I’ve focused a significant amount of effort in 2011 in assisting our clients through assessments of various cloud providers, namely at the IaaS level. The topic has been so popular, in fact, that I presented an “Evaluating Cloud Providers” session at our Gartner Catalyst 2011 conference as well as a free Gartner webinar (which is available on replay).
We have several pieces of research in the works that we are excited will further assist customers in evaluating cloud providers in early 2012.
However, I would be remiss if I did not call attention to the fact that a very encouraging announcement was recently made by the Cloud Security Alliance. I’ve personally been an advocate for the CSA and the effort they’ve put into improving security standards within cloud computing. The recent announcement is in regard to a public cloud provider registry named STAR. The intent of STAR is to provide a publicly accessible registry where cloud providers publish the security controls that they offer in their service.
Most cloud providers in my recent experience have become quite good and open in sharing their security controls with prospective clients, but it is very time-consuming for clients to hop from provider to provider, ask to see these controls, and document the controls for comparison. Furthermore, many of the providers still require a signed NDA with the client to share the controls.
My hope with STAR is that most providers opt in, as this is exactly the type of registry and knowledge sharing location that customers want. However, there is one potential risk. The CSA is a member-driven organization, and many of the public cloud providers are key members. There is a risk that the members will tune the security criteria over time to best match their capabilities. Yet I have faith that the consensus opinion of many providers (i.e. competitors) will triumph over collusion and we as Gartner will keep a close eye on this. It is a positive sign that the CSA does not require a cloud provider to be a CSA member in order to be listed in STAR. As a result, there really is no excuse for a cloud provider to not opt in. If you are a significant customer at a major cloud provider and you also believe in this, encourage your provider to participate.
This entire entry is my own personal opinion, not an official position from Gartner.