Business use of cloud-based computing services is growing, and enterprise security programs need to evolve. This Spotlight presents research around securing use of the cloud and using the cloud to deliver new security approaches.
In our most recent Hype Cycle on cloud computing ( "Hype Cycle for Cloud Computing, 2011" ), Gartner positioned cloud computing firmly atop the Peak of Inflated Expectations, nearly identical to where we had it in 2010. While there certainly is an enormous amount of hype around cloud computing overall, Gartner has seen rapid adoption of software as a service (SaaS), early adopter clients testing infrastructure as a service (IaaS) and platform as a service (PaaS), and strong growth in cloud delivery of security services. For these reasons, we've given this Spotlight on securing and managing cloud a "how to" focus, rather than the "What does it mean?" focus we took in our 2010 cloud security Spotlight.
Figure 1 shows why we think this is an important time to be thinking through how you will secure your business's use of cloud computing. Gartner has identified the typical stages that enterprises will go through, from data center virtualization, to private cloud, to hybrid cloud use, where "cloudbursting" to external cloud resources augments local data center/private cloud capacity. In Gartner's most recent survey of data center managers, close to half believe they will be using hybrid cloud (see "Design Your Private Cloud With Hybrid in Mind" ) by 2015, and almost one-third believe they will be delivering private cloud capabilities. To do either of these things, IT architectures and processes will need to change and extend, and the same is true for security capabilities. Now is the time to plan how company and customer data will be protected when public and private cloud services are used, and how security policies and architectures can take advantage of cloud delivery to actually increase levels of security.
Source: Gartner (May 2012)
An important input to Gartner research is the constant stream of inquiries from Gartner clients, both direct to Gartner analysts and via searches of gartner.com. In "Top 10 Gartner Client Inquiries in Cloud Security," we look at the trends that data reveals. Gartner clients have moved from asking tutorial questions about cloud security to looking for ways to evaluate the relative levels of security of various cloud offerings. The demographics of the search data show early interest by the services and education industries, as well as small businesses.
Gartner also performs primary research, surveying industry IT decision makers on a wide variety of topics. In January 2012, we conducted a survey of information risk management professionals in the U.S., Canada, the U.K. and Germany. The survey population was 425 respondents with security or risk responsibility at firms with at least 500 employees and $500 million in revenue. "Survey Analysis: Assessment Practices for Cloud, SaaS and Partner Risks, 2012" shows the results of that survey compared to previous years. One of the key findings shows that organizations of all sizes are increasingly willing to place their data in the cloud, and while the percentage of those that have formalized processes for the assessment of the associated risk has increased, 50% still do not have such formalized processes in place.
One of the reasons it is important for enterprises to assess the risk of using cloud-based services is that they will always retain the ultimate liability for loss or exposure of customer information in the event of a security incident involving those cloud services. The contractual means of limiting that liability is to have the appropriate clauses in your contracts with cloud service providers. "IT Procurement Best Practice: Nine Contractual Terms to Reduce Risk in Cloud Contracts" provides guidance on the critical contract language to include. "Best Practices for Limiting Data Protection Exposure in the Cloud" provides Gartner's recommendations for addressing liability around the loss of access to sensitive data stored or processed in cloud services.
The best way to limit your liability, of course, is to avoid security incidents by minimizing vulnerabilities and using effective security controls. Many organizations have made significant progress in increasing the security levels of their own infrastructures, and will need to extend those security processes out to cloud services. "Application Security Testing of Cloud Services Is a Must" lays out several models for assuring that cloud-based applications are fully tested for application-level vulnerabilities prior to operational use. Of course, there is no such thing as software that stays vulnerability-free over time, and patching of software will always be required. "Extending Patch and Vulnerability Management to the Cloud" details several scenarios for ensuring that SaaS, IaaS and PaaS offerings meet the requirements for patch management.
While vulnerabilities can enable external attackers to compromise systems and inflict severe business damage, accidental data disclosures have been a constant problem as well. The cloud represents another potential path for unintended data leakage or loss. "Data Security Monitoring for the Cloud: Challenges and Solutions" describes the major issues around maintaining data-aware security controls when cloud services are used, and details recommended approaches for minimizing the risks.
Most enterprises will end up using a mix of cloud services across SaaS, PaaS and IaaS, along with a continuing inventory of internally hosted applications. Extending identity and access management across this array of services will require new security processes and new delivery mechanisms for authentication and authorization controls. When new employees join the company, they will now need to be provisioned into external cloud-based applications as well as into internal applications. More importantly, when their privileges change or when they leave the company, they will need to have their access rights modified or removed across that increasingly complex array of applications; an account that survives in an external SaaS application after its owner has left is an exposure the enterprise, not the provider, is accountable for. "A Guide to Making the Right Choices in the Expanding IDaaS Market" details Gartner's view of how identity and access management services will need to evolve to deal with this, while the recently published "Magic Quadrant for SOA Governance Technologies" compares products that are increasingly playing a role in supporting identity federation across business partners and cloud services.
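The joiner/mover/leaver problem described above, in working form, as an added example that is not part of this Spotlight or of any Gartner product: a reconciliation pass that compares an HR roster and a role model against per-application account exports and emits the provisioning, adjustment and removal actions needed to keep them aligned. The roster, the role model, the application names (erp-saas, mail-saas, code-saas, iaas-console, ticket-saas) and the account data are all constructed sample inputs, not real systems or real identifiers.

```python
"""Joiner/mover/leaver reconciliation across an inventory of applications.

Added example, not from the Gartner Spotlight. Every data set below is
constructed sample input with made-up application and user names.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed HR roster: the authoritative record of who is employed and in what role.
HR_ROSTER = {
    "alice": {"status": "active", "role": "finance"},
    "bob": {"status": "active", "role": "engineering"},
    "carol": {"status": "terminated", "role": "finance"},  # leaver: every account must go
    "dave": {"status": "active", "role": "support"},       # mover: was in engineering before
}

# Constructed role model: the entitlement each role should hold in each application.
# An application missing from a role's map means that role gets no account there.
ROLE_MODEL = {
    "finance": {"erp-saas": "accounts-payable", "mail-saas": "user"},
    "engineering": {"code-saas": "developer", "iaas-console": "operator", "mail-saas": "user"},
    "support": {"ticket-saas": "agent", "mail-saas": "user"},
}

# Constructed per-application account exports: user -> entitlement currently held.
APP_ACCOUNTS = {
    "erp-saas": {"alice": "accounts-payable", "carol": "accounts-payable"},
    "mail-saas": {"alice": "user", "bob": "user", "carol": "user", "dave": "user"},
    "code-saas": {"bob": "admin", "dave": "developer"},           # bob over-privileged; dave's stale mover access
    "iaas-console": {"bob": "operator", "svc-backup": "operator"},  # svc-backup has no HR record
    "ticket-saas": {},                                            # dave never provisioned here
}


@dataclass(frozen=True)
class Action:
    kind: str              # remove-leaver | remove-mover | adjust | provision | review-orphan
    app: str
    user: str
    current: Optional[str]  # entitlement held now (None if no account exists)
    target: Optional[str]   # entitlement the role model requires (None if none)


def reconcile(roster, role_model, app_accounts):
    """Return the access changes that make every application match roster and role model."""
    actions = []
    # Pass 1: every existing account must still be justified by an active person's role.
    for app, accounts in app_accounts.items():
        for user, entitlement in accounts.items():
            person = roster.get(user)
            if person is None:
                # No HR record at all: orphan or service identity; needs a named owner.
                actions.append(Action("review-orphan", app, user, entitlement, None))
            elif person["status"] != "active":
                # Leaver: remove regardless of what the entitlement is.
                actions.append(Action("remove-leaver", app, user, entitlement, None))
            else:
                target = role_model.get(person["role"], {}).get(app)
                if target is None:
                    # Mover who kept access the new role does not include.
                    actions.append(Action("remove-mover", app, user, entitlement, None))
                elif target != entitlement:
                    # Entitlement drift (here: bob holds admin where developer is required).
                    actions.append(Action("adjust", app, user, entitlement, target))
    # Pass 2: every active person must hold each account the role model requires.
    for user, person in roster.items():
        if person["status"] != "active":
            continue
        for app, target in role_model.get(person["role"], {}).items():
            if user not in app_accounts.get(app, {}):
                actions.append(Action("provision", app, user, None, target))
    return sorted(actions, key=lambda a: (a.kind, a.app, a.user))


def summarize(actions):
    """Count actions by kind, so the urgent removals can be reported separately."""
    counts = {}
    for a in actions:
        counts[a.kind] = counts.get(a.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for a in reconcile(HR_ROSTER, ROLE_MODEL, APP_ACCOUNTS):
        print(f"{a.kind:14} {a.app:13} {a.user:11} {a.current} -> {a.target}")
```

In practice the account exports come from each provider's administrative API or SCIM endpoint rather than from literals, and the pass is run on a schedule with remove-leaver treated as the urgent queue. The review-orphan bucket is what surfaces service accounts and vendor-created logins that never passed through HR, which is exactly the population a roster-driven process would otherwise never see.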
Every time IT adds new delivery mechanisms for applications, security needs to quickly add those same delivery mechanisms. This was true when we moved from mainframe to client/server, and from client/server to Internet, and it will be true as cloud-based delivery grows. Cloud-based delivery will be required for most security controls; identity and access management as a service is one example. "The Growing Adoption of Cloud-Based Security Services" provides Gartner's projections for how rapidly other areas of security will add cloud-based delivery.
We have focused the majority of this Spotlight on securing the use of public cloud services, but private cloud services also require security processes and controls to evolve and adapt. For most organizations, private cloud will happen before any use of public IaaS or PaaS, so the security and management decisions made for private cloud can ease the path for secure use of public cloud. "Make Optimizing Security Protection In Virtualized Environments a Priority" provides guidelines for focusing on the best ways to roll out private cloud services as securely as possible. "How to Build An Enterprise Cloud Service Architecture" points out that both private and hybrid cloud services will require cultural and political changes inside the IT organization to enable the automation of predefined planning, policies, service levels and automated actions on the runtime environment, as opposed to the manual initiation of scripts or workflows.
To tie many of these concepts together, we've included a case study of the process a financial organization went through to implement hybrid cloud. "Case Study: Securing the Cloud" describes the security features that enabled a high-value application running in internal data centers to be "cloudburst" to a public IaaS provider to support business demands for global, elastic service delivery.