San Francisco -- Despite the best efforts of cloud service providers and industry groups like the Cloud Security Alliance, cloud security remains a troublesome issue for IT execs.
At an RSA session devoted to cloud security, IT security pros complained about the lack of transparency among cloud providers and how that makes it extremely difficult to make informed buying decisions.
|Hottest products at RSA Conference 2013|
|Do enterprise security teams want "Big Data Security"?|
|Juniper's "device fingerprinting" security technology gets mixed reviews|
|HP unveils 'Big Data Security' strategy|
|Weatherford outlines 'cyber 9-1-1' plan|
Attendees in the audience pointed out that there's currently no certification for cloud security. And cloud vendors won't allow enterprise customers to go on site and actually touch the machines. So, where does that leave IT execs?
Nils Pulhman, former CSO at Zynga, suggested that IT execs grill prospective cloud service providers. "Play the role of a police investigator,'' he said. "Feel out how mature is the provider.''
In his experience, particularly with startups, "nine out of 10 fall apart'' when you ask the tough questions.
[FROM RSA: The hottest products at RSA]
He said enterprises need to understand that the No.1 priority for cloud providers is minimizing the impact of a security breach on themselves. Minimizing the impact on the customer takes a back seat, so "customers need to build out controls too.''
"You've got to demand transparency from the vendors,'' added Patrick Foxhoven, vice president of cloud operations at vScaler. "Without transparency, you can't audit.''
But many in the audience pointed out that a single enterprise customer doesn't have much leverage against a large cloud provider that's not accustomed to opening up its security policies.
One attendee asked about the problem of trying to evaluate a SaaS provider that's on a different vendor's PaaS platform, that's hosted on a third vendor's cloud infrastructure. "Does that mean three times the work?''
Foxhoven also pushed back against enterprise customers and said that, as a provider, he gets hit with huge security-related questionnaires from potential customers and most of the questions aren't applicable to the way security is implemented in the cloud.
He said there's no easy answer, but one suggestion for IT execs is to talk to other customers and find out what their experiences have been with a particular service provider. "That's the unfortunate reality of where we're at today,'' Foxhoven said.