
To what degree do you trust a cloud provider's capability to keep your information private?

Almost everyone is using some level of cloud services in their personal lives. Do you trust that should your cloud provider's application be hacked, your cloud provider can still keep your information secured?


Best Answer

2
Andrew Baker
Director, Service Operations, SWN Communications Inc.
Posted on July 11, 2011

I try to stick with services whose processes (as I understand them) are likely to minimize data loss in the event of a breach. And, I also take my own steps to mitigate what might be lost, by using encryption or other technologies as appropriate (possible).

Granted, all sorts of changes can occur with a provider once you sign up with them -- any of which could undermine their security posture -- but all I can do is keep track of the news, and evaluate their ongoing attitude towards security and privacy.

Short of demanding (and conducting) security audits, there is little that can be done from a consumer standpoint (or a business user standpoint) to *ensure* that a breach will be thoroughly contained. It is safer for me to consider what the worst case scenario might be and use that to determine what data I store with them, and how I manage the process of providing them with it.

I have no problem severing my relationship with any organization that I think will have a hard time keeping my critical data safe.

2
erica byrd
Mobile Architect, Dominion Enterprises
Posted on July 11, 2011

Trust is not given, it is earned. I trust a provider to the degree that there is accountability, failsafe measures, and a security design and infrastructure that I feel is appropriate. It is irresponsible to assume the entirety of your data security rests blindly on a 3rd party cloud services provider. Just as we have done with other aspects of securing data in IT via different platforms, the due diligence belongs to the data owner.

1
JP Morgenthal
Principal, Ranger | Cloud & VDC Services, EMC Consulting
Posted on July 12, 2011

I don't believe trust is the appropriate model here. Trust implies that the cloud service provider would take malicious or incompetent actions that would lead to your data being compromised. Unfortunately, we don't know what we don't know, such as what attacks some hacker may dream up tomorrow or what accidental holes some operating system or application may introduce.

This is a defense-in-depth requirement. Under optimal conditions, even if your cloud service provider was compromised, your data should be compartmentalized and encrypted to a level requiring years even with supercomputing power to crack. Your service provider should ensure that the systems maintaining those keys are not directly accessible through a trusted connection to the systems that may have been compromised.

A basic audit of the CSP's security architecture will let me know if they understand the basic premise of defense-in-depth and that they are implementing the appropriate controls to ensure maximum protection as we know it today.
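The approach Andrew and JP describe (encrypt before the data leaves you, keep the keys away from the systems the provider runs) can be illustrated with a small client-side encryption routine. This is an added example, not code from the thread or any provider; the key, the object label and the sample plaintext are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Sealed is all the provider ever receives and stores: nonce plus ciphertext.
// The key stays with the data owner, so a breach of the provider's application
// or storage exposes only this opaque blob.
type Sealed struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewOwnerKey generates a 256-bit AES key that never leaves the owner's side.
func NewOwnerKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates plaintext with AES-256-GCM before upload.
// The label (e.g. the object's path) is bound as associated data, so one
// stored object cannot be silently substituted for another on download.
func Seal(key, plaintext []byte, label string) (Sealed, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return Sealed{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Sealed{}, err
	}
	return Sealed{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, []byte(label))}, nil
}

// Open decrypts a downloaded object and rejects it if it was modified,
// encrypted under a different key, or stored under a different label.
func Open(key []byte, s Sealed, label string) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, s.Nonce, s.Ciphertext, []byte(label))
	if err != nil {
		return nil, errors.New("object rejected: tampered, wrong key, or wrong label")
	}
	return pt, nil
}

func main() {
	key, _ := NewOwnerKey()
	s, _ := Seal(key, []byte("committee notes (constructed sample)"), "docs/notes.txt")
	fmt.Printf("provider stores nonce+ciphertext only: %x...\n", s.Ciphertext[:8])
	pt, err := Open(key, s, "docs/notes.txt")
	fmt.Println(string(pt), err)
}
```

The same data read back without the owner's key, or after the provider's copy is altered, fails authentication rather than yielding plaintext.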

0
Steve Heusser
Operations Manager, SolutionPro Inc
Posted on July 12, 2011

Maurene,

From my perspective I would say that trust is directly tied to transparency. You would need visibility into all of the facets of their solution to know how much control they can even have over the security of the data. Who has physical access to the devices that process and store the data? Who has virtual access to these? What contractors are used that may have access? Do these contractors use sub-contractors? Is this data replicated to another provider and if so all of the same questions apply.

You can find cloud solutions that can go 7 layers deep of contractors and sub-contractors or sites that replicate their data to a contractor who stores that data with someone else. To trust your provider they should be able to answer to the cradle to grave chain of custody of the data and identify everyone who is granted access. Once you know this information you can then inquire about the anti-penetration tactics taken at each physical and logical step your data takes. Once you actually know where your data goes and who can handle it, you can then begin to have some trust in your provider.

0
Maurene Grey
Founder, Principal Analyst, Grey Consulting
Posted on July 14, 2011

Thank you, Erica, Andrew, JP and Steve, for your thoughtful responses. I tend to use a lot of cloud services--for business and for personal data. Like Andrew, I follow the news about vendors that I use. And as Erica said "due diligence belongs to the data owner." That said, I also only put data in the cloud that is not sensitive. For example, I use Dropbox. When its data security was called into question, I decided to keep Dropbox because: 1) I have a copy of my Dropbox data, so data loss wasn't a consideration; 2) The data is being used by a committee for collaboration purposes...none of which is sensitive.

I agree with you, JP, that service providers don't take malicious or incompetent actions--it would be viability foolish. As with any business, though, stuff happens. Steve, I would look at the items you mention if I were using a business-level service. For consumer-based, that type of information is not easily available and most people wouldn't understand it anyway.

One more item to consider before using a service provider (free or for-fee) is to read through their privacy policy. Every vendor has an "I accept" the terms box. However, I suspect that most folk scroll to the bottom, without reading the terms, and click "I accept" so they can move on with the install.

0
vee srinivas
Consultant on Computer Systems & Security, Free Lancer
Posted on July 16, 2011

There are various models available and some of these - problems, questions to ask are brought out in the NIST and other Security sites. The key to this is transparency of the vendors to questions put out by the prospective client. The client has to know what he wants - the cloud provider is not going to educate him.

A bigger problem to address is the one where the cloud provider may decide to drop you unceremoniously - right from the fact that he does not like your face to pressure from the powers that be. Your information then becomes "private" from you also.
