Should cloud providers review customer information?

User names and credit cards are generally required to store data in a provider's cloud before the user and the market pick a vendor to sign an IAAS (infrastructure-service) contract. But what does a public cloud provider do with this information?

Security remains a major concern for users when deploying cloud applications, the study found. Each provider seems to be advocating the security of protecting data in the cloud. However, IBM will take further steps not only to protect data in the cloud, but also to monitor which users use their own cloud services.

Microsoft Community website Redmond Channel Partner recently published a blog post about an interview with an IBM executive. "A single person cannot use a credit card to register for IBM services," says Rich Lechner, vice president of cloud operations at IBM's Global Technology Services Division, Richie Lechina. IBM uses cloud services to monitor each user's identity, so IBM knows who is in the building. ”

Does the IaaS provider audit individual user data before allowing user data to be stored in its cloud? Alan Shimel, executive partner of the advisory Body CISOs Group, said the hope for most IaaS providers was slim.

Schiermeier asked, "Do you really think that they will be reviewed in real time by user-by-person, examining who you are and what data you are putting into the cloud?" Probably not. The nature of the elasticity of the cloud makes this impossible, or at least the cost is not allowed. Schiermeier points out that he is unfamiliar with the security policies of each individual cloud provider. Each provider's security policy is different. However, some large public cloud IaaS providers cannot track all of its users.

In addition to what Lechina has posted on blogs, IBM spokesmen are reluctant to comment on the company's policies. However, Schiermeier says another potential reason for IBM to understand personal user identities is that IBM's cloud services are geared toward enterprise users. IBM may want to tailor some services to meet the needs of users.

Other IaaS providers are vague about their strategy. "Maintaining customer trust and customer data security is our top priority," Rackspace said in an e-mail. "She did not provide details of the company's identity, nor did it review the data before it was stored in a host or cloud environment managed by the company," she said.

Many people believe that Amazon Web Service (AWS) is the market leader for IaaS. AWS provides some extra detail. "We do not check user data," said Kinton, an AWS spokesman Kei Kenton. "She went on to say that we have to conduct advanced reviews to prevent fraud and misuse of services before we allow users to use our services and then expand the scale of their use." AWS requires users to submit an e-mail address, phone number, and credit card information before using their services, and then send a pin (personal identification code) to the user to authorize access to the AWS service.

But, Schiermeier says, customers do not have to ask their IaaS provider exactly what their users are. Once the data is stored in the provider's cloud, the more important security concern is to protect the data, he said.

Schiermeier said that if there were strict security measures, the provider would be able to ensure that even if unwanted data were not in the cloud it would not cause harm. The best way to do this is to isolate the user's data. This seems to be something that providers are more willing to discuss openly.

For example, Kenton said, AWS points out that each user instance has its own firewall that can block the intrusion of other instances in its cloud. AWS uses packet-level isolation measures for network traffic and supports industry-standard encryption. For users who are particularly concerned about security, AWS provides a virtual private cloud (VPC) that provides users with a dedicated IP address if they wish to have such an address. Kenton added that Amazon has certificates such as ISO 27001, FISMA, SAS-70 and PCI.

The cloud and managed service provider Virtustream, senior vice president of the solution architecture, Shawn Jennings (Sean Jennings) agrees that it is unrealistic to expect providers to audit individual user data. "I think they are taking credit card cards and generally not doing it," he said. "However, this situation varies according to the provider." For example, community clouds are increasingly popular for specific vertical industries, such as health care or finance. As a community cloud, providers collaborate more closely with individual customers to familiarize themselves with what types of data will be placed in the cloud in order to better optimize the products that are used by customers in the vertical industry.

Virtustream itself is a public cloud provider. Jennings said the quarantine data was the most worrying issue for his company and most other cloud providers. In Virtustream, each customer has a dedicated virtual LAN input to the data center. There is a firewall around and there is also a virtual switch layer. These measures guarantee that no malware can access the data center for whatever reason, and that malware cannot be propagated. Virtustream monitors traffic in the datacenter and marks suspicious behavior. However, Jennings said that even in a dedicated private cloud environment, there may be some core network devices that are shared by multiple data centers and customers, such as core enterprise switches and routers.

Overall, says Jennings, don't expect providers to audit users and their data, and users should be obligated to verify the security features of their IAAS providers before putting data in the cloud. (Compiled/Populus euphratica)

(Responsible editor: The good of the Legacy)