Thales eSecurity Blog

All Cloud Service Providers are NOT Created Equal

Tips for Buyers and Security Essentials

Dominating the cloud computing zeitgeist, no one should be surprised to learn that Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (heretofore referred to as AMG) continue to maintain or grow their share of the market according to a July press release from Synergy Research Group. Synergy’s research also reveals that other cloud service providers still operate as much as 50% of cloud workloads. And there’s a reason for that: self-service (as provided by AMG) is awesome, but plenty of buyers need or can benefit from some hand-holding while their migrating workloads to the cloud.

For the purposes of this blog and based on Synergy’s data, I will assume that among the 50%, at least 25% are software-as-a-service (SaaS) providers, which I am not blogging about here. Remaining are a global ecosystem of perhaps thousands of Cloud Service Providers, or CSPs. CSP’s have a lot to recommend: locality, personalized service, and technical expertise, among other attributes. And they can be quite cost effective, for many workloads.

However, choosing among hundreds of CSPs for a particular workload can be quite challenging. In addition to so many from which to choose, security is a top concern, evidenced by the 2017 Thales eSecurity Data Threat Report Advanced Technology Edition, which reveals that data security and availability concerns are still front-of-mind for over half those surveyed, including experienced cloud buyers. So, a CSP buyer must first answer questions like: What type of data will I store in the cloud? What data protection regulations govern our industry? How do I protect data stored in the cloud?

All Cloud Service Providers are NOT Created Equal

Unbiased Starting Point

A fundamental data security resource for any cloud customer is the Cloud Security Alliance (CSA). The CSA publishes the Cloud Controls Matrix (CCM) designed both to provide cloud vendors with essential security principles and to educate prospective cloud customers in assessing the overall security risk of a cloud provider. The CSA also publishes the Consensus Assessments Initiative Questionnaire (CAIQ), which is aligned with the CCM and is intended to be completed by cloud services vendors.

One thing to keep in mind: cloud providers offer ranges of capabilities that you want to match to a specific workload or service you need. Each workload you’re considering for cloud has its own security, risk and compliance requirements. You can only compare cloud provider security services, using the CAIQ, for similar workloads or services. That is, you want to use the CAIQ to compare apples to apples or orange to oranges, not apples to oranges.

How to Protect Data

Among the many sections of the Cloud Controls Matrix we find the following mandate:

EKM-04 Platform and data-appropriate encryption in open and validated formats and standard algorithms shall be required.

That just about says it, right?

Finding CSPs That Provide Encryption

If you have the time to do some digging, you can hand each of your candidate CSPs a copy of the CAIQ and then look for their answers to EKM-04.1, -04.2, -04.3, and 04.4 and tabulate the scores. This process is effective, but labor intensive.

Another choice is to visit the Thales eSecurity Cloud Partners Page. On that page, you will find leading global Cloud Service Providers such as Rackspace, a leading provider of hybrid clouds, who recently announced a new Privacy and Data Protection Offering. You will also find, for example, Virtustream, another leading cloud innovator offering cloud solutions to enterprises, governments and service providers.

Any provider (other than AMG) that you find on our Cloud Partners Page offers Vormetric Transparent Encryption (VTE) to protect your data in their cloud with data-at-rest encryption, access controls and data access logging without re-engineering applications, databases or infrastructure. VTE meets the basic requirements or recommended best practices for almost all compliance and data privacy standards and mandates, including PCI DSS, HIPAA/Hitech, GDPR and, of course, the Cloud Controls Matrix.

Why, in the previous paragraph, did I write “other than AMG”? In my next blog, I will tell you why you want to bring your own encryption, or BYOE, to those providers.