Transparency is a great way for cloud providers to demonstrate and prove good security practices to their customers. Often times, however, the transparency stops when outages or service hiccups occur. During an incident, how a cloud provider communicates to its customers says a lot. In a guest post for the Cloud Security Alliance, I discuss why customers should expect clear, transparent SLAs from their service providers, what customers should expect during an incident and why transparency is so important from a security and trust perspective. Head over to the Cloud Security Alliance to read the full post.
With the growing movement of enterprises to the cloud, it’s more important than ever that service providers demonstrate and prove good security practices to their customers, in good times and in bad. During an incident, how a cloud provider communicates to its customers says a lot about its commitment to security. Sounds obvious, right? Well, three different times during the past seven months — and once while I was on a panel at the 2012 CSA Congress in Orlando — I’ve learned that it isn’t clear after all. As CSO at Okta, I work closely with our customers and they always ask, “What will you guys do if a breach occurs?”
When I tell customers that we’ll proactively reach out to them with written communication within hours of any important incident, they are surprised … which surprises me. We include transparent communication into every service level agreement (SLA), alongside availability guarantees and recovery point and time objectives.
SLAs exist so that customers have a means to measure the basic service performance of their providers. SLAs can sometimes be very complex and involve many components. But it’s the communication aspect that I see most commonly omitted. It’s important for cloud providers to incorporate communication protocols into their SLAs to ensure trust and transparency with their customers.
The most basic question that customers have for their cloud providers is finding out if there’s been a breach in service. During last year’s CSA conference in Orlando, the same question came up again and again: “How would I even know if the service is breached?”
Typically, when a large consumer-facing provider goes down the company posts a “We’re sorry” or a fail message on its homepage. This works for a service such as Google, which expects users will visit the site, see the service interruption and then wait for the site to come back online. Users might Tweet about how annoyed they are that Google’s down, but they wouldn’t expect a phone call from a Google rep explaining the problem and detailing the company’s plans to resolve the problem. Large, consumer services such as Google simply have too many millions of users.
But for enterprises that rely on cloud services to run their businesses, an impersonal “sorry” on the provider’s website is little consolation during an interruption or breach. They should expect, as part of the signed SLA, a proactive message alerting them to the problem and detailing the response.
Visit the Cloud Security Alliance blog to read the full article.