After 25 years in high tech, I’ve seen a lot of hype, but some of the misleading verbiage that I’m reading these days still disappoints me. It’s not surprising that as a technology approaches the top of the Hype Cycle, some of the vendors turn their Spin Cycle up to 11. I spend a lot of time reading between the lines of Cloud Service Provider (CSP) blogs, web brochures, and contracts, where SLA dissembling has become a core marketing competency. Hyperbole is par for the course in commercial communication, but I find it somewhat disconcerting that so many misleading messages are actually being believed.
Your data is encrypted: This usually translates to “we use SSL to encrypt it in transit, but it’s still in clear text on the server, where it can easily be seen by our rogue admins or undetected hackers.”
Your data is encrypted on our server: In at least one recent case, security researchers have shown that this can mean “yeah, it’s encrypted, but we keep the keys on our servers, and we don’t protect them very carefully.”
We have a Recovery Time Objective of zero: I cannot translate this statement, because it is meaningless.
Our data center is SAS70-certified: This usually indicates “we don’t understand what a SAS70 attestation is,” but a useful working translation in a wide variety of instances would be “The company we sublet space from has shown an accountant that they keep the doors locked, the HVAC is reliable, fire suppression is in place, and there is plenty of diesel in the generator fuel tank.”
Dereferenced data will be overwritten with other customer data over time: Translation “We don’t actually delete your data.”
We are committed to security: Translation “We want your money.”
Our security guards have Segways: Translation “Even our non-tech employees are cool.”
We use sophisticated proprietary technology: This roughly translates as “You don’t need useful evidence to accept that we are the superior choice.”
We have a robust change management system: This often means “We are constantly tinkering with our code and we’ll never give you any advance warning of when it might affect you.”
We are a leading provider of…: Translation “we exist (at least for the time being).”
While I still think we’ve got a long way to go on cloud computing transparency, there are certainly providers that do a better job than others of explaining their level of effort and the form of service you should expect. Unfortunately, an honest presentation of the realities of data protection can be less compelling than a hyped and obfuscated story. Until the spin cycle runs its course, there are going to be some disappointed buyers, especially those with high expectations for data encryption and data recovery.
Categories: Cloud, IT Governance, risk management, security, Vendor Contracts. Tags: Cloud, cloud security, continuity, disaster recovery, information security, infosec, outsourcing, risk management, security, Security-Summit-NA, vendor risk.