What sort of security information should a buyer expect from a service provider?
In April, Google uploaded a marketing video to YouTube, Security and Data Protection in a Google Data Center. This 7-minute piece explains that interior doors are protected with biometric sensors, and that scooters are provided for the guards. Take a silent moment to try to visualize the sort of infosec security failure that would be solved with scooters. Is there some sort of Google security training camp where security staff are taught advanced scooter incident response techniques? Instead of Mall Cop Two, can we anticipate Google Cop?
Just before (and continuing after) Irene struck, Amazon’s AWS service health dashboard included the reassuring news “We are monitoring Hurricane Irene and making all possible preparations, e.g. generator fuel, food/water, flashlights, radios, extra staff.” Laying in some extra staff to temporarily beef up the inherently lean personnel of a cloud service sounds like a great idea, but shouldn’t a provider always have enough generator fuel to outlive unforeseen power failures, let alone scheduled hurricanes? Why wouldn’t they always have some MREs on hand to tide their admin crew through a snow storm or civil emergency? How about a deck of cards, or a board game, too? Once they get to the point where they need flashlights and radios, the extra staff will need something else to do while waiting for the power and the Internet to come back up.
Taking a more minimalist approach, Dropbox is sticking with the marvelously ambiguous position “We use the same secure methods as banks.” Does that mean the same methods that banks use to prevent robbers from getting into your safety deposit boxes, or the same methods that UBS uses to monitor for fraud?
Best practice for determining if a service provider is fit for purpose remains an open topic. I do have some ideas on what a buyer should be told, and I’m confident that this sort of information is not it.