Kicking the Virtual Tires of a Cloud Provider

Published: November 19, 2012

Author: Frnak Simorjay, Senior Product Marketing Manager, Microsoft Trustworthy Computing

Part of the car buying selection process may involve kicking the tires to ensure the car is sound and solid. It’s not a scientific method, but it may build confidence in the minds of consumers to trust the quality of a car.

Today, IT professionals are looking for objective information, facts, and resources to help evaluate the benefits of moving to the cloud and to determine the right cloud provider for their organization. To learn about cloud providers, IT leaders may conduct onsite data center visits and penetration testing.

From a cloud provider’s perspective, this approach may present challenges. Providers know they need to make the evaluation of their solution as simple as possible, but they must also ensure that they comply with security regulations and requirements. Something as simple as an onsite data center visit may seem reasonable in most circumstances, when in fact such a visit might violate a service provider’s physical security policy. As a result, potential customers might perceive that the provider is withholding information and not being truly transparent or forthcoming in their security practices. 

Cloud providers often consider ways to give customers information and evidence about their security practices by undergoing rigorous auditing and compliance efforts that demonstrate their security posture. This practice is both time consuming and costly, and may not help confirm that the cloud provider is a good fit for a specific organization.

Learning about your own IT environment and evaluating the benefits of moving to the cloud needs to be made as simple as possible. The Cloud Security Alliance (CSA) developed the Security, Trust & Assurance Registry (STAR) and the Cloud Control Matrix (CCM) to help simplify the process of evaluating a cloud service provider.

As the CSA announced, Microsoft has created a free Cloud Security Readiness Tool, which helps IT leaders assess their current IT environment with regard to systems, processes, and productivity, maximize their IT investment, and realize the potential of cloud computing. The tool also helps organizations better understand their potential to stay agile and helps ensure their alignment with current governance, risk management, and compliance (GRC) legislation and regulations.


Figure 1. Microsoft's Cloud Security Readiness Tool

Evaluating a cloud provider needs to be done with care, but the STAR, CCM, and the Cloud Security Readiness Tool make it simpler and easier to ensure that everyone can address the important factors of the cloud selection process – not just kick the tires.