- The lack of cloud security standards and the expanding range of cloud providers complicate RFPs.
- The Current Analysis Cloud Security Study shows IT SPs ahead of carriers and the U.S. ahead of Europe.
The decision to migrate to the cloud is complicated by the expanding number and variety of cloud service providers (typically carriers, IT SPs, vendors, or dedicated cloud SPs), each with its own legacy of strengths and weaknesses, coupled with a dearth of specific cloud security standards to put into a request for proposal (RFP). Apart from PCI DSS in the retail sector and FedRAMP for the delivery of cloud services to the U.S. government, security standards pertaining to cloud services are related to general business process quality (ISO9000), data center management processes (ISO27001-5), auditing (SSAE 16), and a slew of more vertical industry-specific requirements around handling of sensitive personal data. Corporate customers are still relying on best-practice guidelines from standards bodies such as NIST in the U.S. and ENISA in Europe, as well as the user/industry forums such as the Cloud Security Alliance with its Cloud Matrix tool. Still, what does the cloud security playing field look like from the service provider side? How can they assess their service offerings to amorphous customer requirements, as well as the other providers in the market?
At Current Analysis, we set out in 2010 to create a set of comparable criteria to assess cloud security across the range of cloud providers in the market. The second study, which encompasses eight global carriers and IT SPs, will be published in the coming weeks on CurrentCOMPETE. The study uses a framework based on five components: what services are available and where; what migration and implementation support the SP can provide; the breadth and depth of data security measures; the available identity and authentication services; and how the multi-tenant, virtualized environment where data resides and applications run is secured. The headline conclusions are: all cloud providers have significantly expanded their range of cloud security offerings over the past twelve months, the IT SPs are ahead of carriers, and the U.S. is ahead of Europe.
The responses underscore the wide variety of security approaches to cloud computing, most notably around the expansion of real-time (big) data analytics tools. These tools have emerged from the security incident and event management (SIEM) correlation database tools used by security operations center experts to spot traffic anomalies. Now, leading edge cloud service providers are ready to hand these tools over to the customers, allowing them to configure and customize settings themselves, and then deploy the cloud provider’s massive computing capability to provide sophisticated, proactive (and, sometime in the future, preemptive) security. But where does this leave the corporate customer? Security may have been improved (following significant cloud provider investments), but does it make the cloud security assessment easier for the customer? Have you actually experienced big data services – in the wild? What kind of experiences does your company have when relating your security needs to what service providers are developing?