Securing the Cloud: We Get It

We understand: customers are particularly concerned about security when it comes to cloud services.
No problem. That’s why we’ve invested considerable sums in annual 3rd-party audits by Moss Adams to verify that we do what we say we do.
Recurring SOC 1, 2, and 3 Type 2 audits. A rigorous 21 CFR Part 11 audit.
Trust AND verify. See the data and believe.
Article by research analyst Peter ffoulkes from 451 Research.
Emphasis in red added by me.
Brian Wood, VP Marketing

Securing the cloud: What are the top concerns?

With security being cited by 37% of respondents as the biggest pain point when implementing cloud computing architectures, it isn’t surprising to find that security is a major consideration when selecting a cloud provider. Seventy-three percent (73%) considered security to be extremely important, 19% rated security as very important, and 8% as important, leaving no respondents who considered security to be anything less than important.
Trust and verify
Cloud security issues are not really about whether Amazon Web Services, Microsoft Azure or any other cloud provider has good security. The preponderance of evidence suggests that the established providers have high levels of security, but the question for cloud consumers is how do they establish an acceptable level of trust, and how do they verify that the security levels meet their organization’s requirements? Data privacy and security tops the list of concerns, cited by 41% of respondents, followed by access and control at 35% and auditing and compliance at 32%. Control of data, security models and toolsets, and contractual/legal issues were raised by between 15% and 26% of respondents.

Security is a very personal thing, and each organization has individual requirements, which presents a challenge for cloud providers to address with standardized offerings. The availability of APIs, and a range of popular toolsets together with appropriate access privileges is one possible approach, but no provider stands out today as having cracked the code in a way that satisfies a wide number of consumers.
Anecdotal commentary illustrates the range of concerns expressed by TheInfoPro’s respondent community:

  • “Data leakage/privacy breaches. For us it’s all about the data and securing it. Intellectual property loss would be far less damaging than losing customers’ data.” – MSE, Services: Business/Accounting/Engineering
  • “Marrying together internal roles, policies and security clearances with what is available in your cloud vendor.” – LE, Financial Services
  • “Multi-tenancy is unproven, no audit trail.” – LE, Telecom/Technology
  • “Federated security models.” – MSE, Public Sector
  • Auditing. We have to be audited, making sure the external companies are doing their own audits and being able to provide that data to us and being able to do our own audit. A lot of companies say ‘we’re PCI or HIPAA compliant’; we say we’d like to see the data, they say ‘no.’” – LE, Financial Services
  • “We’re trusting someone else with our information. So we have less visibility to their security, short of what they tell us on paper or PowerPoint slides. It’ll come down to contractual agreements – if we put any data out there that requires SOX or PCI controls, they’ll have to sign documents to indemnify themselves, we aren’t gonna fail an audit because of their failure of hygiene.” – LE, Transportation