How Public Cloud Providers Can Improve Their Trustworthiness

By Matthew Gardiner

When you meet someone for the first time, in a place you have never been, do you trust him? Would you have him hold your wallet, or share sensitive personal information with him? Of course not. At that moment the person is not trusted by you, but that doesn’t mean he never could be. If he turns out to be a reliable acquaintance over time, he could earn that trust. The same analogy applies to the current state of security and trust in the public cloud.

The biggest barrier to broader and faster adoption of public cloud services (whether SaaS, PaaS, or IaaS) is trust. Consider the results of nearly any survey on cloud adoption, or talk with your friends and colleagues in IT, and you’ll find the message is the same: the public cloud has great promise and impressive early adoption, but there remains a nagging set of concerns that are proving hard to address. Many characterize these concerns as being about security. While I agree there are important security issues that need to be resolved, such as how security can be managed jointly by the cloud provider and the cloud consumer, I prefer to characterize the issue more broadly as one of trust. Either way, it stands to reason that the greater the trust, the greater the adoption.

Trust is about more than just security controls. Trust also emerges from good execution of the “abilities,” such as reliability, availability, portability, and interoperability. Is the public cloud trustworthy for an organization’s more sensitive and mission-critical applications and data? The only one who can ultimately decide that for you is you. Trust can be influenced by third parties (auditors, certifications, references), but it can only exist between the two parties in the relationship.

In order to improve their trustworthiness, cloud providers should:

  1. Avoid being a black box, in particular for security and “ability” related systems and processes. I am not saying public cloud providers should publicly disclose everything and increase their exposure to attack, but they should give customers as much control and visibility as possible over the services, systems, and processes being delivered for them. The systems and processes within the service should not be a secret. Control or visibility of the customer’s services should extend all the way up the application stack: from the network, through storage and servers, to applications and data. People tend to trust those who don’t appear to be hiding anything, so transparency by cloud providers helps foster trust. Audits can also serve as vehicles for gaining trust, whether they are performed by third parties or by the customers themselves.
  2. Improve trust by reducing technical lock-in. Portability will be high on the list of cloud consumers’ concerns. Instead of keeping your customers through technical lock-in, put your head in your customers’ hands right at the beginning of the relationship and make sure they have all the flexibility they need to swap vendors. Make sure that your cloud service, as appropriate, offers data and application portability that is crisply defined and free or inexpensive to invoke. Bend over backward to avoid causing technical lock-in, and strive to keep your customers through great service at a great price. In addition, offer clear SLAs with strong warranties. Put clear financial penalties into your SLAs for missing their terms, and perhaps even bonuses for surpassing them. I recognize that this may be counterintuitive to some, but if the goal is enhancing trust, this is a great way to do it.
  3. When things go wrong, be open and honest about them. Said another way, keep your promises, and if you can’t, tell your cloud customers quickly and honestly about your mistakes and explain what you are going to do better next time. In fact, this should be part of your corporate philosophy, so that prospective customers hear about it before they actually experience it. Just as with personal relationships, most good cloud provider/cloud consumer relationships can survive some broken promises, provided they are handled openly.

We all know that trust is relative, as in “I trust that person (or service) more than that one” or “I trust this service more than I used to.” Mathematically, I think of it this way: Trust = Performance × Time. As good performance accumulates over time, overall trust goes up. Good performance over a short period elicits some additional trust, but not much. For public cloud services to attain their prospective position as the next major IT service delivery architecture (following mainframe, client/server, and Web), it is imperative that the industry take proactive steps to improve its trustworthiness.

Matthew Gardiner is a director in the security business unit at CA Technologies. He is a recognized industry leader in the security and Identity and Access Management (IAM) markets worldwide. He publishes, blogs, and is interviewed regularly in leading industry media on a wide range of IAM, cloud security, and other security-related topics, and is a member of the Kantara Initiative Board of Trustees. Gardiner has a BSEE from the University of Pennsylvania and an SM in management from MIT's Sloan School of Management. He blogs regularly and also tweets.