Assessing Security in the Cloud

The challenge for existing cloud users and those considering adoption is that there is no single cloud security approach.

While some organizations still aren’t ready to embrace cloud computing, 80% of them indicate a propensity to increase investments in cloud computing in years to come, according to the Gartner global cloud adoption survey in 2014. Infrastructure as a Service (IaaS) and Software as a Service (SaaS) are the most widely used cloud services.

The challenge for existing cloud users and those considering adoption is that there is not one single cloud security approach, according to Ruggero Contu, research director at Gartner, in his session “Security in the Cloud: Consider Different Risks and Opportunities” at the Gartner Security & Risk Management Summit. “Each cloud model requires a separate strategy. Whether you embrace it or not, you need to understand the reality and shadow IT. Security, whether you like it or not, must cater to the cloud security problem,” he says.

IaaS: You’re in charge
With IaaS, the security professional is in charge. The IaaS provider covers network and hypervisor security, but reviewing the implementation details falls to the organization’s security team. Consider who owns security: the IaaS provider, you, or both parties?

SaaS: Beware of Apps
For SaaS, the provider usually controls security, yet watch out for application security, which is a major vulnerability and the area of concern. The biggest breaches aren’t from the SaaS provider but from the applications that were exploited by hackers. Security professionals should consider what types of applications their employees access and whether they can recover data. Also consider inappropriate access by authorized users and access by unauthorized outsiders.


PaaS: Security and availability are critical
For Platform as a Service (PaaS), data security and system availability are critical issues. PaaS allows developers to focus on coding, but risks exist in an outsourced environment. While encryption is an option, there are issues with key management and the impact on performance.

Ruggero Contu, Gartner

Overall, Contu recommends investigating IaaS providers’ audit test claims and evaluating them against the organization’s specific security needs. For SaaS, analyze the types of SaaS applications being used, and identify the risk associated with this usage. Also, have a sound IAM strategy in place and note that Identity as a Service (IDaaS) is in growing demand. Strike the right balance to get the best of what cloud provides, but ultimately security is the responsibility of the subscriber. They cannot, and should not, ever fully delegate that responsibility.

Video replays from the Summit are available at Gartner Events on Demand.
