SAN FRANCISCO–A panel of cloud providers and enterprise security professionals said that in order to make enterprise security teams feel more comfortable entrusting their data to the cloud, cloud providers need to be more transparent and open about the security measures and processes they have in place to protect that data. Those assurances, they said, need to go beyond the current point-in-time assessments and move to more meaningful continuous monitoring processes.
Cloud computing is continuing to gain ground in enterprises in many industries, as well as with smaller businesses that are eager to save money and off-load some of their workload to providers who may have more security expertise on staff. However, one of the common complaints among users is that they don’t have as much visibility into the way things work at cloud providers as they’d like, not only in terms of their own data, but also in terms of what the providers do to secure their infrastructures.
“Cloud providers are a black box. You can’t get visibility. Traditional technology transfer of security into the cloud is one of the gaps we need to focus on,” said Rich Tener, director of security at Zynga, during the panel discussion at the United Security Summit here Monday.
“The question is, which black box is more secure than the others? It’s a risk-tolerance game. Depending on how secure they are, it’s a question of how much risk you can tolerate when you’re putting your data in there with them. We need a way to have a standard, controlled risk view of which providers are riskier than others.”
Google, which provides cloud service to millions of consumers as well as large enterprises, through a variety of offerings, spends a lot of time talking to those customers about the security of their data and what steps the company takes to ensure its availability and integrity, said Eran Feigenbaum, director of security for Google Apps. But, he emphasized that there’s room for improvement.
“Continuous monitoring is something we can improve on, I’ll be very honest,” Feigenbaum said. “Every customer deserves the highest level of security. Whether you’re a free Gmail user or a large enterprise that’s paying us millions of dollars, you get the same level of security. That’s how it should be.”
Both Feigenbaum and Tener said that there are circumstances under which public cloud providers can provide a definite security advantage over traditional on-premises security services. But it’s not always clear to customers when that’s true.
“Cloud can be as secure, if not more secure, than what most organizations do today. The main difference is scale, the scale of doing things right and what happens if something goes wrong, because we have a lot of people’s data,” Feigenbaum said. “We try to have self-healing systems that don’t require human intervention. It’s expecting systems to fail and having systems in place to fix and heal those when it happens.”
“Public cloud providers can definitely be more secure, but it depends where they are in the security lifecycle,” Tener said. “The problem is, it varies. How are they doing security internally? You have to go through that vetting process. I judge the maturity of their security the same way I’d judge mine.”