Security Accountability in the Cloud

August 28th, 2009

Microsoft Azure has the potential to be a great long-term infrastructure bet for my company. But I have to ask the question: will my clients sign on to having their applications, and particularly their data, in the Microsoft cloud? We service a lot of financial services clients. I spend a significant part of my time responding to current and future client requests for information about our security and infrastructure. This runs the gamut from a one-page summary, to a 20-page document, to on-site visits and penetration testing.

I will be interested to see how much detail Microsoft is willing to provide, and to whom, about its datacenters, its physical and data security, and where my data would actually reside. It’s a bit of a Catch-22. One situation we run up against: a client wants to see a copy of the datacenter’s SAS 70 Type II audit report, but depending on the datacenter’s security policy, it may consider showing that report to another third party a security breach.

They will provide documented evidence of their general security practices and audit confirmation, but not the details. In reality, distribution is restricted, not eliminated, so if you’re a big-volume client at an individual datacenter, you can work something out. But when you go out to a large cloud, you become a much smaller fish in a bigger pond. The cloud provider can’t go around giving out a lot of information about its operations to anyone who asks, so where do you draw the line? (The whole argument about security through secrecy vs. open, peer-reviewed information probably applies as much to physical security as it does to code security.)

So we’ll see how this develops. It will be interesting to see how successful providers are at luring different types of client companies, and how much information they will disseminate about their practices.

