Skip Links

What should cloud providers know about their customers?

Vetting processes are limited by practical considerations, experts say

By , Network World
April 11, 2012 10:10 AM ET

Network World - When customers sign up for an infrastructure-as-a-service (IaaS) plan from one of the number of vendors in the market, usually a name and credit card is needed before data is stored in the provider's cloud. But just what are public cloud providers doing with that information?

Security remains one of the chief concerns users have related to deploying the cloud, studies have suggested, and various providers seem to tout their security features for protecting data in the cloud. IBM, though, may take that even a step further by not just protecting data that's in the cloud, but regulating which customers use their cloud services.

WHICH IAAS IS RIGHT FOR YOU? 10 most powerful IaaS companies 

HP'S REVAMPED PUBLIC CLOUD PLAY: HP takes aim at Amazon with public cloud, virtual network components 

A blog post from Microsoft community website Redmond Channel Partner recently reported an interview with an IBM executive who was quoted saying, "An individual can't simply sign up with a credit card" to use IBM services. Rich Lechner, vice president of cloud for IBM's Global Technology Services unit, notes that IBM monitors the identity of each customer using its cloud service so that they know "who is in the building," he says.

Are IaaS providers vetting data from individual customers before allowing it to be stored in their cloud? For most IaaS providers: Fat chance, says Alan Shimel, managing partner at the CISO Group, a consultancy.

"Do you really think they're doing a customer-by-customer review of who you are and what data you're putting up there on an ongoing basis?" Shimel asks. "Most likely not. The very nature of the elasticity of the cloud would make that nearly impossible, or at least cost-prohibitive." Shimel notes that he's not familiar with the security policies of each individual cloud provider, and those may change from vendor to vendor. But some of the large public cloud IaaS providers, he says, can't possibly keep tabs on all their customers.

A spokesperson for IBM would not comment on the company's policies beyond what Lechner was quoted as saying in the blog post. But, Shimel suggests that another potential reason for IBM's wanting to know the identity of individual customers is because their clouds are aimed at enterprise users and the company may tailor services to meet their needs.

Other IaaS providers were more vague regarding their strategies. A spokesperson for Rackspace wrote in an e-mail that, "Maintaining customer trust and the security of customer data are top priorities for us." She did not provide details of efforts the company takes to identify customers or if they vet data before it is stored in the company's managed hosting or cloud environments though.

Amazon Web Services, seen by many as the market leader in the IaaS category, provided some additional details. "We do not inspect customer data," wrote AWS spokesperson Kay Kinton in an e-mail. But, she went on to say that the company uses "sophisticated screening up front to protect against fraud and abuse before customers are allowed to consume our services and then to scale." AWS requires customers to submit an e-mail address, phone number and credit card information before using its offerings, then it sends a PIN to customers granting access to the service.

Our Commenting Policies
Cloud computing disrupts the vendor landscape


Latest News
rssRss Feed
View more Latest News