Less Trust, More Security: The New Model Of Cloud Operations

To be able to trust cloud computing, you need to be able to trust it less. Here’s a look at the cloud/trust paradox, and what your business can take away from it.

At their core, many discussions about cloud security—and, in fact, cloud computing—ultimately distill to one major theme: trust. Being able to trust your cloud provider is a much bigger issue than cybersecurity alone, or even than security, privacy, and compliance combined.

This trust may involve geopolitical matters focused on data residency and data sovereignty. Or it may even be about emotional matters—something far removed from the digital domain of bits and bytes. As Gartner analyst Jay Heiser noted in the opening passage of this report, “CIOs need to ensure their security teams are not holding back cloud initiatives with unsubstantiated cloud security worries.”

In the decade since the rise of cloud computing, a lot of research has been generated on the topic of cloud trust. Today, the very concept of “using public cloud” is inseparably connected to “trusting your cloud provider.” One of the clear paradoxes that has emerged is that to be able to trust cloud computing, you need to be able to trust it less. Here’s a look at what that means, and what your business can take away from it.

The cloud/trust paradox: A hypothetical (but illustrative) example

To help understand this paradox, let’s go through a simple thought experiment. Imagine you are vetting two different cloud providers:

  1. One has a lot of well-designed data security controls.
  2. One has a lot of well-designed data security controls as well as the ability to let you, the customer, hold the encryption key for all your data without the provider seeing the key.

While security, privacy, and compliance controls certainly contribute to your ability to trust in cloud computing and your cloud provider, it is still easier to trust if the trust barrier is lowered—meaning, more control is put into your hands. 

Moreover, there is additional magic in this: I bet that simply knowing that a provider—such as the one in example #2—is working in the direction of reducing the amount of trust you need to place in them will probably make you trust them more. This is true even if you don’t use their specific tools that help to lower the trust barrier. 

At Google, actual examples of these tools include Google Cloud External Key Manager, which allows a customer to keep encryption keys on premises so that Google never sees them, and Confidential VMs, which keep sensitive data encrypted and unreadable during processing (a good read on this topic can be found here). I think this logic also applies to cases where a public cloud environment is measurably more secure than an on-premises environment built using older technology—even though an on-premises environment somehow feels easier to trust.

Specific examples: How lowering the trust barrier can help address threat scenarios

However, such technologies are not only about the notional trust benefits—let’s speak more concretely about defending against threats. This approach of lowering the trust barrier also helps to address specific threat scenarios such as:

  • Accidental loss of encryption keys by the provider (which would make your data unreadable)—a very unlikely occurrence in real life.
  • A mistake made when configuring cloud security that leads to the loss of an encryption key.
  • Theft of a key from a cloud provider environment by a criminal.
  • Intentional or unintentional acts by employees that lead to data disclosures or breaches.
  • A scenario where pressure is placed on a cloud provider to disclose an encryption key, which can lead to customer data being disclosed without the customer’s permission or even knowledge.

In real life, an organization will apply such trust reduction (or, better: “trust externalization”) for some of the data that is truly the most sensitive.

Keep your company in control: More benefits of less trust

Technologies that lower the trust barrier do more than mitigate security threats. Their contribution to compliance is also significant. For example, because you have complete control over your encryption keys, you can also meet compliance mandates to keep them separate from data.

Having direct control over key access also enhances trust because it gives you the strongest levels of control over your data stored in the cloud. Retaining control of the keys gives your IT teams the ability to cut off data processing in the cloud in case there is a risk of that data being disclosed without authorization. This is important for actual threats (like a compromised administrator account), unauthorized disclosure (such as to law enforcement), and for demonstrating proof of compliance and security diligence.

Lastly, here is an interesting case to consider: you may trust your cloud provider, but have concerns about the laws under which they operate. This is where trust again moves outside of the digital domain into a broader world. Google’s trust-requirement-reducing approach works here as well—after all, if nobody outside of a customer has the keys, nobody can compel any third party (including a cloud provider) to reveal the keys and, hence, the sensitive data.

Now, a trick question: won’t there be a challenge of needing to trust the provider to build the “trust reducing controls” correctly? Yes. However, we think there is a big difference between “just trust us” and “here is the specific technology we build to reduce trust; trust we built it correctly because of these reasons.” This illustrates another point about trust quite well: A provider can create trust through transparency, so knowing how a technology is built, implemented, and operated helps you to decide whether to trust it. In other words, “trust us because we let you trust us less.”

The bottom line

In summary, be aware that trust is much broader than security, compliance, and privacy. And while it is easier to trust a cloud provider that enables you to trust them less, remember that specific threat models still matter—increased trust alone probably won’t make people adopt new technologies. Finally, choose cloud computing providers that allow you to benefit from the full power of cloud computing without needing to place a substantial amount of trust in them.
