Enterprises have become more comfortable with the security of cloud platforms and their ability to protect against outside attackers, but they remain concerned about a lack of transparency into how cloud providers use data related to their accounts.
AWS, Microsoft and Google have made some strides to increase visibility into the processes they use to support and access user workloads. Most notably, they've added guarantees to meet compliance standards like HIPAA, GDPR and PCI. Beyond that, however, some industry experts say the major providers aren't doing enough around cloud transparency.
These critics want more reporting from cloud providers on how they use telemetry and metadata collected behind the scenes, and they want to see a continuation of a recent shift by some vendors to offer more tools to track direct interactions with user workloads.
Data access controls
All cloud providers offer some level of control over data protection in regard to compliance frameworks. Enterprises rely on this oversight to maintain an audit trail of how all data related to enterprise applications is accessed, edited or deleted.
"As a part of global expansion, cloud providers are increasingly certifying their environment, data protection and privacy against different regional regulatory standards," said Hari Srinivasan, director of product management at Qualys, a cloud security and compliance solutions provider.
Certifications and standards, such as ISO 27018, which concerns the privacy of personal data in the cloud, verify that the cloud provider follows particular security principles. These standards put specific assurances into writing, such as guarantees that a vendor won't share data with outside parties unless requested by the local authority with proper judiciary warrants.
Cloud providers also use third-party vendors for vulnerability assessments to ensure their internal systems are stable and devoid of security vulnerabilities, said Dinesh Varadharajan, vice president of product management at Kissflow, a workflow management platform. Enterprises should request these compliance reports to discover any security gaps that might be created when they move to the cloud. These reports help enterprises understand how storage and transmission encryption works, how data backup is managed and how data is disposed of at the termination of a contract.
However, Varadharajan believes that cloud providers need to be more transparent by publishing statistics on data backups, the lists of vulnerabilities addressed, and internal audits and their results. This would instill more confidence among enterprises.
"In short, enterprises need a dashboard to continuously monitor the state of the data that is stored," Varadharajan said.
Concerns about telemetry and metadata
Many cloud services collect telemetry data in order to improve application performance. This has raised cloud transparency concerns among enterprises and governments worried about compromises to personal or business information. For example, schools in the German state of Hesse are prohibited from using Microsoft Office over such concerns. In the Netherlands, Microsoft worked with the Dutch Ministry of Justice and Security to address eight high-level data protection risks concerning telemetry in order for the service to be cleared for use there.
Confidential computing promises better controls
Down the road, cloud providers may provide better data controls to enterprises through more secure computing services. Microsoft, Google, Intel and others created the Confidential Computing Consortium, which aims to make it easier to run computations in hardware-based enclaves that are isolated from the host OS and other applications.
This work is still in its early days, particularly since these workloads tend to be more cumbersome to manage. But it could provide better security and greater assurances for enterprises concerned about workload protection. Google already offers the Asylo confidential computing framework. Microsoft provides Azure confidential computing for running workloads securely.
Additionally, none of the cloud vendors provide transparency into how they use service-level metadata. Cloud vendors track the anonymized usage and metadata from their customers to spot gaps in their service and identify other user interests that could then be productized, Srinivasan said.
But a provider's access to this metadata could also be a major concern for customers that compete in other business segments, said Erez Berkner, CEO and co-founder of Lumigo, a serverless monitoring platform. Even if an enterprise encrypts its data, cloud providers still have access to information about VM volumes and transactions per second, which are significant indications of usage and the success of a product or service hosted on their platforms.
Cloud providers could use that information for their own advantage, such as offering competing services or acquiring companies, said Venkat Ramasamy, chief operating officer at FileCloud, a file sharing, sync and backup vendor. As such, they should produce transparency reports on data and metadata access.
Another protection for users would be a virtual barrier akin to what's done in the financial industry, Ramasamy said. In this scheme, an investment banking division with material, non-public information about companies is isolated from equity analyst groups in order to prevent conflicts of interest. If this were applied to the cloud, internal product teams would be walled off from the department that runs the cloud marketplace for ISVs.
Cloud vendors improving access transparency
Despite some of the worries, there are signs that cloud providers are willing to tackle transparency concerns, particularly around how they access user data.
Google Access Transparency enables enterprises to receive a log that records all Google staff interactions with an enterprise's data. This can be helpful for providing a system audit and can facilitate reports that confirm compliance with various types of regulations, like HIPAA and GDPR. Additionally, Google Access Approval enables enterprises to approve or deny Google engineers' requests to access customer data on Google Cloud services. However, Google reserves the right to access data, regardless of the setting, when required by law in response to a security incident.
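As an added illustration (not code from the article or from Google), here is how an enterprise might consume such an access trail: the script below flags provider-staff accesses that lack an Access Approval record, cite a justification the enterprise has not pre-approved, or come from an office country outside an allowed set. The sample entries and their field names are constructed for this example, modelled on the Cloud Audit Log shape, and are assumptions rather than a verified schema.

```python
from typing import Dict, List

AT_LOG_SUFFIX = "cloudaudit.googleapis.com%2Faccess_transparency"

# Constructed sample records, shaped like Cloud Audit Log entries that carry
# Access Transparency metadata. Field names are an assumption for this example.
SAMPLE_ENTRIES = [
    {"logName": f"projects/example-prj/logs/{AT_LOG_SUFFIX}",
     "protoPayload": {"methodName": "google.cloud.storage.v1.Objects.Get",
                      "resourceName": "projects/example-prj/buckets/payroll-exports/objects/q1.csv",
                      "metadata": {"accessJustifications": [{"justification": "CUSTOMER_INITIATED_SUPPORT"}],
                                   "accessApprovals": ["projects/example-prj/approvalRequests/req-1"],
                                   "accessLocations": {"principalOfficeCountry": "US"}}}},
    {"logName": f"projects/example-prj/logs/{AT_LOG_SUFFIX}",
     "protoPayload": {"methodName": "google.cloud.bigquery.v2.TableService.GetTable",
                      "resourceName": "projects/example-prj/datasets/crm/tables/customers",
                      "metadata": {"accessJustifications": [{"justification": "GOOGLE_INITIATED_REVIEW"}],
                                   "accessApprovals": [],
                                   "accessLocations": {"principalOfficeCountry": "IE"}}}},
    # An ordinary admin-activity entry: not a staff access, so it is skipped.
    {"logName": "projects/example-prj/logs/cloudaudit.googleapis.com%2Factivity",
     "protoPayload": {"methodName": "storage.buckets.list", "resourceName": "projects/example-prj"}},
]


def review_access_log(entries: List[Dict], allowed_justifications: set, allowed_countries: set) -> List[Dict]:
    """Return one finding per provider-staff access that needs human review.

    An access is flagged when it has no Access Approval record, cites a
    justification outside the allowed set, or originates from an office
    country outside the allowed set. Non-Access-Transparency entries are skipped.
    """
    findings = []
    for entry in entries:
        if not entry.get("logName", "").endswith(AT_LOG_SUFFIX):
            continue
        payload = entry.get("protoPayload", {})
        meta = payload.get("metadata", {})
        reasons = []
        if not meta.get("accessApprovals"):
            reasons.append("no Access Approval record")
        justs = {j.get("justification") for j in meta.get("accessJustifications", [])}
        if not justs or not justs <= allowed_justifications:
            reasons.append(f"justification {sorted(justs)} not pre-approved")
        country = meta.get("accessLocations", {}).get("principalOfficeCountry")
        if country not in allowed_countries:
            reasons.append(f"office country {country!r} not allowed")
        if reasons:
            findings.append({"resource": payload.get("resourceName"),
                             "method": payload.get("methodName"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_access_log(SAMPLE_ENTRIES, {"CUSTOMER_INITIATED_SUPPORT"}, {"US"}):
        print(f["resource"], "->", "; ".join(f["reasons"]))
```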
Microsoft offers a similar service for Office 365 called Customer Lockbox. It recently rolled out a public preview of Customer Lockbox for Azure, which provides enterprises better control of how all data related to Azure is used.