
Offsetting cloud security risk requires provider, customer cooperation

When it comes to cloud security, one question prevails: Who is responsible for protecting information in the cloud -- the provider or the customer? The answer is "both," according to Patrick Gilmore, CTO at data center services provider Markley Group.

Gilmore was part of a 2014 MIT Sloan CIO Symposium panel discussion titled Security and Privacy in the Digital Enterprise, where he and other speakers debated modern businesses' data protection concerns. Following the panel discussion, Gilmore sat down with SearchCompliance Editor Ben Cole to discuss both providers' and customers' role in cloud security maintenance.

What are some of the biggest cloud security risks for companies? Also, whose responsibility is cloud security? Is it the customer, the provider, is it a combo?

Patrick Gilmore: Security is everybody's responsibility. I have a full staff taking care of security, and we're going to do it in ways that I honestly think are better than our customers because we're hiring people they're not, and we're the people being attacked all the time. Customers only have themselves to worry about. We have a thousand people using our cloud infrastructure; any which one of those could be attacked. We are a little bigger of a target, so we tend to spend more attention to this.

But it also has to be the customer's responsibility, because there are things that we cannot protect against. I don't care how good my security focus is, I don't care how good the people I hire are, if the customer has a crappy password, guess what? That data's getting lost.

I also lie awake at night worrying about, for instance, the hypervisor. Is it as secure as people say? We spend a lot of time looking at that to make sure there's no leakage between customers, to make sure that there's no way in from the outside world. We're convinced right now that there isn't, but this is a moving target.

The customer should be taking care of their own cloud security. For instance, we have customers who won't put anything on our system that isn't pre-encrypted with a key that we, the provider, do not have. That's a good way to make sure that even if we are breached, your data is secure. We spend a lot of time making sure that our customers are secure in ways that they wouldn't even think of.

We also have special products and security apparatus, shall we say, so that we can create a virtual data center that is not reachable from the Internet, so it cannot be hacked, can't be DDoSed. It can only be reached through a private piece of fiber to the customer's data center, and that gives them some additional security, and additional feeling that they are not reachable from the outside world.

But security is not a silver bullet. There's no one thing that can stop all attacks. You have to have that defense in depth, you have to have layers. We're constantly looking at the next layer that we can put in.

Do you work with your customers on cloud security risk? Do you give them advice on how to ensure their cloud data is secured?


Gilmore: We always try to work with customers. Some of them will work with us, some of them will say, 'Oh, we're fine.' To be clear, this is something that costs extra money. The guy who's renting 12 hours a month on one of our virtual machines and swiped his credit card on the Web, we're not going to have a five-hour conversation with our security architects on how to make his data more secure. It's just not a viable business model.

But the customers that have a real amount of data or a real amount of CPU time, or a real amount of revenue being generated, then we absolutely, proactively go to each one and say, 'Let us talk to you about security.' We also talk about other things, but security is first and foremost. How can we make this more secure, what is your model, what can we do to do this? Some of them are very open to it.

Unfortunately, the ones that are very open to it tend to be the ones that already thought about security. There's stuff we can do, but there are not amazing amounts of things that we can show them. The ones that don't want to talk about it tend to be the ones that are least secure, because they're not thinking about security from the ground up. There's not much we can do about this, but at least we give it a shot.

At the end of the day, somebody's paying you an X amount of money a month; if they get breached -- even if it was their own password -- they're still going to be upset with you. We make the effort to try and avoid that. Sometimes it works, sometimes it doesn't.

Let us know what you think about the story; email Ben Cole, site editor. For more regulatory compliance news and updates throughout the week, follow us on Twitter @ITCompliance.
