Gartner Blog Network


Is Cloud Secure? WTFC!

by Anton Chuvakin  |  March 13, 2012

“Is cloud secure?” Seriously, why are you asking this? Ask instead: is MY USE of cloud computing secure? Or, if you want to be a bit fancy, you can add “… secure enough for my purposes?”

Do ask “is my provider doing a good job with security?”, BUT realize that it is NOT the most important question. What your provider does is important, but what you – your organization – do is even more so! Applying this to my main theme this quarter – cloud security monitoring – will make you realize that asking your provider “do you monitor for security issues?” is most definitely not the same as you actually doing such monitoring. The table below explains why:

Table 1. Enterprise Lens vs Cloud Provider Lens

Enterprise lens:
  - Keep their cloud resources secure
  - Comply with regulations relevant to the customer

Provider lens:
  - Keep cloud infrastructure secure
  - Keep customer resources secure (to the degree sufficient to keep a customer)
  - Offer security services to customers (as an additional revenue stream)
  - Comply with regulations relevant to the provider

See what I mean here? Your cloud provider – even if SUPER-diligent with security monitoring, logging, log analysis, netflow, etc. – may not even have a chance to perform the security monitoring YOU need. Think of application-layer monitoring on IaaS or detailed usage-pattern analysis for SaaS – these are not something the provider typically WILL or even CAN do, because the provider never sees the application’s users, actions and data, only the infrastructure underneath. “What they monitor for” and “what you monitor for” might overlap slightly, or not so slightly, but they are unlikely to be the same!

Moreover, for some threat actors the situation turns dire: think of a malicious CSP system administrator (or a malware-infected one: if you just trust all CSP personnel … after all, “they run The Cloud”). The cloud customer cannot monitor their actions directly (not with our level of cloud platform development today), while the cloud provider’s monitoring “lens” might not focus on some of the actions that a cloud customer would really care about …

You can get the best control attestation framework, you can even do continuous control assessment, but unless somebody monitors for such activities and their consequences, the security gap is still there.
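To make the two lenses concrete, here is an added example (mine, not from the original post or from any provider’s tooling). It runs a simple customer-side detection over a constructed application audit log of the kind only the customer’s own application writes on IaaS, and flags a user who exports an unusual volume of records in a short window. The log format, the user names, the threshold and the “one record is roughly one kilobyte” conversion in the provider-view function are all assumptions invented for the example; the point is that the same events, seen through an infrastructure-level lens, collapse to bytes per source address with no notion of user or action.

```python
"""Customer-side application monitoring versus the provider's infrastructure view.

Added example; the log format below is invented for illustration:
    <ISO-8601 time> user=<id> action=<verb> records=<n> src=<ip>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log written by the customer's application.
# The IaaS provider sees packets and VM metrics for these same events, not this.
SAMPLE_LOG = """\
2012-03-13T09:00:01Z user=alice action=login records=0 src=10.0.0.5
2012-03-13T09:00:10Z user=alice action=export records=40 src=10.0.0.5
2012-03-13T09:01:15Z user=bob action=login records=0 src=10.0.0.9
2012-03-13T09:01:30Z user=bob action=view records=1 src=10.0.0.9
2012-03-13T09:02:00Z user=alice action=export records=500 src=10.0.0.5
2012-03-13T09:02:30Z user=alice action=export records=600 src=10.0.0.5
2012-03-13T09:03:00Z user=alice action=export records=700 src=10.0.0.5
2012-03-13T10:30:00Z user=bob action=export records=30 src=10.0.0.9
"""


def parse_line(line):
    """Parse one audit line into a dict; 'records' becomes an int, 'ts' a datetime."""
    ts_text, *fields = line.split()
    event = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, value = field.split("=", 1)
        event[key] = int(value) if key == "records" else value
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_bulk_export(events, window=timedelta(minutes=10), threshold=1000):
    """Customer lens: flag a user whose exported records within a sliding
    time window exceed `threshold`. Returns [(user, window_start, total)],
    at most one alert per user. Requires user and action context, which
    only the application layer has."""
    alerts = []
    recent = defaultdict(deque)   # user -> deque of (ts, records) inside the window
    totals = defaultdict(int)     # user -> records currently inside the window
    flagged = set()
    for ev in events:
        if ev.get("action") != "export":
            continue
        user = ev["user"]
        q = recent[user]
        q.append((ev["ts"], ev["records"]))
        totals[user] += ev["records"]
        # Slide the window: drop exports older than `window` before this event.
        while q and ev["ts"] - q[0][0] > window:
            _, old_records = q.popleft()
            totals[user] -= old_records
        if totals[user] > threshold and user not in flagged:
            alerts.append((user, q[0][0], totals[user]))
            flagged.add(user)
    return alerts


def provider_view(events, bytes_per_record=1024):
    """Provider lens: roughly what network telemetry shows, volume per source
    address. The per-record size is an assumption for the example; the real
    point is that user and action have disappeared from the keys."""
    by_src = defaultdict(int)
    for ev in events:
        by_src[ev["src"]] += ev["records"] * bytes_per_record
    return dict(by_src)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, start, total in detect_bulk_export(evs):
        print(f"ALERT: {user} exported {total} records since {start.isoformat()}")
    print("provider sees only:", provider_view(evs))
```

Running it flags alice, who exports 1140 records within a few minutes, while the provider view reduces the same activity to a byte count per IP address. Neither function is a product; they are just the smallest illustration of why your provider’s “yes, we monitor” does not cover the detection you actually need.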

What to do?

A telling analogy here is that of a bank finding a new location for a branch. If the bank rents a building from a landlord, the building must include the vault. But the vault – a secure CSP – is not all that is needed; the bank also needs an alarm system. Is one available for rent from the landlord? Can the bank install its own? Can it contract with somebody for alarm services? Upon getting a triple “No” to these questions, the bank has no choice but to look elsewhere.

Sorry to not give you the silver bullet here – the answer is still the same: build/buy/partner + use it.

(By the way, WTFC stands for “What the Top Factors Concerning it are?”)


Category: cloud  compliance  monitoring  security  

Tags: cloud-security  security  security-monitoring  

Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio





Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.