Once upon a time, most organizations believed that everything behind the corporate firewall could be trusted. Authenticated users, devices and applications were implicitly trusted once their credentials were issued. But that belief was shattered by an onslaught of successful cyberattacks targeting that blind trust – and with them, the rise of so-called 'zero trust' architectural concepts. A similar lesson in trust has taken place with cloud and managed service providers. Finding service providers that can be trusted has become a key concern for enterprises, particularly as cloud and service providers play an increasingly larger and critical role in enterprise strategies. At the same time, service providers are fervently working on ways to prove they warrant trust from their customers. But maybe, in all these cases, it really isn't about trust. Maybe what enterprises are looking for is proof.
The 451 Take
The ability for organizations to inspect and verify creates a lofty standard for service providers – a standard based on proof, not just promises. This level of transparency and verification not only builds trust between service providers and enterprises, but also provides a compelling incentive for service providers to maintain a high standard of operational excellence. However, providing this level of transparency and validation is a difficult task for cloud and service providers. While some efforts have been made toward deeper transparency and provability, there is ample opportunity for these capabilities to become competitive differentiators for cloud and service providers.
As cloud and service consumption increase, organizations are steadily surrendering control and visibility of their overall IT ecosystems. But enterprises are losing faith in the traditional 'black box' approach of many service providers. With the rise of high-profile attacks on local and global cloud and service providers, a gap in trust between service providers and enterprises may be growing.
Trust in cloud and service providers is dependent on proof, not promises. Enterprises are now insisting on the ability to inspect and monitor service providers first-hand, rather than relying exclusively on third-party point-in-time attestations. Enterprises are seeking to confirm that their data, applications, systems, and users are protected against loss, outages, threats and breaches. On a more fundamental level, enterprises want to know if the tools, controls, processes, procedures and safeguards a service provider has in place are working as intended, and that service providers are delivering on their promises.
The Quest for Proof
Enterprises want confidence that cloud and service providers are delivering an ecosystem that has the right controls in place, and that those controls are operating effectively and consistently to safeguard and protect the organization's assets. While service providers are increasingly advertising and boasting about increased transparency in their services, enterprises report that service providers are not delivering the level of transparency they desire. Organizations are increasingly seeking answers to questions like:
- Who has accessed my data and systems, both physically and virtually – why and when? Enterprises are calling for cloud and service providers to prove that access has been permitted according to policy, has been vetted, and is not abused. Service providers need to make certain that they can provide fine-grain proof about access to customer systems and data: Who is accessing the asset, where are they connecting from, is it a safe connection, do they have privileges that are in-line with their normal pattern of access, are they accessing the asset within an expected time window, and what did they do while they had access?
- Where is my data located right now? Having a choice in data residency is common among public IaaS cloud providers to meet a growing number of regulatory and privacy requirements. While many cloud providers do not disclose in which particular datacenter an organization's data may reside, they often attest to the region or country in which the data is located. However, as data may move within a region or country at the service provider's discretion, enterprises are beginning to ask for real-time and historic location-specific information concerning their digital assets. Data-residency options tend to be less common with SaaS providers and managed service providers, but are increasingly requested by enterprises.
- In the event of a security incident, when was the incident detected, who performed the analysis, how long did it take before triage began, and what is the current state of investigation and remediation? While cloud providers are more likely to detect compromises in the cloud infrastructure or platform, managed service providers will – or should – most likely detect incidents in the infrastructure, applications and data under their management. Regardless of the provider, enterprises report that they only see what is escalated to them, typically without any context or explanation, leaving the organization in the dark for hours, days or even weeks after an event. Even after an event, many enterprises are still unsure about what happened and the extent to which they are affected. MSSPs, in particular, are singled out by enterprises in this regard, stating that security investigations are often performed in a black box with little to no visibility into ongoing investigations, the rationale or the methods used.
The ever-evolving IT ecosystem and threat landscape of today's modern enterprises has made the 'trust, but verify' approach to IT obsolete. Many enterprises are shifting strategies to a zero-trust model that explicitly distrusts everything and everyone by default – every user, device and application, including cloud and service providers. Provable cybersecurity controls and IT service delivery are quickly becoming a mandate for enterprises. Cloud and service providers that can provide organizations with expanding abilities to inspect and investigate the promises of the services being delivered should find themselves at a competitive advantage in the marketplace.
Aaron Sherrill is a Senior Analyst for 451 Research covering emerging trends, innovation and disruption in the Information Security channel with an emphasis on service providers. Aaron joined 451 Research after serving as Vice President of Information Security and Chief Technology Officer for two of the largest, pure-play managed service providers in the market.
Scott Crawford is Research Vice President for the Information Security Channel at 451 Research, where he leads coverage of emerging trends, innovation and disruption in the information security market. Scott is also a member of 451 Research’s Center of Excellence for Quantum Technologies.
Aaron Sherrill is a Senior Analyst for 451 Research covering emerging trends, innovation