Many cloud storage providers are hiding behind smoke and mirrors to intentionally misrepresent their offerings, which only confuses customers. Why are they doing this? To increase profits, of course.
Some would argue that certifications are a means to get past these deceptions. However, in practice, many certifications are little more than vendor honor badges offered to loyal resellers. They first and foremost show an ability to sell lots of products and maybe show an ability to deploy a particular piece of technology, but they do not examine whether the technology is applicable, appropriate or viable for the intended use. In fact, many of the best vendor-specific implementers will not qualify for certification because they have policies against conflict of interest and therefore do not resell hardware or software.
The vendor certifications do not tell a client if the value-added reseller (VAR) or vendor is truthful, financially stable, or if it has the other requisite characteristics to build and, even more important, to manage a large-scale cloud solution. Certifications do not even determine if the communications infrastructure and disaster recovery plans implemented are adequate.
Fortunately, we are not just limited to vendor certifications. Nonvendor solutions are not without their own troubles, however. The most prolific nonvendor certifications are, in my opinion, misleading and broadly misapplied. For example, Statement on Auditing Standards No. 70 Type II (SAS 70 Type II), replaced by the Statement for Attestation Engagements 16 (SSAE 16), was designed to help banks verify controls placed on core banking applications and processes. It is often overused by the audited business to imply that a service or facility is bulletproof and secure -- but in fact, the SSAE 16 audit only touches on the periphery of the real issues, such as the outsourced insider threat, the lack of transparency on where data is housed or how it is treated, and the commingling of resources in a shared environment.
Even though the new SSAE 16 touches on some IT issues, a data center's major weakness remains: It's still able to make its own assertion on the design and effectiveness of the controls reviewed by the auditor. The most baffling aspect is that data centers do not have to pass the audit to claim that they have been audited.
The big problem is that there is no industry-prescribed standard for a meaningful measure of operating effectiveness. A data center or cloud service can essentially establish its own measurement criteria. It is true that every company that contracts for an SSAE 16 audit gets one, but reading the results is where the bits become bytes.
On several occasions, after organizations "passed an audit," I saw that it was really nothing more than lipstick on a pig. The answers may have been fudged or the issues were fixed only temporarily. In most audits, including all attestation engagements in SSAE 16, the organization being audited just makes a statement of its operating procedures. There really is no such thing as an SSAE 16 certification; it's a report of findings. This SSAE certification claim is just a manifestation of the data center and cloud-marketing people. The "certifications" generally allow the organization being reviewed to select which part of its operations will be audited, and then, with clever marketing, the organization leads customers to believe that its entire operation was vetted.
Many IT audits do not delve deep. The audits are too often facilitated by people who do not understand what they are auditing and therefore must rely on what is presented rather than what they know. Having advised clients on the independent "audits" process, I find it would be almost amusing, if it were not so scary, how little some auditors understand. I have run into a couple of superstars, but they are certainly the exception.
Product vendors and large entities building their own clouds such as Amazon, Google and Microsoft make it even more difficult for end users and VARs to look under the covers. They are understandably very tight-lipped about how they construct their offerings and have a "trust me" approach to inquiries. Ronald Reagan's famous phrase, "Trust, but verify," certainly applies here. We must force them to disclose the details of their infrastructures if they expect us to trust our clients' futures with them.
Without regulations, what can be done? I am a proponent for small government, but this is one area where I believe that some standards in terminology, billing and configurations for security would be helpful. Short of that, though, we must be willing to truly educate the potential users of cloud storage services; we must turn on the big fan and show them what is really behind the smoke.
This requires the participation of open and honest professionals who are more concerned with the industry's reputation than other issues. We need a clearly independent body, such as CompTIA, to step up and get to the work of certifying the services, not just the technicians as they historically have done. To date, the closest thing there is to a certifying body is the Storage Networking Industry Association (SNIA), but when one looks at its voting board, it is a who's who of big vendors and all of the potential conflicts of interest they bring. It's worth noting that SNIA is working with CompTIA, so there is hope that CompTIA can drive the process to an independent conclusion.
I hope that CompTIA's certifications will reach beyond individual technologies and professionals. Unfortunately, standards bodies cost piles of money to form and run, and only the people writing the checks get to decide the agenda. The CompTIA Security Trustmark (combined with random onsite audits) would also be a good addition to the present auditing model because it maps well to the SSAE 16 but adds more prescriptive IT specificity.
The National Institute of Standards and Technology (NIST) could also expand its role and step into the arena of cloud-engineering certification. NIST could develop criteria and methods for cloud storage services and technology verification and set up an accreditation process for organizations wishing to do cloud-engineering audits. A trusted group of certified VARs could perform the audits.
A voluntary "VAR consumer reporting bureau" (similar to the Better Business Bureau) specific to cloud computing could allow those who have discovered falsehoods and anomalies or who have been wronged in some way to report their findings confidentially. The claims could be investigated and verified or determined to be without merit. If they are determined to have merit, the complaint could be arbitrated and the result posted publicly. If it is not settled through the bureau, then complainants could still take legal action if they desired.
There should also be proposal and billing transparency, as well as disclosure requirements, that allow consumers to know in advance what they are buying and what they are exposed to financially. Service-level agreements (SLAs) should be clearly defined. Some companies, such as Salesforce.com, do not provide SLAs unless you twist their arms. Others admit they do not have any way to cap billing when it gets too high.
Consumers should be able to understand what their bill means and control what they are spending. Many cloud storage services use intentionally ambiguous methods for listing charges or do not provide proper breakdowns of their bills. Clients often find themselves spending far more than they had imagined during the sales process.
With some form of agreed-upon standards for contracts and financial representation, as well as a viable accreditation process, the cloud storage services could grow more traversable for the average consumer and less of a playground for predators and pretenders.
Kevin McDonald is executive vice president and director of compliance practices at Alvaka Networks, a network services and security firm in Irvine, Calif.
This was first published in July 2012