How to check on your cloud provider

The bottom line, as one service provider put it earlier this year, is that customers will never get the level of transparency they want. "We won't let you audit to the degree that you would audit your own infrastructure," says Adam Swidler, a product marketing manager at Google

Potential cloud-services customers face a tough problem: How can they trust cloud providers enough to hire them when the providers refuse to reveal important infrastructure details for reasons of security and practicality?

These providers say they can’t open their network architectures to customer scrutiny for fear the details will give potential attackers a blueprint for compromising security. They also say the time involved in answering each customer’s questions would be prohibitive.

(Cloud Computing Research Center)

The bottom line, as one service provider put it earlier this year, is that customers will never get the level of transparency they want. "We won't let you audit to the degree that you would audit your own infrastructure," says Adam Swidler, a product marketing manager at Google, speaking about Google’s cloud services. "It's never going to be the same as auditing your own infrastructure. You'll have to extend some level of trust to third-party verification."

While customers may not be able to walk through cloud providers’ data centers and grill their CISOs, they can submit probing questions whose answers may serve the purpose, says the Cloud Security Alliance, which has written a questionnaire businesses can adapt for their own purposes when trying to assess the suitability of cloud service providers.

Called  the Consensus Assessments Initiative Questionnaire, the document is a well-thought-out framework for assessing cloud security. “This question set is a simplified distillation of the issues, best practices and control … intended to help organizations build the necessary assessment processes for engaging with cloud providers,” the CSA says.

Key questions to ask:

  • Does the provider perform regular penetration testing and internal as well as external security audits that customers can view?
  • Are customers allowed to perform their own vulnerability tests?
  • Is data logically segmented or encrypted per customer so one customers’ data isn’t swept up inadvertently with another’s, say, in response to a subpoena?
  • Can the provider recover data customer by customer in case of a loss?
  • How are intellectual property rights protected?
  • Does the provider tag virtual and physical machines used by each customer and can they guarantee that data is stored only in certain countries but not in others as per some countries’ data-storage laws?
  • What are the provider’s policies for responding to governmental requests for customer data?
  • What are provider policies about retaining customer data and can they follow customer policies for wiping data from the provider’s network?
  • Does the provider inventory its own assets and its supplier relationships?
  • Does it train its staff and document that training in its own and its tenants’ security controls?

Other areas of concern in questioning providers include whether they monitor and control user access rights and what is the nature and extent of security incident response, including provider and customer responsibilities.

The list goes on, but the point of it is to give customers a good assessment of the providers and to give providers a manageable format for responding to customers' legitimate concerns, CSA says.

Some customers advocate contracting with smaller cloud providers because they can give better direct access to their infrastructures and procedures to ensure the levels of service required. "It is really worth the day trip," says Jessica Carroll, managing director for IT at the U.S. Golf Association, who chose a smaller provider for just these reasons. "It makes it all real so you know everything in that contract actually exists because you’ve seen it."

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags cloud computinginternetGoogleData Centerhardware systemsConfiguration / maintenance

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Tim Greene

Network World
Show Comments

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?