Logiq3, for instance, uses Sentry Metrics Inc.'s security event management service, which monitors event logs, performs trend analysis and reports on anomalies. So the Sentry Metrics system could, for example, alert Logiq3 when a BlueLock administrator logs on but hasn't been given a specific job to do, Westgate says.
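The alert Westgate describes, a provider administrator logging on with no assigned job, is a correlation between logon events and an authorized-work list. The following is an added illustration, not Sentry Metrics' or Logiq3's code; the log format, field names and the ticket list are constructed assumptions.

```python
"""Flag provider-admin logons that fall outside any assigned work ticket.

Added example; the key=value log format and the ticket records below are
assumptions constructed for illustration, not a real product's format.
"""
from datetime import datetime

# Constructed sample log: hypervisor logon events in an assumed key=value format.
SAMPLE_LOG = """\
2010-03-02T09:15:00 host=vm-host-01 event=admin_logon user=bl-admin-7 src=10.0.5.12
2010-03-02T13:40:00 host=vm-host-03 event=admin_logon user=bl-admin-2 src=10.0.5.40
2010-03-02T22:05:00 host=vm-host-01 event=admin_logon user=bl-admin-7 src=10.0.5.12
2010-03-03T02:30:00 host=vm-host-02 event=user_logon user=app-svc src=10.0.9.3
"""

# Constructed sample tickets: each authorizes one admin for one time window.
SAMPLE_TICKETS = [
    {"id": "CHG-1041", "user": "bl-admin-7",
     "start": "2010-03-02T09:00:00", "end": "2010-03-02T12:00:00"},
    {"id": "CHG-1042", "user": "bl-admin-2",
     "start": "2010-03-02T13:00:00", "end": "2010-03-02T15:00:00"},
]

def parse_logon_events(text):
    """Parse key=value lines, keeping only administrator logon events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        if rec.get("event") != "admin_logon":
            continue
        rec["time"] = datetime.fromisoformat(ts)
        events.append(rec)
    return events

def matching_ticket(event, tickets):
    """Return the id of the ticket that covers this logon, or None."""
    for t in tickets:
        if t["user"] != event["user"]:
            continue
        if datetime.fromisoformat(t["start"]) <= event["time"] <= datetime.fromisoformat(t["end"]):
            return t["id"]
    return None

def unauthorized_admin_logons(log_text, tickets):
    """Admin logons with no ticket assigning that user work at that time."""
    return [(ev["time"].isoformat(), ev["user"], ev["host"])
            for ev in parse_logon_events(log_text)
            if matching_ticket(ev, tickets) is None]

if __name__ == "__main__":
    for alert in unauthorized_admin_logons(SAMPLE_LOG, SAMPLE_TICKETS):
        print("ALERT: admin logon without an assigned job:", alert)
```

In the sample, the 22:05 logon by bl-admin-7 has no covering ticket and is the one event reported.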
Customer control and monitoring of a carrier's cloud can only go so far, however, no matter what the type of service. So how do you ensure that sensitive data is adequately secured and protected?
Service-level agreements with monetary penalties don't cut it, says Pfizer's Anderson, especially for a Fortune 50 company, since "the small amount they get back is a pittance" compared with the cost of a major security breach.
Therefore, due diligence is critical, Anderson says. Pfizer uses SAS 70 Type 2 certification, in which an independent third party audits the service provider's internal and data security controls. Anderson also verifies the vendor's level of compliance with Europe's Safe Harbor privacy rules, and he checks Dun & Bradstreet research to make sure the vendor is legitimate.
The ISO 27001 security standard, for its part, defines best practices for designing and implementing secure and compliant IT systems.
While such standards provide a useful starting point, their criteria tend to be generic, says Gartner's Heiser. Companies still need to match a service provider's specific controls to their specific requirements, he adds.
For example, after checking out BlueLock's SAS 70 Type 2 accreditation, Logiq3's IT staff did a further evaluation to "make sure the controls we require are supported by the controls they have in place," Westgate says. His team then followed up on discrepancies, identifying missing controls and working with the vendor on solutions. The company plans to repeat the process at least once a year, he says.
The Daisy Chain
Basic security tasks such as access control and rights management become even more complicated when, as often happens, a SaaS provider outsources its infrastructure or development platform to another cloud-based service provider -- adding yet another variable to the equation.
Take the case of Cloud Compliance Inc., which provides access control monitoring services for private cloud environments. The company entrusted its infrastructure to Amazon because it's the most proven service provider, according to Cloud Compliance founder Robbie Forkish. However, he acknowledges that the arrangement introduces potential security problems. "There are certain areas where we, as a consumer of their services, need to fill in security capabilities they lack" in order to meet Cloud Compliance's internal security requirements and to reassure its customers.