Focus on Three Areas of Cloud Security

CISOs continue to struggle with their cloud strategies and hundreds of apps used across the enterprise.

Security professionals continue to face a cloud security problem: Most organizations hesitate to use cloud service providers, however, employees often use hundreds of applications, particularly Software as a Service (SaaS).

“Are you the goldilocks of cloud security?” asked Jay Heiser, research vice president at Gartner, at the Gartner Security & Risk Management Summit. Often, no corporate cloud policy or security project feels “just right.” Cloud computing creates a lot of complications for the whole enterprise,” he said. “From a security and risk management point of view ambiguity is especially difficult to deal with.”

Read related article: Assessing Security in the Cloud

One of the main dilemmas with introducing official policies on cloud computing, is that no one can agree what cloud computing actually means. While Chief Information Security Officers (CISOs) view cloud computing as a style of computing, other parts of the enterprise view cloud computing as “things accessed over the internet.”

Gartner IT Symposium/ Xpo®

Objective insights, strategic advice and practical tools to help CIOs and IT executives achieve their most critical priorities

Learn More

Three areas of cloud security

Regardless of how groups define cloud computing, it is essential to have a strategy and policies for how to use the cloud.

Enterprises should focus on the three primary areas of cloud security concern.

  1. Multitenancy
    Multitenancy, where enterprises share space with other customers, provides limited flexibility in services, With data out of the physical control of the enterprise, security becomes a concern. In fact, 38% of companies who don’t plan to use the public cloud cited security and privacy as the main reason.However, companies may be using security/privacy as a scapegoat for fears about relinquishing control over data and a major shift in the status quo of how enterprises are used to operating.There’s been no correlation between security failure and the degree of multitenancy,” said Mr. Heiser. He noted that sometimes hybrid is a way that some organizations can become more confident in how to explore using the public cloud model.
  2. Virtualization
    Virtualization requires different vulnerability management and patching processes for the cloud environment. Organizations will use different tools to manage virtual machines. Plus, its complex, dynamic, and distributed nature means that there is no physical indication for safety such as the traditional “blinking lights.”
  3. SaaS
    SaaS applications offer an increasing level of security and control functionality. However, they are mostly under the control of end users, offer minimal transparency, and offer no customization. To add to the complexity, many enterprises often have at least 200 and up to 1,000 SaaS applications in use.

Pick your SaaS battles

At the end of the day, CISOs need to pick their battles and decide where time and resources are best spent when dealing with the risk context of this SaaS-scape. With this is mind, divide SaaS apps into three tiers.

Tier 1: Realistically, 80% of the market is in 100 cloud services. These are proven options, and though not without some risk, organizations should dwell on whether they are secure, but use them securely, said Mr. Heiser.

Tier 2: These companies, typically large brand names that are experimenting with cloud services, haven’t provided them as their main business for more than five years. Often vertically-oriented strategic apps, they lack third party evaluation. This is where CISOs should focus company resources and evaluation.

Tier 3: With over thousands of tier 3 cloud computing apps, these are practically noise, said Mr. Heiser.  Don’t assume a tiny cloud service provider (CSP) is secure, or financially solvent. This may be an acceptable risk, but use Tier 3 CSPs carefully.

More detailed analysis is available in the Gartner Special Report “Cybersecurity at the Speed of Digital Business”, a collection of research that addresses the new reality where IT organizations have little direct infrastructure and their biggest security concerns will come from services outside their control. Learn more in the complimentary Gartner webinar “Special Report: Cybersecurity is a Foundation for Digital Business.”

Get Smarter

Follow #Gartner

Attend a Gartner event

Explore Gartner Conferences

Gartner IT Roadmap for Cybersecurity: A Resilient Strategy

Gartner IT roadmap for cybersecurity based on unbiased research and...

Learn More


Get actionable advice in 60 minutes from the world's most respected experts. Keep pace with the latest issues that impact business.

Start Watching