Cloud security concerns are starting to dissolve away as security technology and risk management practices mature in cloud and virtualized environments. But there's still one niggling barrier that won't go away if cloud providers aren't more proactive in tearing it down: transparency.
According to a recent IDG Enterprise cloud report, cloud service providers that insist on treating their architecture, their practices and their technology stack as a black box are going to lose out in the long run. Even though three-quarters of IT managers today say that they're confident in the security of information in the cloud, six out of ten of these decision makers say they can't fully get on board with cloud deployments until providers open the security kimono.
This shows that these days it's not necessarily a matter of security that's standing in the way of broader cloud adoption. It's actually a matter of trust.
"It can be said that the main barriers to adoption of cloud computing come from lack of trust, which is generated by the perceived lack of clarity in service level agreements (SLAs) and security or privacy policies, standard terms and conditions, and sometimes in the immaturity of cloud services," argued Daniele Catteddu, Cloud Security Alliance managing director for Europe, the Middle East and Africa last month.
"Transparency of cloud service providers in their approach to information security is the key to building trust in their services.
As things stand, 61 percent of the total IT environment is still-non cloud, and just 15 percent of IT assets are utilizing public cloud, according to the IDG report. Clearly, there's still room to grow into cloud architectures. The survey showed that 63 percent of organizations report that cloud is increasing IT agility, 58 percent say it is improving access to critical data and applications and 61 percent say it is increasing IT innovation.
Catteddu argues that in addition to third-party assessments like ISO 27001 and attestation statements like SOC2, specific security parameters in cloud service level agreements (secSLAs) can go a long way to adding better visibility and accountability for cloud customers from their service providers.
"Unfortunately, the conspicuous lack of relevant cloud security SLA standards is a barrier for their adoption," he says. "The benefits related to the specification of standardized security elements in cloud SLA are clear as the usage of secSLA seems to be the missing piece on the cloud customer’s security assurance and transparency puzzle."
He reports that CSA is working with the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) on just such a proposition. Enterprises and providers alike should keep their eyes peeled for visible progress on the front sometime next year.