
Why every cloud provider needs a robust security audit strategy

Customers want transparency, but they don't want to be overwhelmed. A cloud security audit strategy needs to balance those two goals.

Security is still and will always be a major concern for any IT professional deciding whether to host company data and/or computing assets in the cloud. That means providers need a strong cloud audit strategy to gain customer confidence. A recent study conducted by technology solutions provider and reseller CDW found that 46% of the 1,242 IT professionals surveyed identified security as one of the biggest barriers to cloud adoption. A 2012 joint report from the Cloud Security Alliance and ISACA revealed that data privacy, and testing and awareness, are top areas in which confidence in the cloud is low. These anxieties about security are represented in what can be called the "black hole" of cloud services: services that provide no visibility into the success, status and risks that customer applications face when using outsourced IT infrastructure. These customers are crying out for more transparency.


Providers are aware of these fears and, in response, some have started exposing raw data back to their clients -- listings of all backup jobs, archived copies of log files and such. In practice, this into-the-weeds approach simply serves to return the burden of IT management to the very people that adopted cloud in order to avoid the hassle in the first place. While this may have fringe value for the more empowered IT users that leverage cloud primarily for convenient access to virtual machines, most just want practical business insight into what's working (or not) and knowledge of the risks faced. How can providers be fully transparent without being, well, fully transparent?

SOC and PCI DSS reports aren't a cloud audit strategy

For many providers today, the de facto way to demonstrate a well-executed risk management strategy is to provide customers with Service Organization Control (SOC) reports (which have effectively replaced SAS-70 reports) and Payment Card Industry Data Security Standard Reports on Compliance (PCI DSS RoC). The standards and assessments that frame these reports are some of the most comprehensive and tested today. An auditor's unreserved acceptance of the hosting company's control environment is a strong indicator of a provider with mature risk management practices.

There is, however, a critical gap in these reports: they focus on a provider's general environment and not on each individual customer's variable combination of services and configurations. The reports lack visibility into what ultimately should be any IT organization's primary concern: the inherent and situational threats to the ongoing availability, integrity and confidentiality of their business-critical applications in the cloud.

What businesses seek from providers are continuous, customer-specific cloud audit reports. They need dashboards based on key performance indicators to uncover how well they're meeting their own security and compliance requirements and when they need to take action. For example, a health care company may place Health Insurance Portability and Accountability Act compliance as the No. 1 priority, whereas an online retailer will value PCI compliance.


Cloud providers have the opportunity to offer customized security analyses that illustrate to customers how well their cloud security strategies stack up against other businesses'. Armed with individualized comparison reports that show enterprise security controls lagging behind those of similar organizations, IT security pros could then make the case for higher-level security controls to their CEOs and chief financial officers. Customers could also share relevant data with their own clients to demonstrate the level of security that's in place (backed, of course, with regularly updated metrics).

Businesses currently considering cloud services will be asking potential providers about their cloud security audit strategy. If the answer is weak, those prospective customers will consider moving on. After all, while the allure of the cloud is to alleviate IT management burdens, it does little good if businesses can't manage operational risks. And those operational risks can't be managed without continuous data and exploration into the black hole of cloud security.

About the author:

Sean Bruton is senior product manager of security services at HOSTING, a cloud, hosting and managed IT services provider based in Denver, Colo.

This was last published in April 2013
