October 10, 2019
Contributor: Kasey Panetta
Gartner offers recommendations for developing a cloud computing strategy and predictions for the future of cloud security.
Cloud security breaches consistently make news headlines. Yet, the stories of these breaches are often framed with vague explanations — a “misconfigured database” or mismanagement by an unnamed “third party.”
The ambiguity that surrounds cloud computing can make securing the enterprise seem daunting. Concerns about security have led some CIOs to limit their organizational use of public cloud services.
However, the challenge exists not in the security of the cloud itself, but in the policies and technologies for security and control of the technology. In nearly all cases, it is the user, not the cloud provider, who fails to manage the controls used to protect an organization’s data.
“CIOs need to ensure that their security teams are not holding back cloud initiatives with unsubstantiated cloud security worries,” says Jay Heiser, Vice President Analyst, Gartner. “Exaggerated fears can result in lost opportunity and inappropriate spending.”
CIOs must change their line of questioning from “Is the cloud secure?” to “Am I using the cloud securely?” Use these recommendations for developing a cloud strategy and predictions for the future of cloud security to find the right answers to this question.
First, obtain consensus from the leadership team. All members need to agree that cloud computing has become indispensable and that it should be governed through planning and policy. This is the most significant step to ensure appropriate levels of cloud security.
Organizations that make explicit executive decisions on their cloud strategy provide far more guidance to the business and to IT. Increased guidance allows for:
The enterprise strategy should outline the organizational expectations for the form, significance and control of public cloud. This gives CIOs a clear mandate to influence the use of public clouds on behalf of business units. The strategy should also include guidance on what data can be placed into which cloud under what circumstances.
There is no such thing as perfect security protection. Accepting some risk is necessary for leveraging public cloud services, but ignoring these risks can be dangerous. When formulating a cloud computing strategy, organizations must make calculated decisions about what they will and will not do to mitigate cloud risks based on budget and risk appetite. This should be part of the overall cloud strategy.
A risk treatment model can provide a transparent view into cloud risk levels, helping IT leaders make appropriate decisions around the use of cloud. The risk model for public cloud should be based on five domains:
Using these domains as a framework, carefully weigh the risks versus the benefits before presenting any cloud decision. This will help CIOs set expectations with the rest of the leadership team around the security of the cloud. Accepting cloud risks is a legitimate business decision, but only if it is done consciously, with explicit acceptance of the responsibility.
Cloud strategies usually lag behind cloud use. This leaves most organizations with a large amount of unsanctioned, and even unrecognized, public cloud use, creating unnecessary risk exposure. CIOs must develop a comprehensive enterprise strategy before cloud is implemented or risk the aftermath of an uncontrolled public cloud.
Questions around the security of public cloud services are valid, but overestimating cloud risks can result in missed opportunities. Yet, while enterprises tended to overestimate cloud risk in the past, there has been a recent shift — many organizations are now underestimating cloud risks. This can prove just as detrimental as an overestimation of risk, if not more so. A well-designed risk management strategy, aligned with the overarching cloud strategy, can help organizations determine where public cloud use makes sense and what actions can be taken to reduce risk exposure.
CIOs can combat this by implementing and enforcing policies on cloud ownership, responsibility and risk acceptance. They should also be sure to follow a life cycle approach to cloud governance and put in place central management and monitoring plans to cover the inherent complexity of multicloud use.
Recommended resources for Gartner clients*:
A Public Cloud Risk Model: Accepting Cloud Risk Is OK, Ignoring Cloud Risk Is Tragic by Paul Proctor, Daryl Plummer and Jay Heiser.
*Note that some documents may not be available to all Gartner clients.