Trust: Don’t Engage with the Boy Who Cried Wolf

My mother read many stories to me as a child. One of these stories was Aesop’s fable of the Shepherd Boy who Cried Wolf. While there are several morals taught in this story, one of them is that people have a low tolerance for untrustworthy people and organizations. Specific to business, people may trust and try a service or solution once or twice, but if they find it untrustworthy over time, they move on. Unfortunately, some cloud service providers have not lived up to their promises around reliability and security, rushing solutions to market without ensuring that they are ready for primetime.

Our “Cloud Computing Tipping Point” survey found that 52 percent of organizations would choose the cloud as its platform of choice over in-house or on-premises options for new business applications. However, another recent study showed that organizations worry about security (for 66 percent), governance and compliance (60 percent), and privacy (57 percent) as it relates to the cloud. While the vast majority of companies that I meet with plan to migrate to the cloud, there seems to be a common concern: Trust. They all want assurances that they are choosing a cloud service provider they can trust.


So, what should organizations be looking for when evaluating cloud service providers? 


Availability and performance

Availability is paramount when choosing a cloud service provider. I’ve written in the past about why multi-instance architecture results in fewer availability issues for customers. Organizations cannot afford to experience outages caused by upgrades or maintenance issues. Ensuring availability means that vendors must provide true redundancy. This is so important that it is one of the reasons we provide the industry’s only real availability dashboard that reports on all cloud instances.

With multi-instance cloud technology, each fully-redundant data center is always operational and active. And, if there are issues, instances will be moved instantaneously between data centers using automation technology – ensuring high availability of cloud data.

Security and assurance

Authentication, authorization and encryption are key to providing cloud security. Good security always begins with authentication. Cloud service providers should offer multi-factor user authentication and tools that provide additional layers of enterprise security. Authorization of user access is a second way to secure the cloud. When a user is logged into a cloud platform, his or her access to data should be based on role-based access control. Because of this, users only have access to information that they need in order to do their jobs and not more, providing a high level of security.

Encryption comes next, ensuring that only users that have access to data are able to see that data. This means that data cannot be read in transit across the internet because it is encrypted. Data should also be encrypted while at rest while stored in databases. While these three principles are required in every cloud implementation, cloud vendors may add others to a strong security architecture that provides for secure data handling and physical security. For example, security should be robust enough to protect against DDoS and other volumetric attacks.

Visibility and control

In order to make the enterprise cloud the platform that drives all enterprise workflow, cloud service providers must provide its customers with greater transparency into the visibility and the control they have in their own data centers. Organizations should be able to request and know the physical location of datacenters – where their service and data physically resides. An additional element of visibility is the level of granularity around availability metrics. Cloud service providers should deliver instant information around the availability of each of its customers’ instances vs. providing an aggregate metric based on all of its customer instances. It should also give its customers access to the root cause of incidents, transactions impacting customer instances and all associated details. When problems arise, they should be visible to the customer. A customer should be given information about the issues and insight into how the issues are being resolved.

Enterprises are used to running their own services, with the ability to monitor and see their data on a daily basis. They want complete control of their instances including when their service will be upgraded or when new features will be enabled. A cloud service provider should be able to provide its customers with full visibility and control over when services are being changed or updated.

Compliance

Cloud computing has made geopolitical barriers ambiguous and changed the way governments and businesses look at data. As a result, governments have put in place regulations that monitor the use, collection, and distribution of their citizen’s data. The new General Data Protection Regulation (GDPR) is one such regulation that establishes requirements for protecting and enabling the privacy rights of European Union (EU) citizens and residents.

It makes sense that governments have laws to protect the data of the consumers and organizations that reside within their boundaries. But enterprises may face regulatory action and other disruption if they do not put in place controls to properly process, handle and store regulated data.

Most organizations simply don’t have the time to navigate through the jungle of country-specific rules and regulations. It is complicated. This is one reason why the ServiceNow Community Site hosts ServiceNow CORE (Compliance Operations Readiness Evidence). CORE provides an extensive set of documentation that outlines how customers can address compliance and regulatory requirements for cloud services.

At ServiceNow, we are committed to delivering reliable and secure cloud services. We understand that earning your trust involves giving you confidence in our ability to prevent and mitigate security threats, protecting the privacy of your data, and helping you comply with a growing number of global mandates. We encourage all our current and potential customers to learn more about how our cloud services meet the most stringent standards for performance, scalability, security, privacy, and compliance by visiting our new ServiceNow Trust site.