Neil MacDonald

A member of the Gartner Blog Network

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…Read Full Bio

Coverage Areas:

Securing the Cloud

by Neil MacDonald  |  March 9, 2011  |  3 Comments

The cloud isn’t one thing, so securing the Cloud won’t be one thing either.

The industry has settled on a layered framework for understanding, comparing and selecting cloud-based services. Gartner’s model has these high-level layers (with subcategories in each layer):

  • Infrastructure as a Service (compute, storage, etc)
  • Platform as a Service (middleware-like services such as database, queuing, identity services, etc,)
  • Software as a Service (finished applications such as
  • Information/Data as a Service
  • Business Process as a Service
  • Security and Management as a Service

According to Gartner research, the fastest growing segment of all of these layers is IaaS.

In this research note just published for clients, my colleague, Lydia Leong, and I talk about the security considerations for IaaS services. We provide a framework for looking at the provider’s security capabilities as well as thoughts on strengthening the self-defending capabilities of your workloads.

From the research note:

Ultimately, you are responsible for the security of the workloads and data placed into IaaS. More than with any other layer of cloud-based computing services, organizations have flexibility of security controls with IaaS offerings, as the security and compliance of data and workloads is a combination of the service provider’s capabilities and the security controls placed within the workloads themselves, such as a local firewall and host-based IPS.

If you want the workload you place up in the IaaS provider’s infrastructure (e.g. Amazon’s EC2) to be protected, you’ll need to think about what local host-based security software you might include within the workload. Alternatively, you might use a virtual appliance-based version of a security control that is coupled with the workload and placed into the IaaS provider’s infrastructure. For raw storage, it’s the same thing. If you want the storage encrypted, you’ll need to think about doing that before the information is stored, or by using an agent in the workload you place in the Cloud.


Category: Cloud Cloud Security Virtualization Virtualization Security     Tags: , , , ,

3 responses so far ↓

  • 1 Lani Refiti   March 9, 2011 at 6:38 pm

    “The industry has settled on a layered framework for understanding, comparing and selecting cloud-based services”

    Good point above. The old adage of “layered defence” or “defence in depth” still holds true in the sense that not one piece of technology can secure the Cloud. The challenges I see are going to be;

    1. Inability to accurately quantify/qualify Risk. There are some unknowns when it comes to identifying things like threats/vulnerabilities, particularly if Cloud providers are not forthcoming with disclosure type info.
    2. Management of the different “layers” of defence. If consumers of Cloud services take a layered vendor approach, then how to unify/correlate the technologies so it’s effective?

  • 2 Neil MacDonald   March 11, 2011 at 5:35 pm


    Agree – “defense in depth” remains a foundational principle of information security in the Cloud as well. Note that implementing defense-in-depth doesn’t have to mean spend-to-death as I talk about here:

    But it is important to note that our security strategy for each layer will be different because our ability to place security controls at each layer is different..

    On risk – honestly, it is just as hard to quantify risk in our own data centers? What’s the probability of a breach? Tough to answer. I do agree that liability is quite unclear in the cloud. Who is responsible if the provider doesn’t do what they say they do?

    On management – agreed. What I hope to see are security and management tools that span physical, virtual and cloud-based controls:


  • 3 Lani Refiti   March 12, 2011 at 1:16 am

    In terms of Risk, yes I agree it’s just as hard to quantify Risk in a simple datacenter. But IMO it’s the underpinning of business decision making, otherwise as you put it organisations tend to “spend-to-death” in terms of technology to secure their assets.

    IMO risk assessment has never been 100% accurate, it never can be particularly when you look the threat landscape. However, 90% or even 80% is better than nothing. I always look to insurance companies, they are fantastic @ risk assessments, have been doing it for centuries. They could not operate with out the concept.

    A bit off topic but what have you seen from an API security perspective ie, API’s provided by Cloud providers being insecure.