Gartner Blog Network


Securing the Cloud

by Neil MacDonald  |  March 9, 2011  |  3 Comments

The cloud isn’t one thing, so securing the Cloud won’t be one thing either.

The industry has settled on a layered framework for understanding, comparing and selecting cloud-based services. Gartner’s model has these high-level layers (with subcategories in each layer):

  • Infrastructure as a Service (compute, storage, etc.)
  • Platform as a Service (middleware-like services such as database, queuing, identity services, etc.)
  • Software as a Service (finished applications such as salesforce.com)
  • Information/Data as a Service
  • Business Process as a Service
  • Security and Management as a Service

According to Gartner research, the fastest growing segment of all of these layers is IaaS.

In this research note just published for clients, my colleague, Lydia Leong, and I talk about the security considerations for IaaS services. We provide a framework for looking at the provider’s security capabilities as well as thoughts on strengthening the self-defending capabilities of your workloads.

From the research note:

Ultimately, you are responsible for the security of the workloads and data placed into IaaS. More than with any other layer of cloud-based computing services, organizations have flexibility of security controls with IaaS offerings, as the security and compliance of data and workloads is a combination of the service provider’s capabilities and the security controls placed within the workloads themselves, such as a local firewall and host-based IPS.

If you want the workload you place up in the IaaS provider’s infrastructure (e.g. Amazon’s EC2) to be protected, you’ll need to think about what local host-based security software you might include within the workload. Alternatively, you might use a virtual appliance-based version of a security control that is coupled with the workload and placed into the IaaS provider’s infrastructure. For raw storage, it’s the same thing. If you want the storage encrypted, you’ll need to think about doing that before the information is stored, or by using an agent in the workload you place in the Cloud.
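The last point above, encrypting before the information is stored, as an added example that is not part of the original post or the research note: a workload seals each object with AES-256-GCM inside itself and hands the provider only ciphertext, so the provider's raw storage never sees plaintext and any modification of a stored object is detected on read. The `ObjectStore` map standing in for the provider's storage, the object names, the sample payload and the key handling are all constructed assumptions for illustration; the key must live in the workload (or a key service the workload controls), never beside the data it protects.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ObjectStore stands in for the IaaS provider's raw storage (a constructed
// stand-in for this example, not a real SDK). It only ever receives the bytes
// the workload hands it, so everything it holds is ciphertext.
type ObjectStore map[string][]byte

// newAEAD builds an AES-256-GCM AEAD from a 32-byte key that lives inside the
// workload (or is fetched from a key service the workload controls), never in
// the store.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForStorage seals plaintext before it leaves the workload. The object
// name is bound in as associated data, so a blob copied or renamed to another
// object name fails to decrypt instead of being silently accepted.
func EncryptForStorage(key []byte, objectName string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Stored layout: nonce || ciphertext || 16-byte GCM tag.
	return aead.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// DecryptFromStorage reverses EncryptForStorage. Any modification of the blob
// (at the provider, in transit, or by anyone else with access to the storage)
// fails the GCM tag check and returns an error rather than corrupted plaintext.
func DecryptFromStorage(key []byte, objectName string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("stored object too short to contain a nonce")
	}
	nonce, ciphertext := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ciphertext, []byte(objectName))
}

// Put is the only path by which data reaches the store: encrypt, then store.
func (s ObjectStore) Put(key []byte, name string, plaintext []byte) error {
	blob, err := EncryptForStorage(key, name, plaintext)
	if err != nil {
		return err
	}
	s[name] = blob
	return nil
}

// Get fetches the ciphertext and decrypts it inside the workload.
func (s ObjectStore) Get(key []byte, name string) ([]byte, error) {
	blob, ok := s[name]
	if !ok {
		return nil, fmt.Errorf("object %q not found", name)
	}
	return DecryptFromStorage(key, name, blob)
}

func main() {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	store := ObjectStore{}
	// Constructed sample payload standing in for a workload's data.
	if err := store.Put(key, "backups/2011-03-09.sql", []byte("INSERT INTO customers ...")); err != nil {
		panic(err)
	}
	fmt.Printf("provider holds %d bytes of ciphertext\n", len(store["backups/2011-03-09.sql"]))
	plain, err := store.Get(key, "backups/2011-03-09.sql")
	if err != nil {
		panic(err)
	}
	fmt.Printf("workload recovered: %s\n", plain)
}
```

The same pattern applies whether the "agent in the workload" is your own code, as here, or a third-party encryption agent: what matters is that the encrypt step runs before the provider's storage API is called, and that the key is held somewhere the provider cannot read.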

Category: cloud  cloud-security  virtualization  virtualization-security  

Tags: cloud-security  defense-in-depth  next-generation-data-center  virtual-appliances  virtualization-security  

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…


Thoughts on Securing the Cloud


  1. Lani Refiti says:

    “The industry has settled on a layered framework for understanding, comparing and selecting cloud-based services”

    Good point above. The old adage of “layered defence” or “defence in depth” still holds true in the sense that not one piece of technology can secure the Cloud. The challenges I see are going to be:

    1. Inability to accurately quantify/qualify Risk. There are some unknowns when it comes to identifying things like threats/vulnerabilities, particularly if Cloud providers are not forthcoming with disclosure type info.
    2. Management of the different “layers” of defence. If consumers of Cloud services take a layered vendor approach, then how to unify/correlate the technologies so it’s effective?

  2. Neil MacDonald says:

    @Lani,

    Agree – “defense in depth” remains a foundational principle of information security in the Cloud as well. Note that implementing defense-in-depth doesn’t have to mean spend-to-death as I talk about here:
    http://blogs.gartner.com/neil_macdonald/2009/03/04/defense-in-depth-doesnt-mean-spend-in-depth/

    But it is important to note that our security strategy for each layer will be different because our ability to place security controls at each layer is different.

    On risk – honestly, it is just as hard to quantify risk in our own data centers? What’s the probability of a breach? Tough to answer. I do agree that liability is quite unclear in the cloud. Who is responsible if the provider doesn’t do what they say they do?

    On management – agreed. What I hope to see are security and management tools that span physical, virtual and cloud-based controls:
    http://blogs.gartner.com/neil_macdonald/2010/03/12/intelligent-hybrid-security-is-the-future/

    Neil

  3. Lani Refiti says:

    In terms of Risk, yes I agree it’s just as hard to quantify Risk in a simple datacenter. But IMO it’s the underpinning of business decision making, otherwise as you put it organisations tend to “spend-to-death” in terms of technology to secure their assets.

    IMO risk assessment has never been 100% accurate, it never can be, particularly when you look at the threat landscape. However, 90% or even 80% is better than nothing. I always look to insurance companies, they are fantastic @ risk assessments, have been doing it for centuries. They could not operate without the concept.

    A bit off topic but what have you seen from an API security perspective, i.e., APIs provided by Cloud providers being insecure?


