Enterprises have become more comfortable with the security of cloud platforms and their ability to protect against outside attackers, but they remain concerned about a lack of transparency into how cloud providers use data related to their accounts.
AWS, Microsoft and Google have made some strides to increase visibility into the processes they use to support and access user workloads. Most notably, they’ve added guarantees to meet compliance standards like HIPAA, GDPR and PCI. Beyond that, however, some industry experts say the major providers aren’t doing enough around cloud transparency.
These critics want more reporting from cloud providers on how they use telemetry and metadata collected behind the scenes, and they want to see a continuation of a recent shift by some vendors to offer more tools to track direct interactions with user workloads.
Data access controls
All cloud providers offer some level of control over data protection in regard to compliance frameworks. Enterprises rely on this oversight to maintain an audit trail of how all data related to enterprise applications is accessed, edited or deleted.
“As a part of global expansion, cloud providers are increasingly certifying their environment, data protection and privacy against different regional regulatory standards,” said Hari Srinivasan, director of product management at Qualys, a cloud security and compliance solutions provider.
Certifications and standards, such as ISO 27018, which concerns the privacy of personal data in the cloud, verify that the cloud provider follows particular security principles. These standards put specific assurances into writing, such as guarantees that a vendor won’t share data with outside parties unless requested by the local authority with proper judicial warrants.
Cloud providers also use third-party vendors for vulnerability assessments to ensure their internal systems are stable and devoid of security vulnerabilities, said Dinesh Varadharajan, vice president of product management at Kissflow, a workflow management platform. Enterprises should request these compliance reports to discover any security gaps that might be created when they move to the cloud. These reports help enterprises understand how storage and transmission encryption works, how data backup is managed and how data is disposed of at the termination of a contract.
However, Varadharajan believes that cloud providers need to be more transparent by publishing stats regarding data backup, lists of vulnerabilities addressed, and internal audits and their results. This will instil more confidence among enterprises.
“In short, enterprises need a dashboard to continuously monitor the state of the data that is stored,” Varadharajan said.