There are many SaaS and Security SaaS cloud services out there, but they all lack one thing: full visibility. Why do these cloud services limit the ability to perform compliance auditing, forensics, and basic auditing against an organization's data retention, protection, and other necessary policies? Why not just grant the “right to audit”, or better yet, build a way for each tenant to perform their own audit down to the hardware? Why limit this by leaving it out of contracts as well as the technology? It is all feasible.

I recently participated in a cloud services discussion that hovered around everything but the legal aspects of using the service. When I asked about the ‘right to audit’, I was told they would have to get back to me. I am still waiting to hear back. I expect not to hear back, as most cloud services do not want to grant this level of transparency. Instead, they would rather control every aspect of the service in order to deliver the highest level of availability, integrity, and confidentiality. However, where is the proof that this is actually the case?

Without proof, when an organization is audited, say for PCI compliance, it will fail whenever the cloud services are considered in scope. If they are not in scope, it may not fail. Wait, it will fail? But the cloud service stated it was PCI compliant. Once more, where is the proof? This ends up being more of a discussion about trust; even so, we need provable trust.

In another conversation, an IaaS-based cloud was in the midst of another type of audit, but the legalities of the contract actually denied the organization the ability to impose its own audit. Why would this be the case? This is not common practice; in fact, the reverse is true: the ‘right to audit’ is common within most contracts between partners. Without the ‘right to audit’ and the technology to allow an organization to perform such an audit, the cloud will be severely limited. Granted, there are works in progress such as CloudAudit and CSA STAR, but these are just reporting frameworks. We really need the full ability to audit from the highest levels to the lowest levels. We need to be able to review anything that is in scope for the audit.

This is an age-old problem that first popped up with counting houses: how could one prove the counting house had not made a mistake with an individual's money? They allowed the ‘right to audit’. Now we are in the 21st century and we are still hamstrung by the lack of technology to allow individual tenants to audit their instance of the cloud. Transparency becomes even more important when there is security software involved.

When offering cloud services, offer the ‘right-to-audit’, but also team up with your vendors to provide a technological method to audit down through all layers without requiring undue personnel overhead to handle audit requests. If you are looking to be a tenant, require the ‘right-to-audit’ in order to be part of the cloud. Ultimately, auditing requires the tenant to know who did what, when, where, and how.

As The Virtualization Practice is looking to go to the cloud, we will require the ‘right-to-audit’ as a matter of course. However, what this means today will be spelled out in a contract, which gives the legal team something to discuss based on our existing written policies. Why? Because cloud services may not provide, or have the capability built in today, to allow tenants to audit without the provider's assistance.

One can hope unassisted auditability will be provided in the future.

Edward Haletky

Edward L. Haletky, aka Texiwill, is the author of VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment as well as VMware ESX and ESXi in the Enterprise: Planning Deployment of Virtualization Servers, 2nd Edition. Edward owns AstroArch Consulting, Inc., providing virtualization, security, network consulting and development and The Virtualization Practice where he is also an Analyst. Edward is the Moderator and Host of the Virtualization Security Podcast as well as a guru and moderator for the VMware Communities Forums, providing answers to security and configuration questions. Edward is working on new books on Virtualization.

3 comments for “Offering Cloud Services: Why is it so Limited?”

  1. May 15, 2012 at 10:19 AM

    Hello,

    I am unsure about this pingback? Why would this not be useful for attorneys? Is this because of the law governing compliance, lack of knowledge, or something unenforceable in the court of law?

    Best regards,
    Edward
