Tuesday, January 24, 2012

I’ll tell you what I want, what I really, really want from a Cloud Provider


If you want my business, you better make it fast
Self-service: add, remove, and change resources, workloads, and connectivity 24x7, without opening a ticket
Elastic: scale up or down automatically within the limits I set
Available: stand up to hurricanes, DDoS, and replication storms. Your mistakes should never be my problem.
If you want my data, you better make it secure
Auditing: network and management
Network – I need to audit and/or inspect all the traffic between my systems. This includes but is not limited to traffic between users, systems, and applications, even where they share the same physical host and virtual switch.
Management – I need to see all management events that may impact the security or configuration of my systems. This includes but is not limited to privileged access to my systems or data through the hypervisor or cloud management APIs.
Control: policy and assurance
Policy – I need to express and apply security policies via a method that is both human understandable and translatable into a machine-interpreted language.
Assurance – I need to know when an event or incident occurs that violates a policy, and I need a method for testing that controls exist and are effective at enforcing my policies.
Metrics: continuous and interoperable
Continuous – Per our agreed standards of measurement, I must be able to quantify the security attributes of my system. This may include but is not limited to measurements for: vulnerability, configuration, performance, incident detection, incident response, and incident containment.
Interoperable – All security-relevant data and events must be available in a documented machine-readable format. It should either comply with standards such as CyberScope and SCAP or integrate with my preferred GRC system.
If you want my money, you better not ask for much
Value – Not just cheaper than if I do it myself. Your services should give my organization new capabilities to meet our objectives. These capabilities could include user experience, logistic support, and accessibility …
No lock-in – I should be able to easily move my data and workloads back inside my enterprise or to one of your competitors.
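As an added example (not part of the original post, and not any provider's code), here is what the Management audit, Policy, Assurance, and Interoperable items above could look like in practice: each policy is written as a plain-language statement paired with a small machine-checkable form, the evaluator runs it over management-plane events delivered as JSON lines, and a self-test trips each policy on purpose to confirm the control actually fires. The event field names, the policy IDs, and the sample events are all constructed for this example.

```python
import json

# Constructed sample management-plane events in a hypothetical JSON-lines
# schema (field names are assumptions for this example, not any provider's API).
SAMPLE_EVENTS = """\
{"ts": "2012-01-24T02:15:00Z", "actor": "ops-admin-7", "actor_role": "provider-admin", "action": "hypervisor.console_open", "target": "vm-tenant-a-01", "tenant": "tenant-a", "change_ticket": "CHG-4411"}
{"ts": "2012-01-24T14:02:10Z", "actor": "ops-admin-3", "actor_role": "provider-admin", "action": "hypervisor.snapshot_export", "target": "vm-tenant-a-02", "tenant": "tenant-a", "change_ticket": null}
{"ts": "2012-01-24T14:05:33Z", "actor": "alice", "actor_role": "tenant-admin", "action": "api.security_group.modify", "target": "sg-web", "tenant": "tenant-a", "change_ticket": null}
{"ts": "2012-01-24T15:00:00Z", "actor": "ops-admin-3", "actor_role": "provider-admin", "action": "api.security_group.modify", "target": "sg-web", "tenant": "tenant-a", "change_ticket": null}
"""

# Each policy pairs a plain-language statement (what an auditor reads) with a
# machine-checkable form: "match" selects the events the policy governs and
# "require" lists what those events must satisfy. The value "present" means
# the field must be non-empty; any other value must match exactly.
POLICIES = [
    {
        "id": "MGMT-001",
        "text": "Provider staff may act on a tenant VM through the hypervisor "
                "only under an approved change ticket.",
        "match": {"actor_role": "provider-admin", "action_prefix": "hypervisor."},
        "require": {"change_ticket": "present"},
    },
    {
        "id": "MGMT-002",
        "text": "Only the tenant's own administrators may change the tenant's "
                "network security policy.",
        "match": {"action_prefix": "api.security_group."},
        "require": {"actor_role": "tenant-admin"},
    },
]


def parse_events(jsonl):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def governs(policy, event):
    """True if the policy's 'match' clause selects this event."""
    m = policy["match"]
    if "actor_role" in m and event.get("actor_role") != m["actor_role"]:
        return False
    if "action_prefix" in m and not str(event.get("action", "")).startswith(m["action_prefix"]):
        return False
    return True


def satisfied(policy, event):
    """True if every 'require' clause holds for the event."""
    for field, expected in policy["require"].items():
        value = event.get(field)
        if expected == "present":
            if not value:
                return False
        elif value != expected:
            return False
    return True


def evaluate(policies, events):
    """Return one violation record per (event, policy) pair that fails."""
    violations = []
    for event in events:
        for policy in policies:
            if governs(policy, event) and not satisfied(policy, event):
                violations.append({
                    "policy": policy["id"],
                    "ts": event.get("ts"),
                    "actor": event.get("actor"),
                    "action": event.get("action"),
                    "target": event.get("target"),
                    "text": policy["text"],
                })
    return violations


def control_effectiveness_test(policies):
    """Synthesize one deliberately violating event per policy and confirm the
    evaluator flags it. A policy that cannot be tripped is not an effective
    control, which is the assurance question the post raises."""
    results = {}
    for policy in policies:
        probe = {"ts": "probe", "actor": "probe", "target": "probe"}
        m = policy["match"]
        if "actor_role" in m:
            probe["actor_role"] = m["actor_role"]
        probe["action"] = m.get("action_prefix", "") + "probe"
        for field, expected in policy["require"].items():
            probe[field] = None if expected == "present" else "not-" + str(expected)
        results[policy["id"]] = len(evaluate([policy], [probe])) == 1
    return results


def to_jsonl(violations):
    """Emit violations in a documented machine-readable form (JSON lines)."""
    return "\n".join(json.dumps(v, sort_keys=True) for v in violations)


if __name__ == "__main__":
    found = evaluate(POLICIES, parse_events(SAMPLE_EVENTS))
    print(to_jsonl(found))
    print(control_effectiveness_test(POLICIES))
```

Run against the constructed events, the evaluator flags the ticketless snapshot export (MGMT-001) and the provider administrator editing a tenant security group (MGMT-002), and leaves the ticketed console session and the tenant's own change alone. The violation records come out as JSON lines so they can be handed to whatever GRC or SIEM tooling the customer already runs.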
