Posts by markheathcote

hey, lets down vote this guy just to be ironic.

Re: "Large cloud services are in secure data centres to which access is strictly controlled"

Also, the Patriot Act trumps everything, at least for now, and I believe applies to any US (Cloud) company and data they host anywhere. i.e. the US Gov can in theory gain access to confidential corporate data.

Regarding InfoSec trust - it is essential to ensure the vendor applies the same level of diligence that you apply to your own data (otherwise, why bother yourself?). I have worked across a multitude of enterprises, and have NEVER seen the correct diligence applied to vendors except where I have done it myself. Further, cloud vendors themselves are quite often guilty of misleading CIOs etc by stating things like 'our DCs have SAS70 certification' - no they don't, there is no such thing as SAS70 certification. "SAS70 is not intended to purport that a service organization has achieved an objectified defined standard for a system".

The only way to ensure such diligence is to get your requirements in the contract, audit them regularly, make them fill in a security questionnaire, and monitor them. Good luck trying to get a global Cloud provider to agree to this. The closest you might get is for them to show you an ISO:27001 certificate.

That said, most enterprises have many lower level services which don't process confidential data and therefore could be ripe for 'clouding'. Just be careful with your crown jewels.