Gartner Research

Determining Criteria for Cloud Security Assessment: It's More Than a Checklist

Published: 26 June 2013

ID: G00250701

Analyst(s): Daniel Blum, Erik Heidt

Summary

Enterprises need effective and efficient cloud security assessments. This document provides guidance on developing assessment criteria that leverage existing frameworks for public cloud computing and use risk to prioritize the criteria.

Table of Contents

Summary of Findings

Guidance Context

  • Problem Statement
  • Guidance Applicability
  • Related Guidance

The Gartner Approach

The Guidance Framework

  • Step 1: Understand Business and Security Context of Cloud Assessment and Use
    • What's the Same
    • What's Different
    • Issues and Limitations
  • Step 2: Model and Assess Risk of Cloud Use
    • Identify Inherent Risks or Potential Consequences of Use
    • Determine Residual Risk After Applying Compensating Controls
    • Determine CSP Trust Requirements
    • Develop Approved Patterns for Public Cloud Use
  • Step 3: Develop Assessment Criteria
    • Refine the Security Requirements for the Use Case
    • Study the Cloud Control Standards Landscape
    • Map Requirements to Assessment Criteria
  • Step 4: Perform Assessments and Monitoring
    • Leverage Third-Party Assessments
    • Conduct the Organization's Own Assessments
    • Perform Monitoring for Medium- or High-Trust CSPs
  • Revisit and Update Approach

Risks and Pitfalls

Conclusion

Recommended Reading

©2020 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form without Gartner’s prior written permission. It consists of the opinions of Gartner’s research organization, which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or influence from any third party. For further information, see Guiding Principles on Independence and Objectivity.
