Cloud provider assurance: Trust but verify
by Mike Small - Analyst at KuppingerCole - Thursday, 11 October 2012.
Can an organization trust an IT service provided through the cloud? A survey by KuppingerCole showed that “Cloud security issues (84.4%) and cloud privacy and compliance issues (84.9%) are the major inhibitors preventing organizations from moving to a private cloud.”

Using a cloud service means moving from a “hands on” management model to one of indirect governance. How can an organization use an indirect governance to assure trust in the service provided? The answer can be found in the old Russian maxim, which was often quoted by US President Ronald Regan: “trust but verify.”


The risks associated with cloud computing depend on both the IT service model and the delivery model adopted. Some of these risks are new but many of the risks are already found with any outsourced IT service.

The risks can be divided into three general categories; policy and organizational risks, technical risks and legal risks. Examples of these risks include:

Ensuring compliance - Many organizations have invested heavily to ensure compliance with laws and regulations. Will using a cloud service affect compliance?

Business continuity - The recent reported outages of major cloud services show that 100% availability may not be guaranteed. How does using a cloud service impact business continuity?

Data security - What are the risks to data held remotely within the cloud provider’s infrastructure?

Using the cloud may outsource the IT service but it does not outsource responsibility. The cloud user remains responsible for the security of their information and for the continuity of their enterprise. When moving to the cloud, it is essential that steps are taken to manage these risks.

Manage risk through understanding needs

The first step to assuring trust is to understand what the business requirements are. Everything follows from these requirements:
  • Classify data and applications. Some applications are more critical than others and some kinds of data are more sensitive than others.
  • Develop scenarios to understand the benefits and risks. Use these to determine the requirements for controls and the questions that need to be answered. This helps you to decide the appropriate response to the risks based on your enterprise’s risk appetite.
  • Understand what the certification and accreditations offered by the cloud provider mean and actually cover and how these support your needs. Assurance frameworks can help with this.
  • Finally, monitor the service provided using the agreed controls to assure that it is conforming to what was agreed.
Assurance frameworks

There is no shortage of advice on how to manage risk to both cloud service providers, as well as cloud customers. The following list summarizes the most prominent frameworks and sources of advice:
  • ISO/IEC 27001-27005
  • AICPA/CICA Trust Services (SysTrust and WebTrust)
  • Cloud Security Alliance Controls Matrix
  • BITS Shared Assessment Program
  • Jericho Forum Self-Assessment Scheme (SAS)
  • CSA Shared Assessments
  • ENISA Procure Secure
  • German BSI Security Recommendations for Cloud Computing Providers.
  • NIST Cloud Computing Synopsis and recommendations
However, a survey by ENISA of SLAs across EU Public Sector in Dec 2011 showed that, while 60-70% of respondents had adopted standards like ISO27001 and ITIL for internally produced IT services, only 22% required external IT providers to adhere to the same standards.


Critical bug found in Cisco ASA products, attackers are scanning for affected devices

Several Cisco ASA products - appliances, firewalls, switches, routers, and security modules - have been found sporting a flaw that can ultimately lead to remote code execution by attackers.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Feb 12th