Gartner analyst John Pescatore said it's simply not possible to know whether Google's technique of "hiding the data in a million places" is good security or not since there's no way to evaluate it. Speaking at the Gartner security conference, he said SAS-70 certification of any public cloud provider may be considered adequate for some customers, and not others. "SAS-70 is pretty meaningless from a security level, but it makes auditors happy."
Organizations with certain kinds of sensitive data are simply unlikely to find public cloud computing a right fit until the day comes when they can be sure their favorite security mechanisms are running in their cloud environment, Pescatore said.
Cloud computing challenges traditional notions about auditing and security, and it's possible a new way of auditing needs to evolve.
"If your service provider won't give you information about security processes and plans in order to do what's necessary, you shouldn't trust that provider," said Andreas Antonopoulos, an analyst with Nemertes Research.
The old idea of "security by obscurity," which suggests you can defend your security position best by keeping mum about everything, is misguided, he said. "It doesn't work. There's always someone who knows," Antonpoulos said. If you hear someone try to get your business by uttering that phrase, "run far and fast."
Analyzing the fine print
Legal experts took notice when the City of Los Angeles posted its contract with Google related to the city's migration to Google e-mail and collaboration services with the help of IT services firm CSC..
David Navetta, an attorney at Information Law Group, recently completed an analysis of the lengthy contracts with Google and CSC to determine how each side fared in defining responsibilities related to a potential data breach and indemnification of damages.
He note Google is defined in the arrangement as a CSC "subcontractor," and "therefore, as respects indemnification for a breach of confidentiality obligations or for lost City Data, CSC would be responsible to pay for Google's act or error." However, he thinks the term "lost data" should have been defined more clearly in the contracts.
Speaking in general about the job of evaluating and approving cloud services contracts, Navetta said it's common to encounter a rushed environment where cloud service providers insist they don't have time to discuss details and don't want to make changes.
"The usual line is 'we can't do this one change for one customer,'" Navetta said. Security and legal are typically "on the same side of the aisle," while the IT department wants to get something done quickly to save money. He said cloud providers often don't want to "let people truly look under the hood" and using them "constitutes a trade-off because you're losing control." Not surprisingly, large companies and government agencies can be expected to obtain more concessions from cloud-service providers.
Sign up for CIO Asia eNewsletters.