
Lack of Transparency in Public Cloud

Blog post by HP Blogger

Discussing with industry colleagues the other day, I was challenged when I pointed out that cloud services lack transparency. I realized my statement was probably too broad, as private clouds remain under the responsibility of their owners. So let me restate it more precisely, focusing on public cloud services, and describe what I mean.

Beyond IaaS, cloud services often require a "supply chain" to deliver the service: the company advertising a service may rely on other companies to provide the infrastructure, some of the functionality bundled into the service, and so on. To quote a widely published example, Apple's iCloud appears to use Amazon and Microsoft Azure services. How do we know that? Because a curious journalist examined the web addresses contacted when accessing the iCloud service.
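The technique the journalist used, following the hostnames a service resolves to until a known provider's domain appears, can be automated. The script below is an added example, not code from the original post; the DNS records it walks are constructed inline (under the reserved `.test` domain) and the provider-suffix table is an assumption to be extended from the providers' own published domain lists, not an authoritative mapping.

```python
"""Infer a web service's hosting supply chain from DNS evidence.

Added example, not code from the original post. SAMPLE_DNS is a
constructed stand-in for the answers a resolver would return; the
PROVIDER_SUFFIXES table is an assumption, not an authoritative list.
"""

# Constructed sample answers: hostname -> next hop in its CNAME chain,
# or a terminal IPv4 address (documentation ranges, RFC 5737).
SAMPLE_DNS = {
    "files.example-service.test": "cdn.example-service.test",
    "cdn.example-service.test": "d1234abcd.cloudfront.net",
    "d1234abcd.cloudfront.net": "203.0.113.10",
    "api.example-service.test": "example-api.azurewebsites.net",
    "example-api.azurewebsites.net": "198.51.100.7",
    "www.example-service.test": "192.0.2.5",
}

# Assumed hostname suffixes that identify an upstream provider.
PROVIDER_SUFFIXES = {
    "amazonaws.com": "Amazon Web Services",
    "cloudfront.net": "Amazon Web Services",
    "azurewebsites.net": "Microsoft Azure",
    "cloudapp.net": "Microsoft Azure",
    "windows.net": "Microsoft Azure",
    "akamaiedge.net": "Akamai",
}


def _looks_like_ipv4(value):
    """True when the string is a dotted-quad IPv4 address."""
    parts = value.split(".")
    return len(parts) == 4 and all(
        p.isdigit() and 0 <= int(p) <= 255 for p in parts
    )


def resolve_chain(name, dns, max_hops=10):
    """Follow CNAMEs from `name` until an address or an unknown name.

    `max_hops` bounds the walk so a CNAME loop cannot run forever.
    Returns every hop visited, starting with `name` itself.
    """
    chain = [name]
    current = name
    while current in dns and len(chain) <= max_hops:
        nxt = dns[current]
        chain.append(nxt)
        if _looks_like_ipv4(nxt):
            break
        current = nxt
    return chain


def provider_for(hostname):
    """Return the provider whose domain suffix matches `hostname`, else None.

    The match requires a label boundary: 'notamazonaws.com' must not
    be attributed to Amazon.
    """
    host = hostname.lower().rstrip(".")
    for suffix, provider in PROVIDER_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return provider
    return None


def supply_chain(names, dns):
    """Map each service hostname to the set of providers its chain reveals."""
    result = {}
    for name in names:
        providers = set()
        for hop in resolve_chain(name, dns):
            provider = provider_for(hop)
            if provider:
                providers.add(provider)
        result[name] = providers
    return result


if __name__ == "__main__":
    hosts = ["files.example-service.test", "api.example-service.test",
             "www.example-service.test"]
    for host, providers in supply_chain(hosts, SAMPLE_DNS).items():
        print(host, "->", sorted(providers) or "no known provider in chain")
```

Two caveats follow directly from the post's argument. First, a hostname that resolves straight to an address, like `www.example-service.test` above, tells you nothing; the server behind that address may still be a rented instance, so an empty result is "unknown", not "self-hosted". Second, DNS only exposes dependencies that sit in the client's network path; a storage service or queue the backend calls server-side never appears here, which is exactly why the author calls such evidence the tip of the iceberg.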

When Amazon EC2 went down last April, people tracked the companies that were affected. The list can be found here. I did not check them all, but none of those I checked mention anywhere that they run on Amazon EC2.

This is the tip of the iceberg: the facts we can trace. In practice it means there is currently no way to know who is actually participating in the delivery of a public cloud service. There is no obligation of transparency in the delivery.

Do you remember the T-Mobile/Microsoft/Danger data loss a couple of years ago? It may not have been a cloud computing issue so much as a failure to follow standard IT processes. Frankly, that does not matter. It demonstrates that a service is only as well managed and secured as its weakest link. The issue? We have no way to assess that weakest link, because we have no visibility into who participates in delivering the service.

And I could continue this way. Now, you will tell me these are services developed for consumers, not for enterprises, and since 90+% of services are developed for consumers and SMBs you are probably right. However, the boundaries between consumers and enterprises are blurring, for two reasons. The first is that business people, not receiving appropriate service from their IT department, increasingly use external services (including Facebook, Dropbox, YouSendIt, etc.). We call this "shadow IT".

The second is that a new generation, known as the millennial generation, is entering the workforce. They are very familiar with IT and use it constantly to stay connected with friends and family. They expect the same in their work environment and do not understand why they should use different tools at work than in their private life.

On top of that, an increasing number of "free" services, originally developed for consumers, are moving up the stack and delivering "premium" services to businesses. Both tiers often run on the same platform and use the same environments.

But what are the dangers of this lack of transparency? In my mind they are twofold. On the one hand, we have no visibility into the processes and procedures used by the players in the service supply chain. For example, what levels of security does each partner guarantee? And what is guaranteed at the integration points between partners: how are duties distributed, and are all aspects addressed?

The second element has to do with the location of data and its association with the now well-known Patriot Act. Where does my data reside? Let me take a simple example. YouSendIt runs two datacenters in the US and now has a brand new location in the UK. But where will my data actually be located? There is no way to specify that you want your data in a particular geography.

I understand from talking to lawyers at American IT companies that the Patriot Act may in essence not be that different from criminal legislation in other parts of the world, but as ZDNet pointed out in their series on the subject, it is, to my knowledge, the only legislation that applies outside the boundaries of the initiating country without involving the jurisdiction of the country concerned. At the moment no Patriot Act related case has been brought before the courts, so no case law has been established yet.

So, how could we address these issues and give the user of services the information needed to decide which service to use with a full understanding of the implications?

I would make the following suggestions:

  • At a minimum, an obligation to include in the description of the service the names of all players in the service supply chain
  • Ideally, an objective assessment, provided to the user, of the quality of the processes and procedures established for delivering the service. This should cover at least security, redundancy, disaster recovery and data location. It could be done through formal certification, through a categorization of levels (e.g. a star system) or any other appropriate means. The objective is to let the user quickly and easily understand what he or she is actually getting.

As far as the Patriot Act is concerned, I would also urge the European Union to make a clear statement as to how enterprises can comply with both EU privacy law and the Patriot Act. There is a feeling of uncertainty in the market at the moment, and that does not help business.

Paul Calento 255 Points | Fri, 11/25/2011 - 21:32

There seems to be too much control on the cloud provider side and not enough on the customer side. Is demand for cloud services so great that the customer can't control what they need? Clearly, as Rafal notes below, lack of transparency is leading to serious enterprise security challenges.

--Paul Calento

(note: I work on projects sponsored by and HP)

Rafal Los 111 Points | Tue, 11/22/2011 - 16:12

Christian, as always you are dead on. My concern is that we're talking about 'transparency' on different levels. I've been hearing information security folks talk about transparency in a different way: that of 'auditability' of the 3rd party's actions. So in other words, as the consumer I need transparency from my vendor to see what actions they are taking on my environment, who performs those actions, and when; to help me determine how compliant and auditable I am; and to give me, the customer, assurance that I've got a sane environment. Brilliant, thought-provoking piece of writing. I'll see you in Vienna and we can talk more on this topic for the podcast!

Pearl Zhu 90 Points | Fri, 11/18/2011 - 18:27

Hi Christian, thanks for sharing. Service transparency is a quality the cloud vendors should deliver, especially now that the whole cloud ecosystem is growing bigger and more complex. It's also part of the GRC strategy: IT and vendors should work on the same page for a more trusted partner relationship. Thanks.