Google tool signals move to greater cloud transparency

Access Transparency users can review the work Google admins did on their cloud accounts. It's a step toward greater accountability, but large organizations will want even more.

Although the cloud offers convenience, many organizations feel uneasy when they hand management of their computer systems to a third party.

Organizations use public clouds to offload maintenance of the infrastructure that underpins their business applications, but they also move one layer away from their business systems in the process. Enterprises want more public cloud transparency and control over how their applications are managed. To address this need, Google added Access Transparency so customers can examine one small piece of the provider's data center tools: its service logs.

Enterprises that build private clouds rely on multiple tools to manage, monitor, secure and track application performance. Data center technicians spend much of their days dug into system innards so they can perform tasks, such as pinpointing bottlenecks or determining if an outsider accessed confidential information.

Organizations that opt for public cloud services lose visibility. Historically, cloud vendors haven't provided customers access to any of their internal management, monitoring and security tools.

"Transparency has been a big issue with public cloud," said Torsten Volk, managing research director at Enterprise Management Associates.

Typically, cloud vendors generate service-level agreement reports and invoices about resources consumed, but clients cannot examine what actually happens inside public cloud data centers.

"Public cloud providers tell users, 'Trust us, we will put checking [in] place to protect your data,'" said Steve Riley, senior director and analyst at Gartner. "Some companies feel nervous about taking that step."

Google opens its logs

Organizations use Access Transparency to examine Google's internal data center logs pertaining to their accounts and to gain control over the vendor's related actions. Google admins occasionally access user content for a variety of reasons, including user support requests, system maintenance and audits to check for security, fraud and compliance with the terms of service.

The logs outline what steps an administrator took to address any issues that occur with the customer's service. Google must receive permission from the account manager to tinker with software or hardware that's tethered to any of the organization's workloads with sensitive information.

The service works with six Google Cloud Platform services: Compute Engine, App Engine, Cloud Storage, Persistent Disk, Cloud Key Management Service, and Cloud Identity & Access Management. Google plans to add support for more services in the future, including BigQuery.

It's also only available to customers with one of the following support packages: Gold, Platinum, Enterprise, four or more Development roles, four or more Production roles, or a combination of the two role-based supports.

Access Transparency helps customers to closely monitor Google's maintenance work. For example, if a customer previously opened a ticket with Google Support in response to slow user response times, it couldn't track what steps the vendor took to resolve the problem. Now, users have access to that information and a degree of cloud transparency.

Logs are vital to system security. Data center teams examine the logs for aberrant behaviors that may illustrate repeated attempts by an outsider to break into a system. If a breach occurs, the trail is usually in the logs, so the IT team can go back and determine how the intruder accessed its system.

An auditing aid

The feature helps companies with tasks such as system audits. Often, with an audit, a company has to produce reports that illustrate how its systems work and what steps it has taken to perform tasks, including the protection of confidential information.

These data center process reports have become more important as new regulations emerge. Standards, such as the Health Insurance Portability and Accountability Act, have been in effect for decades, but more recent regulations, like GDPR, have been added to the growing list of cloud reporting requirements.

It can take an organization months to create a report that illustrates that its system meets these various requirements, Volk said. An IT team needs to write software to pull the pertinent information from different systems and put it in a format that illustrates the organization's compliance with various regulations.

Noncompliant companies could face censure and fines, so customers will want automation to sort through the massive amounts of data these logs generate. To that end, enterprises can incorporate Cloud Access Transparency logs into their existing security information and event management tools.
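One way to automate that sorting before entries reach a SIEM, as an added example that is not from the article or from Google: it matches each provider access against the customer's open support tickets and flags the rest for review. The field names, reason types and log name follow the Access Transparency entry layout as assumed here and should be checked against Google's current documentation; `open_cases` and the sample entries are constructed.

```python
import json
import re

AT_LOG = "cloudaudit.googleapis.com%2Faccess_transparency"
CASE_RE = re.compile(r"Case number:\s*(\S+)")

def sample(ts, rtype, detail, log=AT_LOG):
    """Build one constructed log line; field names are an assumed layout."""
    return json.dumps({
        "logName": "projects/example-proj/logs/" + log,
        "timestamp": ts,
        "jsonPayload": {
            "reason": [{"type": rtype, "detail": detail}],
            "accesses": [{"methodName": "GoogleInternal.Read",
                          "resourceName": "buckets/example-bucket"}],
        },
    })

# Constructed sample input, not real log data.
SAMPLE_LINES = [
    sample("2019-01-10T09:15:00Z", "CUSTOMER_INITIATED_SUPPORT", "Case number: 1001"),
    sample("2019-01-11T02:40:00Z", "CUSTOMER_INITIATED_SUPPORT", "Case number: 9999"),
    sample("2019-01-12T13:05:00Z", "GOOGLE_INITIATED_REVIEW", ""),
    sample("2019-01-12T14:00:00Z", "n/a", "", log="cloudaudit.googleapis.com%2Factivity"),
    "{truncated",
]

def triage(lines, open_cases):
    """Return (timestamp, verdict) for every Access Transparency entry."""
    results = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            results.append((None, "unparseable"))  # keep for follow-up, never drop
            continue
        if not entry.get("logName", "").endswith(AT_LOG):
            continue  # some other audit log stream
        verdict = "review: provider-initiated"
        for reason in entry.get("jsonPayload", {}).get("reason", []):
            if reason.get("type") != "CUSTOMER_INITIATED_SUPPORT":
                continue
            case = CASE_RE.search(reason.get("detail", ""))
            if case and case.group(1) in open_cases:
                verdict = "expected: ticket " + case.group(1)
                break
            verdict = "review: no matching open ticket"
        results.append((entry.get("timestamp"), verdict))
    return results
```

Calling `triage(SAMPLE_LINES, open_cases={"1001"})` yields one expected access, two entries to review and one unparseable line; the verdict strings can be forwarded as a tag on the event.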

 "Ideally, a company wants its system to be audit-ready so they can generate needed reports in a timely manner," Volk said.

Cloud transparency and the competitive landscape

Microsoft has a similar feature, Customer Lockbox, with its Office 365 service. The vendor asks for permission before it looks at or alters customer data. This feature is only available to high-priced Office 365 clients and not all of its customers, Riley said.

Microsoft also has a public preview of Customer Lockbox for Azure. Currently, AWS does not offer users access to any of its internal data center tools.

The various logging services available represent the first in a series of steps from suppliers. These logs provide large companies with a small glimpse into what happens when public cloud vendors run their applications. They can see what a system administrator did -- perhaps run a test to identify why a connection is running late -- but they can't monitor the test that was run or the actual results.

Ideally, customers that are accustomed to micromanagement of their data center assets want even more cloud transparency, including access to all the monitoring and security tools a vendor uses to support their services.

However, it will be a significant undertaking for cloud providers to offer even more transparency. They'll have to do considerable integration and development work, while still ensuring they don't create new security holes in the process.

"Google's data center is complex, and the company needs to ensure that clients access only their own service logs," Riley said.

Enterprises that want total cloud transparency won't get it overnight. It will take time, but Google has taken an important step in that journey.

"I expect that the public cloud vendors will provide customers with access to more of their operations information in the future," Volk said.
