Should cloud service providers also be security and compliance coaches? The idea is not as strange as it might sound, and could save headaches on both sides down the road, some industry experts and insiders say.
Migrating to the cloud can be a good, cathartic disciplinary process to lock down security controls.
vice president of security services, Savvis Inc.
Doug Barbin, a principal at BrightLine CPAs & Associates Inc., a Tampa, Fla.-based assurance and compliance advisory firm, said there's often a disconnect between what cloud service providers actually provide in terms of security policies and maintenance and what the customer ultimately is responsible for handling on its own.
"In these virtualized environments ... a [virtual machine] may have a standard Windows implementation; the machine is passed over to the customer, who has administrative access to that VM," said Barbin, speaking at the recent Gartner Catalyst conference in San Diego. It's at this "customer handoff" that the answer to who is responsible for things like maintenance and patching is left a very gray area, he said.
The biggest challenge Barbin encounters with his clients is this "expectation gap." Customers often fail to understand where their responsibility begins and ends for ensuring that a given cloud service meets their company's regulatory requirements versus the cloud service provider's compliance responsibilities. "The assumption is you outsource and it's just taken care of; the customer doesn't always recognize they have a responsibility in securing the environment as well," he said.
Cloud compliance, a two-way street
Scenarios like this one illustrate why it's the place of cloud service providers to coach customers on how they can be compliant in a cloud environment, said Dan Blum, vice president and distinguished analyst at Stamford, Conn.-based Gartner Inc. An experienced cloud service provider will step in, share insights and coach the customer to make the necessary changes -- a service that ultimately will be valuable to both parties, he said.
Read more about cloud service providers and security
See the results of recent survey on secure cloud computing
A look at some cloud security best practices
CIOs who are getting a handle on cloud security risks
Chris Richter, vice president of security services at hosting and network services provider Savvis Inc., agreed. Savvis, based in Town & Country, Mo., helps customers prepare for such events as a Payment Card Industry, or PCI compliance audit or a Health Insurance Portability and Accountability Act compliance audit, he said. It also helps customers re-architect their environments if they're migrating from on-premises computing to the cloud, Richter said. This migration period is often the best time for a company to improve security controls, he added. He claims to have seen "horrendous messes of data centers" that he then was able to help clean up during the migration process to a cloud environment. "It forces customers to go through that discipline," he said.
Classification data tends to be Richter's clients' weakest area. In response, he has cautioned them about mixing highly valuable and sensitive data with data designed for public use on the same network segment. "They may even have these data centers running on the same servers, and they'll often make the mistake of throwing too few security controls at it -- or too many, and spending too much money," Richter said.
"Migrating to the cloud can be a good, cathartic disciplinary process to lock down security controls," Richter said. His advice to prospective cloud clients? "Help us help you."
Let us know what you think about the story; email Karen Goulart, Features Writer.