For all its popularity today, cloud computing wasn’t considered a viable option by large, established enterprises for a long time. The reason is surprisingly straightforward: how can customers of cloud computing trust that the cloud provider is not tampering with, or gaining unauthorized access to, their private data?
To date, there is no technical limitation that stops a malicious internal actor (a cloud provider employee or contractor, or an external agent who has breached the provider organization) from accessing, copying, and selling customer information.
A cloud provider therefore needs to assure its customers that it has adequate internal processes in place to detect, quarantine, prevent and fix such issues.
SOC 1/2/3, ISO 27001, PCI-DSS and HIPAA are different, related and sometimes information-specific sets of control certifications that define how information is managed, secured, accessed and made available to customers by a cloud provider.
Once a cloud vendor is confident that it has adequate internal processes satisfying these sets of controls, it hires a neutral outside firm to audit those processes and produce a certification report with any findings. This report is then shared with customers. The audit is typically repeated annually to ensure continued adherence to the controls.
I am a specialist in building and operating cloud vendor computing platforms, and one of my responsibilities is to work with both internal and external auditors to ensure adherence to these information controls.
If applied literally, these process controls are onerous for software engineers who also operate what they build (devops, in common industry usage), and they reduce development productivity dramatically. Furthermore, the resulting processes are brittle and prone to breakage.
Another way that large cloud providers (Google, for example) shield their developers is by having separate site reliability engineering (SRE) teams own all aspects of operating the information systems. This relieves the software development teams of these and other concerns.
I consider these controls engineering requirements for both the development and operational aspects of the cloud provider platform.
In further blog posts on the topic, I will discuss specific controls, and how we solved for them securely, reliably and conveniently for both customers and developers.