Gartner Blog Network

Are we Wildebeests or Are we Lemmings?

by Dan Blum  |  March 29, 2012  |  Submit a Comment

Last week I was closeted in our Cloud Adoption Contextual Research findings consolidation meeting. We were researching cloud adoption by the early adopters. We found a great variety of patterns, in some cases anti-patterns; nterprises are all over the map on risk management, for example. Perhaps this is only what one should expect from the cloud computing phenomena we’ve dubbed “the transformation of IT.”

The security non-findings were interesting. None of the large enterprises from our survey reports breaches. They’ve seen no major disasters. Implementation issues a-plenty, and some outages yes, but no “advanced persistent threat” activity. From the security perspective the migration seems to be proceeding smoothly. Concerns are holding some organizations back, but it’s just concerns. These concerns, implementation issues and architecture changes are extremely interesting in themselves – and you may expect to hear more from me on that – but they aren’t the subject of this particular blog post.

Part of me was looking for breaches, and that dog didn’t bark, at least among the 15 large enterprises we interviewed. I also looked at other information sources to see how enterprises are faring in cloud security. For example, a survey of attacks by Alert Logic reports that enterprises who use both premise-based applications and cloud-based ones are finding fewer attacks in the cloud. Does that mean the cloud is more secure than the enterprise, or just that the other shoe has yet to drop? As I’ve written before, I think some cloud service providers (CSPs) operate with stronger security controls than many enterprises, but they face a potentially more serious threat landscape long term due to the risk that’s aggregated in their volume of services. Thus, CSPs must be more secure than enterprises.

Clearly, the realization of higher cloud risk from the aggregation has yet to materialize for most large end user enterprise customers. (Notice the careful wording to exclude the likes of Sony Playstation Network, which is a service.) But one has to assume that as large amounts of sensitive and valuable IT reach the cloud they will be breached much as they are (continually) on premises. Perhaps breaches of enterprise security objectives will be less frequent in the cloud but when they happen they may be larger and more spectacular.

So far the breaches we’ve seen from Amazon, Azure, and others are mostly outages impacting our availability objectives. Bad enough in themselves, but not yet trampling enterprise confidentiality and integrity like Operation Aurora, Shady Rat, Night Dragon, and Zeus did. I mean to say that while we’ve seen forceful browsing or phishing vulnerabilities from Amazon, Google, Microsoft, and Salesforce these are still small potatoes that haven’t caused big losses. But it is inevitable that larger breaches of confidentiality and integrity will.

On the plains of the Serengeti wildebeests conduct their annual migration. Some are pulled down by predators, many survive. An interesting risk management question lies there: what is an acceptable loss rate?


Tags: cloud-security  risk-management  

Dan Blum
Research VP
19 years at Gartner
33 years IT industry

Dan Blum, a VP and distinguished analyst, covers security architecture, cloud-computing security, endpoint security, cybercrime/threat landscape, and other security technologies. Mr. Blum has written hundreds of research… Read Full Bio

Leave a Reply

Your email address will not be published. Required fields are marked *

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.