Blog post

Is Cloud Secure? WTFC!

By Anton Chuvakin | March 13, 2012 | 0 Comments


“Is cloud secure?” Seriously, why are you asking this? Ask: is MY USE of cloud  computing secure? Or, if you want to be a bit fancy, you can add “… secure enough for my purposes?”

Do ask “is my provider doing a good job with security?”, BUT realize that it is NOT the most important question. What your provider does is important, but what you – your organization – do it even more so! Applying this to my main theme this quarter – cloud security monitoring – will make you realize that asking your provider “do you monitor for security issues?” is most definitely not the same as you actually doing such monitoring. The table below explains why:

Table 1. Enterprise Lens vs Cloud Provider Lens

Enterprise lens Provider lens
Keep their cloud resources secure

Comply with regulations relevant to the customer

Keep cloud infrastructure secure

Keep customer resources secure (to the degree sufficient to keep a customer)

Offer security services to customers (as an additional revenue stream)

Comply with regulations relevant to the provider

See what I mean here? Your cloud provider – even if SUPER-diligent with security monitoring, logging, log analysis, netflow, etc – may not even have a chance to perform security monitoring YOU need. Think of application monitoring on IaaS or detailed usage pattern analysis for SaaS – these are not something the provider typically WILL or even CAN do.  “What they monitor for” and “what you monitor for” might overlap slightly, or not so slightly, but they are unlikely to be the same!

Moreover, for some threat factors the situation turns dire: think of a malicious CSP system administrator (or a malware-infected one: if you just trust all CSP personnel … after all “they run The Cloud” Smile). The cloud customer cannot monitor his/her actions directly (not with our level of cloud platform development today), while cloud provider monitoring “lens” might not focus on some of his actions that a cloud customer would really care about …

You can get the best control attestation framework, you can even do continuous control assessment, but unless somebody monitors for such activities and their consequences, the security gap is still there.

What to do?

A telling analogy here is that of a bank finding a new location for a branch. If the bank rents a building from the landlord, the building must include the vault. But the vault – a secure CSP – is not all that is needed, the bank also needs an alarm system. Is one available for rent from the landlord? Can the bank install their own? Can they contract with somebody for alarm services? Upon getting a triple “No” answer to these questions, the bank has no choice but to look elsewhere.

Sorry to not give you the silver bullet here – the answer is still the same: build/buy/partner + use it.

(By the way, WTFC stands for “What the Top Factors Concerning it are?”)

Previous cloud security posts are:

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed