The near final draft of the NIST Cloud Computing Standards Roadmap has been posted. I submitted a lot of updates and this paragraph stood out to me in particular:

Auditing is especially important for federal agencies and “agencies should include a contractual clause enabling third parties to assess security controls of cloud providers” (by Vivek Kundra, Federal Cloud Computing Strategy, Feb. 2011.) Security controls are the management, operational, and technical safeguards or countermeasures employed within an organizational information system to protect the confidentiality, integrity, and availability of the system and its information. For security auditing, a cloud auditor can make an assessment of the security controls in the information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

It might not be wise for me to draw the attention of a man who pretends on TV to play Russian roulette with a nail gun, but the above paragraph indicates to me that Google’s cloud campaign spokesman may be headed for trouble.

Eran Feigenbaum, who is apparently also known as a Television magician or “mentalist”, has boasted on numerous occasions that customers do not get to audit Google. He has even said if customers need to audit an environment, Google is not the right place for them. Anyone who wants assurances about things like password protection is told to read their SAS 70.

So, I wonder…if Feigenbaum were selling houses made by Google would he say “you don’t get windows, you just get a list from us of what’s on the other side of this wall: tree, grass, bird…it’s all there, trust us”? They appear to be floating a non-standard definition of transparency.

We’ve been very transparent about our FISMA authorization. Our documentation has always been readily available for any government agency to review, and dozens of officials from a range of departments and agencies have availed themselves of the opportunity to learn more about how we keep our customers’ data secure.

What does it mean to be “availed of the opportunity to learn more”? I had to look up Feigenbaum’s experience with compliance and information audit to get some perspective. His public profile says little other than he spent a couple years as a sales engineer before jumping to a CISO title at a consulting firm and then Google. Surprise. Not transparent. Did I avail myself of the opportunity to learn more?

So, it will be interesting to see if/how cloud providers will change their messaging around audits if NIST avails themselves of this opportunity to push through their draft definition:

…agencies should include a contractual clause enabling third parties to assess security controls of cloud providers.

Amazon has adjusted itself already to the PCI DSS, which requires auditors on-site. Can Google catch up?