This Dark Reading article effectively summarizes the current state of maturity of cloud computing security, and I agree with the author's assessment.
Given that state of maturity, there are only two ways to adequately manage the risks. These will certainly change over time, but today the best ways to manage risk are:
- Articulating service level requirements at a granular level with quantifiable metrics.
- Ensuring that, as an IT security professional, you gain a real, first-hand understanding of the architecture and the security controls in place.
I would also add that with the cloud you cannot assume "standard" Service Level Agreements (SLAs) will suffice. For most vendors, the standard SLAs will in all likelihood need to be revised or enhanced before they adequately cover your risks.
You can learn more about Cloud Computing Security at this blog, Cloud Security, dedicated to the topic.
The reality in establishing effective agreements with Managed Service Providers (MSPs) is that it is almost never ideal for you to insist that the MSP implement your particular set of IT General Controls. (Key: Whose responsibility is IT? At the end of the day you report to your shareholders.)
First you need to define your own internal set of policies and procedures and convey those requirements to the MSP.
Second, you need to confirm their stated policies and procedures in relation to your own internal requirements, prior to an agreement.
The Third step is that you MUST BE ABLE to audit theirs, and have the authority to do so on an ongoing basis.
The final condition prior to signing is that they assume some type of risk-related penalties (i.e., "quantifiable metrics").
I strongly recommend that you ensure within your SLA that you actually have the necessary authority for you (or a designated third party) to audit their internal policies and procedures.
If you don't, I would insist that you have made an insufficient arrangement on behalf of your organization.
P.S. Always include RISK as a key factor in evaluating IT Outsourcing!
Christopher Peterson
Mainstream Networks Ltd.
Vancouver, BC
www.mainstreamnetworks.ca
Posted by: MainstreamIT | December 02, 2009 at 01:15 AM
Christopher,
Thank you for your post. I wholeheartedly agree with your comments on being able to audit. Without audit provisions, you will never be in a position to understand what is happening with your managed service provider and won't be able to effectively ensure the management of your information risks.
When establishing audit provisions, you must clearly articulate the details that will ensure you have adequate access to the managed service provider's staff, technical environment, documentation, and processes. I would also add within the audit provisions the ability to change the provisions to address either previously unknown risks or new risks that emerge.
Audit provisions can also help a company renegotiate SLA elements in the future, because conducting audits can provide critical data to support requests for service level changes from the managed service provider.
Ultimately, effective audit provisions and their execution will help ensure that you have the necessary knowledge and understanding over time to drive actions by the service provider to manage information risk.
Mark Brooks
Posted by: Mark Brooks | January 09, 2010 at 06:06 PM