Gartner Blog Network

Off in the Clouds – Securely

by John Pescatore  |  August 16, 2010  |  4 Comments

I’m taking a few weeks of vacation and have spent most of the past few weeks using the time between calls with Gartner clients to move along our upcoming “Securing and Managing the Cloud Spotlight” set of research notes that will be coming out towards the end of the month.

A lot of those client calls are around dealing with the issues of business unit desire to use the “cloud” or IT wanting to use “cloud.” But when you dig a bit deeper, the current business issues (not the hype) are really about (in order of currency and importance):

  1. Maintaining security when the data center goes virtual, both VMWare and SAN issues.
  2. Being told “We are going to consume ‘X as a Service’ – go make sure it is secure.”
  3. A narrower version of (2): “We are looking at Microsoft BPOS or Google Apps Premier Edition for email/office productivity as a service – is anyone like us doing that? If so, what about security?”
  4. User desire to use consumer-grade services, like free online backup or other advertising support online offerings.
  5. Questions about “true” cloud usage – actual offloading of computing and storage to infrastructure as a service. The vast majority of these are pure tutorial, no near term plans.

The spotlight will address all these issues, with about 7 new research notes and pointing to some other recently published notes on cloud security issues.

In the interim, my family and I will be looking at clouds from bicycles and boats for the next few weeks. Enjoy what is left of summer – with any luck, there will be a few more empty seats on airplanes for business travel as the vacation/holiday season ends…

Additional Resources

View Free, Relevant Gartner Research

Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.

Read Free Gartner Research


John Pescatore
VP Distinguished Analyst
11 years at Gartner
32 years IT industry

John Pescatore is a vice president and research fellow in Gartner Research. Mr. Pescatore has 32 years of experience in computer, network and information security. Prior to joining Gartner, Mr. Pescatore was senior consultant for Entrust Technologies and Trusted Information Systems… Read Full Bio

Thoughts on Off in the Clouds – Securely

  1. […] example, a research note posted yesterday by Gartner’s John Pescatore surmised that many corporate customers he’s recently […]

  2. Imran Anwar says:

    Good topics to cover, John. Security, no doubt, is, and should be, a primary consideration. It’s something I also often write about. I was happy to see governance, risk and compliance topics get a boost with recent developments.

    Enjoy the real clouds with your family.



  3. […] that most businesses still didn’t get the cloud. They looked at it as a way to secure the virtual data center. We’d now call that a private cloud. That was then. This is […]

  4. Adrian takes a different angle in his conference reflections in Strata Standards Stories: Different Stores For Different Chores. He shares the latest in storage innovation, including Cloudera’s Kudu announcement.Good to see the area being questioned – you’re so right in saying it’s not sexy, therefore not spoken about at confz, and flies under the radar. Which is the main reason why toolsets are as bad as they are. There are no best practices, and certainly no Best Practices.There is room for innovation but not in the areas mentioned (fair play to the author, there is no assertion as such in the article).The unauthenticated space cannot improve apart from maybe throwing in better delta analysis and removing “heuristic” and other areas of radical guesswork from toolsets. So the unauthenticated space can improve by removing things, not adding them.The authenticated space is where there is huge room for improvement, in false negatives mainly, and lets stop providing managed services in this area where there are no big red warnings in upper case saying “we have your configs and root passwords”.This VM/VA thing is only about basics, and has been over-complicated. With cloud and ESX and app-centric’icities, we’ve drifted away from Operating Systems and configurations and tin. These are not 1998 concepts, they are still very real. Clouds are still made of tin, they are not ethers out there somewhere.The common approach to authenticated toolsets is basically “lets just code a CIS benchmark”. Has anyone ever read one of those things? they are free for a reason. No, but generally the extent of tests has to be improved, Windows is well-covered, others are not.So the motivation should be there to improve, because Oracle databases (that’s critical infrastructure and 40 of the global market) are not covered by VA/VM. Windows coverage is about 70 to 85 of where it should be, so boxes like DCs could have some critical misconfigurations that are currently invisible.Thanks for asking these questions, i loved the article.

Leave a Reply

Your email address will not be published. Required fields are marked *

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.