The time has come for service providers and consumers to move to a security model better suited to the cloud computing era, says cloud-based content management and collaboration firm Box.com.

The firm has pursued transparency or openness as a key policy to establish trust with customers concerned about security in the cloud environment.

Customers are able to access all activity and transactions related to their content and even download that data to their security information and event management (Siem) systems.

They also have access to SOC1, SSAE16, SOC2, ISO27001 and internal audit reports and quarterly penetration test reports.

Box.com even allows customers to perform their own penetration tests.

In pursuit of greater transparency, Box.com has also achieved compliance with the US health sector HIPAA standard and is working on compliance with the US government FedRAMP cloud security assessment programme.

The importance of security

At the same time, cloud providers must strive to make security a differentiator by building products that share the customers' objective of fending off attackers and ensuring confidentiality, integrity and availability, said Somaini.

Transparency around activity and transactions relating to content is a key component, he said, but many cloud providers still do not allow customers to access logs to see what is going on. Many also still do not have good security certifications or detailed audits to provide a level of transparency around how they are managing content.

Without transparency there can be no trust, said Somaini, which is why he is forging a new security model that is aimed at enforcing this principle in the cloud services industry.

"One of the things I am calling for in the industry is a more detailed and prescriptive audit and certification specifically for cloud providers," he said.

For example, it should require cloud providers to supply all documentation on how they work instead of just a certification letter, and allow customers to view and download all transactions on their data. Other important questions would be around providers' ability to assist in any e-discovery requirements, how they defend against advanced cyber threats, and how they deal with application security.