Security is the top Concern for Public Cloud, but What Does That Really Mean?

by Neil MacDonald  |  December 16, 2010  |  2 Comments

Survey after survey shows that the top issue that organizations have when considering the adoption of public cloud-based computing services is “security and privacy”.

Gartner’s own surveys show this:

[Chart: Gartner survey of top concerns about adopting public cloud services, December 2009; image not reproduced here]

The survey data above is from December 2009; we'll be publishing the December 2010 survey data for clients over the next several weeks.

You have all seen similar charts from other survey data sources showing the same thing: security is the top-of-mind concern.

I believe that cloud-based computing has the potential to be more secure than what most organizations can deliver themselves, so I wanted to dig deeper. Security is such a broad term (encompassing infrastructure security, identity and access management, content security, application security, vulnerability management, etc.), so what exactly is it about the security of the cloud that is the concern?

I asked this drill-down question in an audience survey last week at Gartner’s 2010 Data Center conference. If security is the number one concern, what is it specifically that is concerning them? The number one security issue identified was: “Lack of confidence in the cloud provider’s security capabilities”.

So how do we address this? We’ll start with diligence in our RFI and RFP processes as we consider and evaluate cloud-based services. We’ve published quite a bit of research to help our clients with these evaluations. Guidance is also available from the Cloud Security Alliance and other initiatives such as FedRAMP.

Of course, the providers can say anything they want in the RFP, so we need confirmation of these capabilities from an independent assessment. Many providers cite a SAS 70 Type II audit report as if it were a security certification. However, my colleague Jay Heiser has published research for clients showing that SAS 70 is not proof of security, continuity or privacy compliance: the provider chooses which controls the auditor examines, and the report attests only that those controls operated as described over the audit period, not that they are adequate. Other providers take assurance further with ISO 27001 certification, which is assessed against a defined security-management standard. Microsoft and Google both claim FISMA certification and accreditation for their cloud offerings.

This isn't a new concern, nor one unique to cloud. We overcame similar reservations about the security capabilities of outsourcers years ago (consider payroll outsourcing). Overall, I believe the concern is valid but addressable to a manageable level of risk, just as we have done with outsourcing, as we mature our RFI/RFP process discipline and as standards emerge for the certification of cloud providers.


Category: Cloud, Cloud Security, Information Security, Vendor Contracts, Virtualization Security

2 responses

  • 1 Adam Hils   December 16, 2010 at 3:37 pm

    Neil,

    Nice post.

    Security concerns about any outsourcing arise from the very human need for control. Unfortunately, current certs don’t provide even baseline assurance for adequate cloud security. They are useful to customers only insofar as they demonstrate some level of security seriousness on the cloud provider’s part.

    For the same reason that parents audition potential nannies (sometimes with cameras to provide evidence of reliability/best practices), customers should demand to see security processes in the cloud, and to have their security experts try to exploit potential vulnerabilities.

    Cloud providers have the opportunity to prove their security credentials by demonstrating security controls and best practices to interested prospects. This approach is not scalable in the long run, but it is necessary today.

  • 2 Neil MacDonald   December 17, 2010 at 9:22 am

    Adam,

    Interesting observation on watching nannies with cameras. I’ve seen quite a bit of interest on the need for monitoring access to data and applications that are cloud-based (the cloud-equivalent of the nanny-cam).

    It’s more difficult to do real-time monitoring, but events can be aggregated, cached and downloaded periodically.

    Some cloud providers offer this; with others, at the IaaS level, you would need to bundle your own monitoring with the workload.

    Neil
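The periodic, aggregated monitoring described in the reply above (pull access events from the provider, cache them, and review them), as an added example that is not part of the post and not any provider's tooling. It assumes a hypothetical export format with the field names used below; the sample events and the allowed-principal and network policy are constructed for the illustration. It also shows the edge case a real collector has to handle: a checkpoint-based pull must include events that share the checkpoint's timestamp and deduplicate by event id, or late-arriving events are silently lost.

```python
"""Periodic pull of cloud access-audit events with a checkpoint and dedup.

Added example, not code from the post or from any provider. It assumes a
hypothetical provider export that yields one record per access event with
the fields used below; the sample records are constructed.
"""
from datetime import datetime, timezone
import ipaddress

# Constructed sample of an exported access log (hypothetical field names).
SAMPLE_EVENTS = [
    {"id": "e1", "time": "2010-12-16T14:02:11Z", "principal": "alice@example.com",
     "action": "GetObject", "resource": "payroll/2010-11.csv", "source_ip": "203.0.113.10"},
    {"id": "e2", "time": "2010-12-16T14:05:00Z", "principal": "payroll-svc",
     "action": "PutObject", "resource": "payroll/2010-12.csv", "source_ip": "203.0.113.20"},
    {"id": "e3", "time": "2010-12-16T14:05:00Z", "principal": "mallory@example.com",
     "action": "GetObject", "resource": "payroll/2010-11.csv", "source_ip": "198.51.100.7"},
    {"id": "e4", "time": "2010-12-16T14:07:30Z", "principal": "alice@example.com",
     "action": "GetObject", "resource": "payroll/2010-12.csv", "source_ip": "198.51.100.9"},
]

# Assumed policy for the illustration: who may touch the data, and from where.
ALLOWED_PRINCIPALS = {"alice@example.com", "payroll-svc"}
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_time(stamp):
    """Parse the provider's UTC timestamp into an aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def fetch_since(source, checkpoint):
    """Stand-in for the periodic download: events at or after the checkpoint.

    '>=' rather than '>' so that events sharing the checkpoint's timestamp
    are not lost between polls; duplicates are removed by id in the collector.
    """
    return sorted((e for e in source if parse_time(e["time"]) >= checkpoint),
                  key=lambda e: (parse_time(e["time"]), e["id"]))


class AuditCollector:
    """Aggregates events across polls, remembering where the last poll stopped."""

    def __init__(self):
        self.checkpoint = datetime(1970, 1, 1, tzinfo=timezone.utc)
        self.seen_ids = set()
        self.events = []

    def poll(self, source):
        """Pull new events from `source`; return how many were new."""
        new = 0
        for event in fetch_since(source, self.checkpoint):
            if event["id"] in self.seen_ids:
                continue  # already downloaded in an earlier poll
            self.seen_ids.add(event["id"])
            self.events.append(event)
            self.checkpoint = max(self.checkpoint, parse_time(event["time"]))
            new += 1
        return new


def findings(events):
    """Flag accesses by unexpected principals or from outside corporate ranges."""
    out = []
    for e in events:
        if e["principal"] not in ALLOWED_PRINCIPALS:
            out.append((e["id"], "unexpected principal"))
        ip = ipaddress.ip_address(e["source_ip"])
        if not any(ip in net for net in CORPORATE_NETS):
            out.append((e["id"], "access from outside corporate network"))
    return out


def run_demo():
    """Two polls over the sample, then a late-arriving event on the checkpoint."""
    collector = AuditCollector()
    first = collector.poll(SAMPLE_EVENTS)             # 4 new
    second = collector.poll(SAMPLE_EVENTS)            # 0 new: all deduplicated
    late = dict(SAMPLE_EVENTS[3], id="e5", principal="bob@example.com",
                source_ip="203.0.113.30")             # same timestamp as e4
    third = collector.poll(SAMPLE_EVENTS + [late])    # 1 new: not lost by '>='
    return first, second, third, findings(collector.events)


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The review logic is deliberately simple (a principal allow-list and a source-network check); in practice the same cached event store would feed whatever correlation or SIEM tooling the organization already runs, which is what makes the "download periodically" approach workable when the provider offers no real-time feed.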