Many of you will recall one of President Ronald Reagan’s signature phrases, “Trust, but Verify.” Although not directly attributable to Reagan (it’s actually based on a Russian proverb), Reagan used this statement extensively to describe negotiations with the Soviet Union in the 1980s. The crux of the proverb: Consider information reliable, but perform additional research to verify.
The same advice has been used for years for buyers of information technology (IT) services. Buyers generally consider information in a request for proposal to be reliable, but as part of the agreement, clients build in audit rights to ensure the provider is adhering to the unique security requirements that were dictated as part of the contract.
This model has stood the test of time for one primary reason: Services have been built to specifications using dedicated hardware and software uniquely configured to meet the client’s security requirements. Because the services are dedicated to the client, there is (usually) no technical or contractual reason that the buyer can’t physically and/or logically audit the services.
The traditional “Trust, but Verify” model looks like this:
Enter multi-tenant cloud platforms. In this delivery model, the services are shared across thousands of clients (also known as “tenants”). Each client’s data is isolated from other clients’ data using software rather than hardware, so clients share the same cage, rack and even server. Although this delivery model creates significant economies of scale for the provider and enables much faster time-to-market for the client, it also creates a dilemma: How can a client audit an environment that it shares with other tenants? This question usually centers on two major areas of concern for the provider:
- If I let a client try to break, or break into, the service, that client may interrupt the service for other tenants, resulting in missed service levels.
- If I let a client enter the cage where that client’s tenant resides, I am likely to breach the confidentiality agreements of other clients.
In the world of multi-tenant services, the Trust, but Verify model still works; the way buyers verify, however, is very different:
In the new model, providers identify the relevant industry standards and frameworks they choose to be audited against (e.g. SOC1, SOC2, ISO 27001, PCI) and hire external auditors to provide an attestation or certification against those standards and frameworks. The provider then shares these results with clients, usually under nondisclosure agreements, at regular intervals.
Although this all seems quite reasonable, it’s an epic shift for enterprise IT buyers who are accustomed to 1) dictating security requirements and 2) auditing those requirements themselves. This is especially the case with large enterprises that bring 50,000 to 100,000 users to a service provider. Until now, when a prospect came to the table with this sort of volume, providers would do anything needed to win the business — including adapting to, and being audited under, the client’s unique security requirements.
This shift is still in its infancy, but leading cloud providers are turning up the heat on enterprise buyers as they win more business under their standardized terms. The key message here: Make sure you trust who’s doing the verifying.