With the Infosecurity conference and exhibition upon us once again, it is often a time to spot themes in the cloud security marketplace. And over the last couple of weeks it has become apparent that one important theme to emerge is the blaming of service providers for not delivering more secure services to end users as part of the fundamental service package.
There have already been a few stories along these lines on the run up to the conference, and the latest to approach the subject – if from a slightly different angle to direct blaming – is the APM Group, the Cloud Industry Forum’s independent certification partner. Indeed, it has also pointed the finger at the user community itself
Its position is the mitigating the security risks of cloud computing starts with selecting the right Cloud Services Provider (CSP). The company will be addressing this subject at Infosecurity Europe, stressing that, whilst end users will still need to exercise caution and conduct their due diligence, the CIF Code of Practice can assist in the selection process.
“Security is typically cited as an obstacle to the deployment of cloud solutions,” Richard Pharro, CEO of APM Group said, “ but, in general, the perception that cloud has heightened security issues is unfounded. In truth, data is not inherently more insecure in the cloud than on-premise. It all comes down to what safeguards there are, be they technical or legal.
“CSPs will often have more robust and up-to-date security than their customers, in particular SMEs, who often have limited full-time IT resources and struggle to keep up to date with security issues and fixes. Maintaining the best levels of security and service reliability are part of the core business proposition of every CSP, for if they fail at that they have very little else of value to offer the marketplace.
“Good security does, however, start with choosing the right provider. You shouldn’t be afraid of asking prospective CSPs tough questions about how your data will be kept secure. For example, what mechanisms the CSP operates in regard to access control, data storage, and data in transit to ensure compliance with data protection as well as offer effective security and sovereignty? If they can’t satisfactorily answer these questions, I’d suggest that you keep looking.”
The Cloud Industry Forum has established a Code of Practice for CSPs to make the selection process easier. It aims to standardise enterprises offering cloud services to provide assurances for end users looking to migrate to the cloud.
Pharro sees this as a credible, certifiable tool that allows CSPs to demonstrate they meet specified requirements of transparency, accountability and capability. For example, providers that have certified against the Code have demonstrated their compliance with industry standards of best practice with regard to transparency and capability.