Gartner Blog Network


Cloud Security Monitoring: IaaS Conundrum

by Anton Chuvakin  |  February 7, 2012  |  42 Comments

As you learned from my previous posts related to security monitoring of public cloud assets, there are challenges related to monitoring data availability as well as data interpretation.

IaaS environments – such as the well-known ecommerce-retailer-turned-cloud-provider as well as other cloud service providers (CSPs) – offer an interesting challenge that I call the “IaaS conundrum.” As a reminder, when procuring IaaS resources, the organization essentially buys the ability to deploy its own virtual machines on a public provider's network. That means that the cloud customer controls everything from the OS up (and usually has no way of affecting the lower layers), while the cloud provider controls everything from the OS down (and usually does not touch the upper layers).

Herein lies the conundrum: as the cloud customer wishing to monitor the security of your IT assets, do you really NEED access to below-OS layers of the cloud stack?

Two possible answers are:

YES: in physical environments, the enterprise controls the data center, the hardware management and physical access control. The only people who can affect the server at the “below the OS” layers are essentially trusted system administrators. Public cloud deployments create an opaque layer that is not controlled (by definition) and thus MUST be monitored by the cloud customers. In addition, a new cast of characters with “superpowers” – CSP administrators – can affect your environment at the lower layers. These “superheroes” do not serve you – they serve their CSP masters.

NO: just as most security monitoring of physical assets starts at the OS (think syslog, anti-malware, access control, application security monitoring), it is OK to accept that monitoring will start at the OS layer. Most monitoring tools – as well as security tools in general – have not yet grown to understand virtual and cloud environments, so notions like “hypervisor security” or “cloud stack introspection” are essentially alien science to them. On top of this, it is challenging, if not impossible, for a provider to de-multiplex security monitoring data from shared environments: the same hypervisor, network and storage logs describe many tenants at once.

What do you think?

If you move anything important to the public cloud, would you require that your provider enable such access for ongoing monitoring?

Alternatively, would you prefer that the provider accept the responsibility for security monitoring of your assets?

Maybe you have another party – think MSSP – that can take over such security monitoring responsibilities?

Previous cloud security monitoring related posts are:

Category: cloud  monitoring  security  

Tags: cloud-security  security  security-monitoring  

Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…


Thoughts on Cloud Security Monitoring: IaaS Conundrum


  1. Mike Lemire says:

    Ideally a cloud service provider which builds a PaaS or SaaS on top of another provider’s IaaS would have insight into the layers of the technology stack (network, physical, environmental, etc.) in order to understand the full picture of the security of the environment. However, in the current real world of cloud computing this is not feasible; those logs and that infrastructure below the OS layer are shared with many other PaaS and IaaS vendors; providing transparency to them has the potential to provide too much information about the IaaS provider’s other customers, thereby decreasing security.

    NIST has addressed this to a degree with the FedRAMP initiative, presenting a model which could be leveraged with non-Federal cloud vendors. That is, where there are shared responsibilities, or a handoff of responsibilities (aka touch points), there need to be clearly defined and documented security incident response and escalation procedures. In other words, the IaaS provider needs to know when to contact an IaaS or PaaS provider, or vice versa, when an attack or anomaly is detected.

    Surely the security relationship between IaaS and PaaS/SaaS providers needs to improve and I have faith it will over time.

  2. “Ideally a cloud service provider which builds a PaaS or SaaS on top of another provider’s IaaS would have insight into the layers of the technology stack (network, physical, environmental, etc) in order to understand the full picture of the security of the environment.”

    Thanks for the comment – indeed a CSP that seeks to provide “secure” PaaS (for some definition of the word) services over an insecure IaaS can build a lot and solve some of the problems. Still, the layers underneath might be sand, not concrete.

    And cross-customer information leakage is indeed an argument used by some CSPs to avoid providing the data to customers.

    Still, I also hope that in the future more providers will build secure foundations, with more visibility…


