The Virtual Security Round Table #74 provides strong arguments around cloud security. They argue that cloud providers can claim to hold every industry security certification in the world, but they won't divulge the details and scope of those certifications. There is no way to tell whether the scope of, say, the PCI certification matches your needs or plugs into your processes. The podcast producers would like to see providers settle on the Cloud Security Alliance certification, which provides transparency and visibility into those certifications.
Imagine that you have deployed company assets into the cloud and then get hacked. You have no way of knowing whether you did something wrong or whether the cloud provider left a vulnerability open. Customers cannot see the audit logs. When signing up for service, customers sign away any responsibility the cloud provider may have. You have been hacked, you have lost data, and you are responsible for that loss even if it isn't your fault and even if you have no way of performing root cause analysis. You might have no way of determining whether the exploit is fixed or whether you'll get hacked again tomorrow.
Suppose the cloud provider makes a configuration mistake and allows another client onto your virtually secured private subnet. You would have almost no way of knowing, almost no way of proving the problem, and probably no way to seek damages from the cloud provider.
To make matters worse, you are responsible for securing your cloud deployment, but most cloud providers will not permit you to run a scan (such as a Nessus scan) in the cloud. Therefore, you have limited means by which to determine whether or not the cloud implementation is secure.
This has created a no-win security scenario for customers. Customers can't see the details of cloud certifications. They can't see into the logs and configurations that would assure proper security. They can't perform root cause analysis on security problems. They can't perform security scans to make sure their implementations are secure. Yet the customer is fully responsible for security.