If you are putting, or considering putting, your data into the cloud, then you’ll have thought about security considerations. But the way that you think about cloud data security may be very different from the way that you consider the same issues when it comes to data held on your own servers and computers.

Visiting a school once, we had a discussion about how secure data would be in a cloud data centre, and as we walked out past reception the Principal pointed out the desktop computer that had all of their student data on it – sitting right in the middle of a desk in the school reception office – within arm’s reach of anybody walking into the school. But, because they could see the computer with the data on it, they felt that it was much more secure than in somebody else’s datacentre.

The challenge with discussing cloud data security, especially in education, is that we are often dealing with the reality of perception, i.e. it's often not about the real situation, but about the situation that people perceive to be real.

Although there are some frameworks for comparing relative risk between in-house and cloud data services, it's still tricky today to do a proper comparison of data security between on-premise and cloud services, and between different cloud services. For example, it can be challenging to get information on the security practices used by cloud providers, and it can be challenging to use that information to compare and contrast the different services offered by these providers. There are at least a couple of factors making this type of comparison harder than it should be:

  1. There is no industry-standard set of questions that cloud service evaluators can use to ask cloud providers about the security practices they use to manage their services.
  2. There is no industry-standard format for cloud providers to provide answers to questions about the security practices they use to operate their service offerings, e.g. different cloud providers might answer the same question in very different ways, making it difficult to compare and contrast them.

This means that organisations evaluating cloud services often have to create their own evaluation criteria. Some organisations have spent considerable time, resources and budget on developing their own evaluation criteria, or have paid consulting companies to do this for them. Of course, the duplication of effort is inefficient and expensive for both cloud evaluators and the cloud providers, who are forced to interpret and respond to a myriad of different requests for information.

There is an industry initiative, the Cloud Security Alliance "Security, Trust & Assurance Registry" (STAR), which is designed to make it possible to compare security practices used to manage cloud services. The Microsoft Trustworthy Computing group has been working with the STAR programme to create standard Q&As to answer security questions about cloud services. The idea is to work across the industry, so that you can easily get answers to the standard questions across different cloud platforms.

For an overview, Tim Rains and Kellie Ann Chainier have recorded a short video of what’s happening:

 

For the back story behind this, there’s a series of short videos on Cloud Fundamentals:

Tomorrow, I’ll point you towards some of the information we’ve published on the different Microsoft cloud services.