I’ve focused a significant amount of effort in 2011 on assisting our clients through assessments of various cloud providers, namely at the IaaS level. The topic has been so popular, in fact, that I presented an “Evaluating Cloud Providers” session at our Gartner Catalyst 2011 conference as well as a free Gartner webinar (which is available on replay).
We have several pieces of research in the works that we expect will further assist customers in evaluating cloud providers in early 2012.
However, I would be remiss if I did not call attention to a very encouraging announcement recently made by the Cloud Security Alliance. I’ve personally been an advocate for the CSA and the effort it has put into improving security standards within cloud computing. The recent announcement concerns a public cloud provider registry named STAR. The intent of STAR is to provide a publicly accessible registry where cloud providers publish the security controls that they offer in their service.
Most cloud providers in my recent experience have become quite good and open in sharing their security controls with prospective clients, but it is very time consuming for clients to hop from provider to provider, ask to see these controls, and document the controls for comparison. Furthermore, many of the providers still require a signed NDA with the client to share the controls.
My hope with STAR is that most providers opt in, as this is exactly the type of registry and knowledge-sharing location that customers want. However, there is one potential risk. The CSA is a member-driven organization, and many of the public cloud providers are key members. There is a risk that the members will tune the security criteria over time to best match their own capabilities. Yet I have faith that the consensus opinion of many providers (i.e. competitors) will triumph over collusion, and we at Gartner will keep a close eye on this. It is a positive sign that the CSA does not require a cloud provider to be a CSA member in order to be listed in STAR. As a result, there really is no excuse for a cloud provider not to opt in. If you are a significant customer at a major cloud provider and you also believe in this, encourage your provider to participate.
This entire entry is my own personal opinion, not an official position from Gartner.

Kyle Hilgendorf
2 responses
1 Pat O'Day December 16, 2011 at 9:00 pm
Good post Kyle. This makes sense. One of the challenges with this approach is that vendors may list the security controls they have as an organization that may (or may not) apply to their actual cloud environment. Perhaps this could be security-washing your cloud offering?
I’m not sure at this point how the CSA will address this. Gartner itself has done a good job applying effective filters to their vendor evaluation criteria so hopefully you’ve already shared your experiences with them.
2 Kyle Hilgendorf December 16, 2011 at 9:47 pm
Pat, Great catch. It will be unfortunate if providers take this approach of describing overall security controls, especially if they don’t relate to the cloud service. I’ll see if I can reach out to the CSA and talk further about this.
The industry might have to collectively call out and challenge any provider that takes this approach.