Microsoft's Trustworthy Computing team today released its third video in the "Cloud Fundamentals" video series, Mark Estberg, senior director in Microsoft's Global Foundation Services, describes that there needs to be a partnership between customers and cloud service providers.
"Customers need to know that their cloud provider(s) are being responsible with the applications and data they entrust to them; this is especially true for organizations that have compliance obligations," said Estberg.
Estberg also notes that customers need to be mindful of their requirements and whether they are compatible with the deployment model(s) they are evaluating.
They can opt for periodic audits by some small number of trusted auditors in combination with some level of automated reporting, seems to be a reasonable model until innovations in the industry provide richer automated reporting becomes available.
According to Tim Rains, director, Trustworthy Computing, customers looking to try to put a "right to audit" clause into the service level agreements might not really get the transparency they want, for at least a few reasons:
- Transparency or Breach: If each customer of a cloud provider has the unrestricted right to audit the cloud operations and infrastructure, the audit activity of one customer might constitute a breach or policy violation for other customers sharing the same cloud infrastructure.
- Cloud is a Stack: Cloud providers typically leverage the services and infrastructure of other vendors during the course of providing services to its customers. For example, network services to and from a cloud provider's data center are likely provided by two or more network providers (for redundancy, load balancing, etc). Even if a "right to audit" clause provides visibility into a cloud provider's environment, it likely won't provide insight into the tiers of providers that constitute the cloud stack that the customer is leveraging. In other words, the "right to audit" clause won't transmit to all the carriers that are involved in potentially providing service for that customer.
- Audit or Innovate: If every customer in a multi-tenant environment periodically exercised a "right to audit", this would drive out many of the efficiencies that create potentially lower costs and greater business agility for those tenants. Cloud providers would spend more time responding to steady streams of audit requests than innovating and creating the efficiencies that customers are looking for.
Here are all the three videos of the series:
Introduction to the Cloud Fundamentals Video Series:
Cloud Computing & Business Agility:
Cloud Computing Requires Transparency: