Life in the cloud would be so much easier if there were only some sort of ‘cloud risk seal of approval’. Most public cloud services seem to offer a reasonable risk proposition, but its extremely difficult to provide defensible evidence of this. A comprehensive and well-accepted ‘standard’ would go a long way towards bridging this gap.
Working towards the revision of the Hype Cycle for Cloud Security (which will be published in July), I wrote the following text: “Current standards only have a relatively small amount of material relating to the design, build and test phases of technology, which means that they are not yet able to fully address all risk-relevant aspects of a provider’s offering.”
In our internal peer review process, analyst Khushbu Pratap noted “This is because the move to cloud was meant to get rid of this headache. The service beneficiaries continue worrying about assurance in these areas. Cloud has taken away the whole implementation and maintenance piece but outsourcing cloud assurance is still a risky bet.”
I think that very neatly summarizes the inherent dilemma of using a commercial cloud service provider.