Neil MacDonald

A member of the Gartner Blog Network

Cloud Computing can be More Secure

by Neil MacDonald  |  March 31, 2012

In multiple Gartner surveys, security is cited as the number one inhibitor to the adoption of Cloud-based computing. Many IT professionals have a preconceived notion that cloud computing will be less secure than what they can deliver themselves on premises. This is a mistake.

An absolute statement that cloud computing will be less secure is as wrong as an absolute statement that cloud computing will be more secure.

Both can and will be true.

How could cloud computing be more secure? There’s a variety of reasons – 15 to 20 that I have researched. I presented on this very topic and explored many of these reasons in detail at Gartner’s US Fall Symposium 2010 conference in a session titled “Why Cloud Computing Could Be More Secure Than What You Have Today”. 

If the cloud service provider does their job right (and that’s a big “if”, one that currently places a large amount of due diligence on us to verify), they will deliver an operating environment at least as secure as what most enterprises can deliver.

Recently I saw a report (The State of Cloud Security) from Alert Logic with data from a survey they initiated to back up the notion that cloud computing can be more secure. Disclaimer – Alert Logic provides solutions for cloud service providers as well as some enterprise customers so (as I do with any vendor-sponsored study) you have to take the results with a grain of salt. I’ll keep my eyes open for independent surveys that either support or disprove the assertion that cloud computing can be more secure. Take a look at the chart below:

[Image: chart from Alert Logic’s The State of Cloud Security report]

The interesting thing about the data is that Alert Logic has both traditional enterprises and cloud service providers as its customers, so the survey was able to compare across these. At least for Alert Logic’s customers in this survey, the percentage of customers experiencing security incidents was lower across the board in all categories for service providers than it was for their on-premises enterprise customers.

Don’t make the mistake of automatically believing the conventional wisdom that cloud-based computing will be less secure. Well-managed cloud service providers won’t be.

7 responses so far ↓

  • 1 Sharon   March 31, 2012 at 11:45 am

    Cloud computing providers are aware of organization fears of security breaches and take every means required to overcome these issues. Since security fear is what is standing between them and their potential clients, and when the media is celebrating any reported case related to cloud computing security breach, cloud computing providers are on the path of implementing security architectures that would protect the assets of their customers such as banks.

  • 2 Martin   April 1, 2012 at 6:30 pm

    It’s easy to understand why there would be fewer reported incidents in the cloud. Cloud apps tend to be newer and are not appliances. Most hacks happen to old, legacy apps that are no longer supported and were built without security in mind. They also tend to be against unpatchable (or at least unpatched) vendor-supplied appliances. So, the population in the cloud is easier to secure. In addition, since so many do not trust the cloud, more attention is paid to security in the first place.

  • 3 Jeff   April 2, 2012 at 10:21 am

    Yeah, and availability was also a very important criterion for clouds, until Amazon failed so deeply.
    https://aws.amazon.com/fr/message/65648/

    Next challenge was security, and it seems that clouds are turning into hackers’ playgrounds very soon.
    http://www.snyping.com/misc/cloudworm/cloudworm-ms12-020.txt

    What’s the next cloud’s benefit after these? Apart from being fancy and fashion?

  • 4 Neil MacDonald   April 2, 2012 at 4:55 pm

    @Jeff,

    Yes, Amazon had an outage. So do enterprise systems. Well designed and critical applications should design for resilience. Putting something in the Cloud doesn’t automagically enable this. You have to design for this.
    http://blogs.gartner.com/neil_macdonald/2011/05/09/since-we-still-need-diesel-generators-for-backup-power-are-utilities-useless/

    Will bad guys attack the cloud? Sure, just like they attack virtualization, mobile devices, wireless, etc etc – any new technology platform will be attacked.

    Will bad guys use the cloud to attack us in new ways? Sure, just like some early attacks on hypervisors showed. And likewise, we’ll use the Cloud to defend us in new ways – e.g. DDOS, community-based antimalware detection, distributed web application firewalling, secure web gateway services and so on.

    Not sure the cloud is any different than any new technology platform that IT has adopted over the past 20 years in that respect.

    Neil

  • 5 Neil MacDonald   April 2, 2012 at 4:59 pm

    @Sharon,

    You make a good point that because security is the number one concern of their potential customers, they are more risk aware than most enterprises – comparable to financial services institutions. Ideally, this awareness of risk translates into a maturity in how they go about designing security controls and processes – which, for now, we assess via a well structured RFP.

    Neil

  • 6 Neil MacDonald   April 2, 2012 at 5:04 pm

    @Martin,

    Agree and disagree. New apps will have vulnerabilities too and older apps have the benefit of being time tested (and patches hopefully released).

    It would make sense that a cloud service provider would test their applications statically and dynamically for vulnerabilities – so require proof of this type of testing in the RFI/RFP process.

    I do agree that cloud SaaS are designed to support constant change and that this includes the rollout of patches ensuring a more consistent and up-to-date platform for customers than on-premises software that the enterprise may or may not keep up to date and patched.

    Neil

  • 7 QA Thought Leaders   April 10, 2012 at 10:14 pm

    Thank you for sharing this post. I was keen to know more on Cloud testing and cloud computing aspects, this post has provided me with immense information on security aspects. Very well articulated and very informative.