Kicking the Virtual Tires of a Cloud Provider
Published: November 19, 2012
Author: Frank Simorjay, Senior Product Marketing Manager, Microsoft Trustworthy Computing
Part of the car buying selection process may involve kicking the tires to ensure the car is sound and solid. It’s not a scientific method, but it may build confidence in the minds of consumers to trust the quality of a car.
Today, IT professionals are looking for objective information, facts, and resources to help evaluate the benefits of moving to the cloud and to determine the right cloud provider for their organization. To learn about cloud providers, IT leaders may conduct onsite data center visits and penetration testing.
From a cloud provider’s perspective, this approach may present challenges. Providers know they need to make the evaluation of their solution as simple as possible, but they must also ensure that they comply with security regulations and requirements. Something as simple as an onsite data center visit may seem reasonable in most circumstances, when in fact such a visit might violate a service provider’s physical security policy. As a result, potential customers might perceive that the provider is withholding information and not being truly transparent or forthcoming in their security practices.
Cloud providers often consider ways to give customers information and evidence about their security practices by undergoing rigorous auditing and compliance efforts that demonstrate their security posture. This practice is both time consuming and costly, and may not help confirm that the cloud provider is a good fit for a specific organization.
Learning about your own IT environment and evaluating the benefits of moving to the cloud needs to be made as simple as possible. The Cloud Security Alliance (CSA) developed the Security, Trust & Assurance Registry (STAR) and the Cloud Controls Matrix (CCM) to help simplify the process of evaluating a cloud service provider.
As the CSA announced, Microsoft has created a free Cloud Security Readiness Tool, which helps IT leaders assess their current IT environment with regard to systems, processes, and productivity, maximize their IT investment, and realize the potential of cloud computing. The tool also helps organizations better understand their potential to stay agile and helps ensure their alignment with current governance, risk management, and compliance (GRC) legislation and regulations.
Figure 1. Microsoft's Cloud Security Readiness Tool
Evaluating a cloud provider needs to be done with care, but the STAR, CCM, and the Cloud Security Readiness Tool make it simpler and easier to ensure that everyone can address the important factors of the cloud selection process – not just kick the tires.