
Cloud IS Different: So Monitoring Must Be Different?

By Anton Chuvakin | February 16, 2012 | 1 Comment


I’m tired of hearing quotes like “cloud is completely different from traditional IT” as well as those that say “cloud is just like outsourcing, mainframes, etc.” Those who like the former quote will sometimes add that organizations should scrap all the tools they use for traditional IT and buy new tools for the cloud. Those who like the latter quote would say that organizations just need to continue doing what they’re doing, with the same tools.

At this point, it should be clear to most of my enlightened readers that the truth is somewhere in between. Some tools and approaches will continue to work; some will not; and others will work depending upon the circumstances – such as what is being migrated to the cloud, how it is being migrated, etc.

Let’s review some of the things that are known to be different in various public cloud models:

  • Transient assets that appear and disappear, go up and down, etc. (for IaaS)
  • An IP address means less for tracking those transient assets
  • There are layers of the computing stack that are NOT under enterprise control
  • Remote environments, sometimes accessed via links of limited bandwidth
  • For SaaS and PaaS, lack of ANY traditional “IT infrastructure” such as an OS
  • “Alien” operations model (sometimes) dissimilar from traditional data center management models
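The second bullet is worth seeing in code. As an added example (not from the original post), the Python below compares a data-center-style rule that keys failed-login counts on the reporting host’s IP with one that first resolves the IP, at the event’s timestamp, to the instance that held it; the instance inventory, event records and alert threshold are all constructed for the illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Added example, not code from the original post: why keying correlation on IP
# misfires for transient IaaS assets. Every record below is constructed.

@dataclass
class Lease:
    """One instance's lifetime on an IP (a hypothetical asset-inventory record)."""
    instance_id: str
    ip: str
    start: datetime
    end: Optional[datetime]  # None means the instance is still running

T0 = datetime(2012, 2, 16, 8, 0)
LEASES = [
    Lease("i-web-01", "10.0.1.5", T0, T0 + timedelta(minutes=30)),
    # The same private IP is handed to a new instance a minute after the first is torn down.
    Lease("i-batch-07", "10.0.1.5", T0 + timedelta(minutes=31), None),
]

# Constructed host-agent events: (timestamp, reporting host IP, event type).
EVENTS = [
    (T0 + timedelta(minutes=m), "10.0.1.5", "ssh_login_failed") for m in (2, 9, 17, 40, 48, 55)
] + [(T0 + timedelta(minutes=20), "10.0.1.5", "ssh_login_ok")]

THRESHOLD = 5  # failed logins per host within the window that trigger an alert

def instance_for(ip: str, ts: datetime, leases=LEASES) -> str:
    """Resolve an IP at a point in time to the instance that held it, or 'unknown'."""
    for lease in leases:
        if lease.ip == ip and lease.start <= ts and (lease.end is None or ts <= lease.end):
            return lease.instance_id
    return "unknown"

def failures_by_ip(events=EVENTS) -> Counter:
    """Traditional data-center rule: key on the host IP as reported."""
    return Counter(ip for _, ip, kind in events if kind == "ssh_login_failed")

def failures_by_instance(events=EVENTS, leases=LEASES) -> Counter:
    """Cloud-aware rule: key on the instance that held the IP when the event fired."""
    return Counter(instance_for(ip, ts, leases) for ts, ip, kind in events if kind == "ssh_login_failed")

def alerts(counts: Counter, threshold: int = THRESHOLD) -> list:
    """Keys whose failure count reaches the threshold."""
    return sorted(key for key, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    print("by IP:      ", dict(failures_by_ip()), "-> alerts", alerts(failures_by_ip()))
    print("by instance:", dict(failures_by_instance()), "-> alerts", alerts(failures_by_instance()))
```

Keyed on IP, two unrelated instances’ three failures each merge into one six-failure “host” and fire a false brute-force alert; keyed on instance identity, neither crosses the threshold.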

What does it mean for security monitoring? It means that the approach you take will depend not only on technical considerations (provider platform choice, application logs, security agents, etc.) but also on how the organization is moving IT capabilities to the cloud.

  • For a “forklift scenario”, new applications or even “cloud-only” organizations, these differences will play A BIGGER ROLE in the choice of monitoring approaches, architectures and technologies.
  • For a “trickle scenario”, legacy applications and “barely cloudy” organizations, these differences will play A SMALLER ROLE in the same choice.

Thus, you might not need any new tools for security monitoring of your cloud environment: your current SIEM, DAM/DAP, DLP, even NIPS (for a virtual private cloud whose sole route is through your network) will work more or less fine.

Or, on the other hand, you might discover that most of your security tools have to be replaced, or at least augmented, by tools that are optimized and tested in public cloud environments. New approaches (some mentioned here) such as cloud gateways, detailed application logs or hypervisor telemetry (provided by the CSP) will have to be used.

Thus, we have an ultimate triumph of “it depends” here!

Previous cloud security monitoring related posts are:

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.


1 Comment

  • Every disruptive technology brings with it some changes. With cloud too, some methodologies and processes will change completely and some will remain as is. As you have rightly pointed out, the truth is somewhere in between. Enterprises can adopt cloud in various hues – building internal clouds or consuming public cloud services or moving towards a hybrid model. The challenges involved vary depending on the size of business, and the key lies in asking the right questions before formulating your cloud strategy.

    In fact, we are witnessing a “cloud burst” in the Indian IT services industry. Read about it at http://www.wipro.com/blog/Coudburst-in-the-IT-services-industry