Prove to us that cloud is really secure says auditor

Cloud security

Security and compliance are two barriers to adopting the cloud, but one information security expert has said all users need is some proof of what is in place before they deploy the technology.

Presenting at the RSA Europe conference in London today, Davi Ottenheimer began by saying the issues around security and compliance in the cloud are not much different to those surrounding legacy systems.

"The cloud is an extension of everything we have learned before [and] we should apply those lessons we learned over time," he said. "What is [new] is in terms of technology, [namely] the automation, elasticity and measurement of cloud."

The underlying factor of moving to cloud systems, however, comes down to "fear and trust," claimed Ottenheimer.

"A lot of the cloud brought fear, with people saying compliance and security stopped them from moving to the cloud," he said. "It is actually that they are looking for proof; they don't think cloud doesn't have any compliance or security but they want to see the proof [first]."

As an auditor, it is Ottenheimer's job to go to the cloud service providers and dig out the evidence. The problem with the current crop of vendors, however, is they expect you just to trust what they say is fact.

"When I walk in, [cloud service providers] say they are responsible and think that they are off the hook," he said.

"I have to push for the answer cloud providers say you can trust us, that's not good enough for me. I need to see mathematical [evidence] or I will pull my customers out. I have pulled customers out of [deals] with providers before."

Ottenheimer advised users to ask for more from their cloud providers to make them feel safe, be it extra layers of encryption or more policies. However, it seems it is down to the big guns of the cloud world to open up more and explain how exactly they are keeping our data safe.