Despite the best efforts of cloud service providers and industry groups like the Cloud Security Alliance, cloud security remains a troublesome issue for IT execs.
At an RSA conference session in San Francisco devoted to cloud security, IT security pros complained about the lack of transparency among cloud providers and how that makes it extremely difficult to make informed buying decisions.
Attendees in the audience pointed out that there's currently no certification for cloud security. And cloud vendors won't allow enterprise customers to go on site and actually touch the machines. So, where does that leave IT execs?
Nils Pulhman, former CSO at Zynga, suggested that IT execs grill prospective cloud service providers. "Play the role of a police investigator,'' he said. "Feel out how mature is the provider.''
In his experience, particularly with startups, "nine out of 10 fall apart'' when you ask the tough questions.
He said enterprises need to understand that the No.1 priority for cloud providers is minimising the impact of a security breach on themselves. Minimising the impact on the customer takes a back seat, so "customers need to build out controls too.''
"You've got to demand transparency from the vendors,'' added Patrick Foxhoven, vice president of cloud operations at vScaler. "Without transparency, you can't audit.''
But many in the audience pointed out that a single enterprise customer doesn't have much leverage against a large cloud provider that's not accustomed to opening up its security policies.
One attendee asked about the problem of trying to evaluate a SaaS provider that's on a different vendor's PaaS platform, that's hosted on a third vendor's cloud infrastructure. "Does that mean three times the work?''
Foxhoven also pushed back against enterprise customers and said that, as a provider, he gets hit with huge security-related questionnaires from potential customers and most of the questions aren't applicable to the way security is implemented in the cloud.
He said there's no easy answer, but one suggestion for IT execs is to talk to other customers and find out what their experiences have been with a particular service provider. "That's the unfortunate reality of where we're at today,'' Foxhoven said.