provider’s policies on retaining customer data, and can it follow customer policies for wiping data from the provider’s network?
  • Does the provider inventory its own assets and its supplier relationships?
  • Does it train its staff in its own and its tenants’ security controls, and does it document that training?

Other areas of concern in questioning providers include whether they monitor and control user access rights, and the nature and extent of their security incident response, including provider and customer responsibilities.

The list goes on, but its point is to give customers a good assessment of providers and to give providers a manageable format for responding to customers' legitimate concerns, the CSA says.

Some customers advocate contracting with smaller cloud providers because they can give better direct access to their infrastructures and procedures to ensure the levels of service required. "It is really worth the day trip," says Jessica Carroll, managing director for IT at the U.S. Golf Association, who chose a smaller provider for just these reasons. "It makes it all real so you know everything in that contract actually exists because you’ve seen it."

Tim Greene

Network World