Cloud computing has brought tremendous opportunities to the IT world. Organizations from startups to large enterprises view the cloud as a desirable option, thanks to the advantages of resource sharing, on-demand provisioning, and the pay-per-use model. As we all know, the cloud represents a large pool of resources unified through virtualization, which is capable of scaling up with requirements and is accessible from anywhere at any time. The cloud also brings increased efficiency and rapid deployment of services, within minutes rather than months, without clients having to worry about the underlying infrastructure or maintenance costs. However, despite these opportunities and benefits, trust concerns are holding back many global CXOs from aggressively jumping onto the cloud bandwagon. Concerns regarding trust and security start arising as soon as organizational data leaves the designated internal firewall and moves towards a public cloud domain. In short, trust management and information security have become a major challenge in this age of advanced technologies and anywhere-anytime connectivity.
Trust in the cloud is a very fuzzy concept for which there is no globally accepted definition. In the cloud environment, trust involves two aspects: trust management for the service provider and for the cloud service requester. Trust is a factor that ensures a reliable experience for users without them being concerned about the security of their assets in the cloud. On the service provider side, trust covers factors like the credibility of the service, data security, performance, and availability. In addition, cloud vendors expect cloud resources to be protected and to be utilized by trustworthy customers. Weak links in the trust chain, for example vendors subcontracting the work without informing the customer, or a lack of proper information on contractual terms, can have serious implications for the client organization. In short, trust becomes the most crucial factor in deciding whether the engagement between the cloud service provider and the service requester is right.
How to build a trusted cloud ecosystem?
Creating confidence and trust in the cloud is equally significant for the cloud service provider and the service requester. For this, organizations should frame a comprehensive and well-organized cloud strategy, secured with proper checks and balances and keeping future requirements in mind, when allocating cloud infrastructure to customers or receiving a service from a provider. This helps organizations to assess, monitor, improve, and enhance their operations in the cloud environment and thereby deal efficiently with trust issues, if any, within the cloud. Cultivating a trusted cloud environment helps organizations to address client concerns in a healthier way and can transform the general concerns around the cloud into new opportunities. From a customer point of view, organizations have to consider the full range of risks involved in their on-premise environment alongside those of externally hosted cloud environments. This approach will enable them to maintain a similar risk exposure, particularly as data and functions are moved from an internal to an external environment.
Let us examine the key factors that contribute to a trusted cloud environment.
Privileged access: Who has access to what on what level?
As information moves to cloud service providers, end-users require different levels of access, whether from internal or external data centers via remote access, to perform the tasks associated with their various roles. A lack of proper access control policies and guidelines can result in unauthorized access and mishandling of sensitive data, especially in this age of revolutionary concepts like Bring Your Own Device (BYOD). A centralized access management solution that is affordable, secure, easily manageable, and always available is required. This allows authorized end-users and service providers to access any cloud device or platform securely. Information stored in the cloud environment must be secured, and access to the information must be limited to resources on a ‘need to know’ basis. Organizations must emphasize reviewing access control policies in a timely manner and dedicate enough time to increasing awareness of access control policies and of concepts such as privileged access management, segregation of duties, ‘need to know’, etc. All these measures will help in reducing trust violations and improving trust among cloud customers.
Data Handling: Are appropriate controls including encryption and proper segregation in place?
To build trust in the cloud, both the service provider and the service requester should have a clear understanding of the data stored, processed, and accessed in the cloud. To ensure trusted data handling within a cloud environment, all information must be properly classified and segregated, and access to the information or resources must be limited by enforcing policies that grant privileged access to data only on a ‘need to know’ basis. Organizations must give enough focus to data handling, so that a customer’s requirements around data handling within the cloud are taken care of, along with the respective regional regulations on how data is stored and handled.
Technology: Is the technology foolproof enough to rely on?
The technology base that the cloud is built upon is significant for both service providers and requesters for keeping the data assets safe. If the virtualization technology or the third-party data center technologies are not secure enough to store and handle customer data, it will impact the trust factor. From a technology point of view, cloud service providers should maintain compliance with proper technical controls, industry certifications, and foolproof virtualization technologies for the customers. They should monitor vulnerabilities and provide audit reports at regular intervals. The service requesters must evaluate a cloud service provider based on factors including infrastructure management, scalability, security controls, and encryption in place.
IT Operations: Are IT operations clear and transparent?
When providing cloud services, cloud service providers have to give a complete picture of their policies, infrastructure, support/maintenance procedures, and DR strategies as part of IT operations. They should outline potential risks, if any, and the mitigation measures to address them. With transparency and appropriate communication on both sides, enterprises can deploy better cloud solutions to address complex technology problems.
Governance: Does it adhere to a proper governance model?
To build trust in the cloud, organizations need to have a proper governance model in place comprising cloud infrastructure, third-party entities, and in-house resources. Cloud service providers should ensure that users are educated on the significance of adhering to the cloud governance model. Regular evaluation of people, process, and technology must be carried out. They should establish periodic assessments with consumers to review the contractual terms and discuss the risks or any potential issues that may affect the service.
Audit and Compliance: Does it meet the audit and compliance standards?
It is critical to meet audit and compliance standards in the cloud environment. Cloud customers must analyze the history of the service providers in terms of security policies before adopting the service. To ensure trust, service providers must adhere to and comply with the cloud and data security regulations pertaining to a country. They should administer third-party audits with regular reviews and assessments to identify whether there are any issues in the established policies or contractual terms. They should also document, review, and keep updating their legal, statutory, and regulatory compliance.
A 2016 Gartner report says, “By 2020, a Corporate ‘No-Cloud’ Policy Will Be as Rare as a ‘No-Internet’ Policy Is Today”. Despite all the concerns regarding privacy, security, and trust, the cloud model will continue to evolve in the coming years. Organizations have to adapt and improve the ways they protect the information stored in the cloud and keep building trust around this disruptive business model.