Introduction

Once upon a time, most organizations believed that everything behind the corporate firewall could be trusted. Authenticated users, devices and applications were implicitly trusted once their credentials were issued. But that belief was shattered by an onslaught of successful cyberattacks targeting that blind trust – and with them, the rise of so-called 'zero trust' architectural concepts. A similar lesson in trust has taken place with cloud and managed service providers. Finding service providers that can be trusted has become a key concern for enterprises, particularly as cloud and service providers play an increasingly larger and critical role in enterprise strategies. At the same time, service providers are fervently working on ways to prove they warrant trust from their customers. But maybe, in all these cases, it really isn't about trust. Maybe what enterprises are looking for is proof.


The 451 Take

Organizations need to know how their digital assets are protected, where those assets reside, how and why their assets are being accessed, and that services are functioning properly. They want to verify, on demand, that service providers are doing what they said they would do. According to a recently commissioned study and 451 Research's Voice of the Enterprise: Cloud, Hosting & Managed Services, Workloads and Key Projects 2019 survey, data privacy, security and loss of control are among the top barriers to enterprises leveraging cloud and service providers to a greater extent.

The ability for organizations to inspect and verify creates a lofty standard for service providers – a standard based on proof, not just promises. This level of transparency and verification not only builds trust between service providers and enterprises, but also provides a compelling incentive for service providers to maintain a high standard of operational excellence. However, providing this level of transparency and validation is a difficult task for cloud and service providers. While some efforts have been made toward deeper transparency and provability, there is ample opportunity for these capabilities to become competitive differentiators for cloud and service providers.

Context

Enterprises are increasingly consuming services from cloud and managed service providers of all shapes and sizes – from global providers offering a broad portfolio of services to regional and local boutique providers focused on serving a specific vertical or offering a unique set of specialized services to a broader audience. Consuming IT as a service offers enterprises an abundance of benefits, including scalability, flexibility, agility, access to a broad range of skills and expertise, cost optimization, and increased efficiencies. These benefits often come at a cost, however.

As cloud and service consumption increases, organizations are steadily surrendering control and visibility of their overall IT ecosystems. At the same time, enterprises are losing faith in the traditional 'black box' approach of many service providers. With the rise of high-profile attacks on local and global cloud and service providers, a gap in trust between service providers and enterprises may be growing.

Trust in cloud and service providers is dependent on proof, not promises. Enterprises are now insisting on the ability to inspect and monitor service providers first-hand, rather than relying exclusively on third-party point-in-time attestations. Enterprises are seeking to confirm that their data, applications, systems, and users are protected against loss, outages, threats and breaches. On a more fundamental level, enterprises want to know if the tools, controls, processes, procedures and safeguards a service provider has in place are working as intended, and that service providers are delivering on their promises.


The Quest for Proof

The Russian proverb 'trust, but verify' was made famous by US president Ronald Reagan in the late 1980s. That same phrase is frequently used in information technology and cybersecurity to describe the due diligence organizations should take when leveraging services and cloud-based technologies. However, for many organizations, that approach often fails in today's fast-paced digital world. For a growing number of organizations, it is not about trust at all; it is all about being able to verify. And with breaches becoming so prevalent and devastating, the new proverb for many organizations is quickly becoming 'never trust, always verify… then verify again.'

Enterprises want confidence that cloud and service providers are delivering an ecosystem that has the right controls in place, and that those controls are operating effectively and consistently to safeguard and protect the organization's assets. While service providers are increasingly advertising and boasting about increased transparency in their services, enterprises report that service providers are not delivering the level of transparency they desire. Organizations are increasingly seeking answers to questions like:

  • Who has accessed my data and systems, both physically and virtually – why and when? Enterprises are calling for cloud and service providers to prove that access has been permitted according to policy, has been vetted, and is not abused. Service providers need to make certain that they can provide fine-grained proof about access to customer systems and data: Who is accessing the asset, where are they connecting from, is it a safe connection, do they have privileges that are in line with their normal pattern of access, are they accessing the asset within an expected time window, and what did they do while they had access?
  • Where is my data located right now? Having a choice in data residency is common among public IaaS cloud providers to meet a growing number of regulatory and privacy requirements. While many cloud providers do not disclose in which particular datacenter an organization's data may reside, they often attest to the region or country in which the data is located. However, as data may move within a region or country at the service provider's discretion, enterprises are beginning to ask for real-time and historic location-specific information concerning their digital assets. Data-residency options tend to be less common with SaaS providers and managed service providers, but are increasingly requested by enterprises.
  • In the event of a security incident, when was the incident detected, who performed the analysis, how long did it take before triage began, and what is the current state of investigation and remediation? While cloud providers are more likely to detect compromises in the cloud infrastructure or platform, managed service providers will – or should – most likely detect incidents in the infrastructure, applications and data under their management. Regardless of the provider, enterprises report that they only see what is escalated to them, typically without any context or explanation, leaving the organization in the dark for hours, days or even weeks after an event. Even after an event, many enterprises are still unsure about what happened and the extent to which they are affected. Enterprises single out MSSPs in particular in this regard, stating that security investigations are often performed in a black box with little to no visibility into ongoing investigations, the rationale or the methods used.

Enterprises are also seeking to verify operations around areas like data deletion, data collection and sharing, encryption, privacy, and performance. This may be particularly relevant in industry verticals such as healthcare, where compliance with regulations such as the Health Insurance Portability and Accountability Act (HIPAA) may be required.

The ever-evolving IT ecosystem and threat landscape of today's modern enterprises have made the 'trust, but verify' approach to IT obsolete. Many enterprises are shifting strategies to a zero-trust model that explicitly distrusts everything and everyone by default – every user, device and application, including cloud and service providers. Provable cybersecurity controls and IT service delivery are quickly becoming a mandate for enterprises. Cloud and service providers that can give organizations expanding abilities to inspect and investigate the promises of the services being delivered should find themselves at a competitive advantage in the marketplace.

Aaron Sherrill
Senior Analyst, Information Security

Aaron Sherrill is a Senior Analyst for 451 Research covering emerging trends, innovation and disruption in the Information Security channel with an emphasis on service providers. Aaron joined 451 Research after serving as Vice President of Information Security and Chief Technology Officer for two of the largest, pure-play managed service providers in the market. 

Scott Crawford
Research Vice President, Security

Scott Crawford is Research Vice President for the Information Security Channel at 451 Research, where he leads coverage of emerging trends, innovation and disruption in the information security market. Scott is also a member of 451 Research's Center of Excellence for Quantum Technologies.

Aaron Sherrill
Senior Analyst

Aaron Sherrill is a Senior Analyst for 451 Research covering emerging trends, innovation and disruption in the Managed Services and Managed Security Services sectors. Aaron has 20+ years of experience across several industries including serving in IT management for the Federal Bureau of Investigation.
