
Why cloud service providers also should be security coaches

Karen Goulart, Senior Features Writer

Should cloud service providers also be security and compliance coaches? The idea is not as strange as it might sound, and could save headaches on both sides down the road, some industry experts and insiders say.


Doug Barbin, a principal at BrightLine CPAs & Associates Inc., a Tampa, Fla.-based assurance and compliance advisory firm, said there's often a disconnect between what cloud service providers actually provide in terms of security policies and maintenance and what the customer ultimately is responsible for handling on its own.

"In these virtualized environments ... a [virtual machine] may have a standard Windows implementation; the machine is passed over to the customer, who has administrative access to that VM," said Barbin, speaking at the recent Gartner Catalyst conference in San Diego. It's at this "customer handoff" that the answer to who is responsible for things like maintenance and patching is left a very gray area, he said.

The biggest challenge Barbin encounters with his clients is this "expectation gap." Customers often fail to understand where their responsibility begins and ends for ensuring that a given cloud service meets their company's regulatory requirements versus the cloud service provider's compliance responsibilities. "The assumption is you outsource and it's just taken care of; the customer doesn't always recognize they have a responsibility in securing the environment as well," he said.

Cloud compliance, a two-way street

Scenarios like this one illustrate why it's the place of cloud service providers to coach customers on how they can be compliant in a cloud environment, said Dan Blum, vice president and distinguished analyst at Stamford, Conn.-based Gartner Inc. An experienced cloud service provider will step in, share insights and coach the customer to make the necessary changes -- a service that ultimately will be valuable to both parties, he said.


Chris Richter, vice president of security services at hosting and network services provider Savvis Inc., agreed. Savvis, based in Town & Country, Mo., helps customers prepare for such events as a Payment Card Industry, or PCI, compliance audit or a Health Insurance Portability and Accountability Act compliance audit, he said. It also helps customers re-architect their environments if they're migrating from on-premises computing to the cloud, Richter said. This migration period is often the best time for a company to improve security controls, he added. He claims to have seen "horrendous messes of data centers" that he then was able to help clean up during the migration process to a cloud environment. "It forces customers to go through that discipline," he said.

Data classification tends to be Richter's clients' weakest area. In response, he has cautioned them about mixing highly valuable and sensitive data with data designed for public use on the same network segment. "They may even have these data centers running on the same servers, and they'll often make the mistake of throwing too few security controls at it -- or too many, and spending too much money," Richter said.

"Migrating to the cloud can be a good, cathartic disciplinary process to lock down security controls," Richter said. His advice to prospective cloud clients? "Help us help you."
