Some thoughts on transparency in the cloud

Lessons learned from a cloud expert on the importance of transparency, accountability, trust and other important factors of a cloud agreement.

David Lingenfelter from Fiberlink is on enough working groups about “Cloud” to float away, if he so desired. From the Cloud Security Alliance to NIST Cloud groups, the man knows the players on the circuit.

He recently gave a talk about cloud. I know, another talk about the bloody cloud. Will they ever stop?

David’s talk was better than most, though. He didn’t treat his audience like idiots, and he showed some real insight into the problems and pitfalls of cloud. Yes, he showed the benefits, but it was tempered with reality to a nice degree.

My favorite graphic of the preso was this one.

He shows that transparency between the cloud pieces/providers/entities is the only way to generate true trust between the entities and the consumers of cloud. With usable transparency, I can believe that the cloud entities that house, carry, manage, and audit my data are working for me with appropriate levels of controls, with proper communication, and without duplication of effort and cost.

Without transparency:

  1. No confirmed chain of custody for information.
  2. No way to conduct investigative forensics.
  3. Little confidence in the ability to detect attempts or occurrences of illegal disclosure.
  4. Little capability to discover or enforce configurations.
  5. No ability to monitor operational access or service management actions (e.g., change management, patch management, vulnerability management, and so on).

Trust, transparency, accountability, geographic legal differences, forensics, monitoring. All these issues carry a lot of weight in cloud, or any kind of outsourcing. Whether you send your credit cards off so you don’t have to deal with that pesky PCI, outsource your call center so you don’t have to deal with those pesky CSRs, or outsource your data center to the cloud so you don’t have to deal with those pesky servers, you have to know your limits, your needs, your budget, your control requirements, security measures provided, etc. The list is long.

Using the resources provided by various organizations, such as the CSA and NIST, among others, is a way to answer these questions in the short term, before you might have to answer them in front of the board. I realize that many readers are already conversant with and using cloud, but I strongly recommend checking out the presentation. I’ve requested that David post the preso on Fiberlink’s site, but if he can’t, email me and I’ll get you a copy.


Copyright © 2012 IDG Communications, Inc.
