Can you hear that? It’s the sound of the cries for cloud security getting louder.
At least that’s what Michael S. Mimoso, editorial director for Search CloudSecurity, hears.
“Cloud security transparency today equates to a non-disclosure-agreement discussion between an enterprise and service provider over the provider’s controls,” Mimoso declares, adding that “The end result may satisfy the customer and lead to business for the provider, but the process isn’t efficient for either side.”
It’s a no-win situation for the cloud hosting provider, because the way to reassure potential customers about how secure their services are would be to detail their security arrangements, which makes about as much sense for the provider as showing a prospective depositor how secure the bank vault is by telling them the combination to the lock. So they have to fall back on such appeals as “We haven’t had a serious security breach in ___ years,” or “Well, it’s all state of the art, trust us.”
What customers want is some sort of objective standard for comparing different security setups. “Does your system have This? Does it have That? The other guys can offer This and That on their system, do you?”
Mimoso quotes Microsoft’s Tim Rains, a director of product management in the Trustworthy Computing Group, as saying that customers are looking for just such an “apples to apples” comparison, “a standard set of questions to ask and get consistent set of answers.”
Yes, providers can fill out questionnaires, and to a certain extent the answers they give can allay a potential client’s misgivings or doubts. And it’s not as if providers are trying to be obtuse; they’d love to be able to use security compliance measures as a selling point separating themselves from the competition, throwing around numbers and certifications the way they do with speed and capacity now.
Towards this end, Rains said, Microsoft has joined with Mimecast and Solutionary in the STAR effort, which Mimoso explains is the Cloud Security Alliance’s Security Trust and Assurance Registry, “the closest thing to a standards-based effort meeting this need,” intended to be “a public repository of providers’ security controls.”
The STAR site describes the organization’s purpose as being “a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering contracting with.”
The idea is that members get a standardized format for sharing their security qualifications in a way that doesn’t compromise their actual security measures but still allows for apples-to-apples comparisons.
Rains says STAR includes “a set of questions based on a set of standards... and it’s all based on an international standard.”
Granted, there will never be a perfect standard, but STAR is a good step toward providing the sort of objective criteria serious clients need.
David Sims is a contributing editor for TMCnet. Edited by Juliana Kenny