Gartner Blog Network

Security is the top Concern for Public Cloud, but What Does That Really Mean?

by Neil MacDonald  |  December 16, 2010  |  2 Comments

Survey after survey shows that the top issue that organizations have when considering the adoption of public cloud-based computing services is “security and privacy”.

Gartner’s own surveys show this (the survey chart is not reproduced here). That survey data is from December 2009; we’ll be publishing the December 2010 survey data for clients over the next several weeks.

You have all seen similar charts from other survey data sources showing the same thing: security is the top-of-mind concern.

I believe that cloud-based computing has the potential to be more secure than what most organizations can deliver themselves, so I wanted to dig deeper. Security is such a broad term (encompassing infrastructure security, identity and access management, content security, application security, vulnerability management, etc.), so what exactly is it about the security of the cloud that is the concern?

I asked this drill-down question in an audience survey last week at Gartner’s 2010 Data Center conference. If security is the number one concern, what is it specifically that is concerning them? The number one security issue identified was: “Lack of confidence in the cloud provider’s security capabilities”.

So how do we address this? We’ll start with diligence in our RFI and RFP processes as we consider and evaluate cloud-based services. We’ve published quite a bit of research to help our clients with these evaluations. Guidance is also available from the Cloud Security Alliance and other initiatives such as FedRAMP.

Of course, providers can claim anything they want in an RFP response, so we need these capabilities confirmed by an independent assessment. Many providers cite a SAS 70 Type II report. However, my colleague Jay Heiser has published research for clients showing that SAS 70 is not proof of security, continuity or privacy compliance: a SAS 70 Type II report attests that the controls the provider itself chose to describe operated as described over the audit period, not that those controls are adequate for your data. Other providers go further with ISO 27001 certification, which is assessed against an external standard rather than the provider’s own control description. Microsoft and Google both claim FISMA certification for their cloud offerings. Whatever is offered, ask for the actual report or certificate and check its scope (which services and which data centers), its audit period, and whether the controls tested cover the risks you care about.

This isn’t a new concern that is unique to cloud. We overcame similar reservations about the security capabilities of outsourcers years ago (consider payroll outsourcing). Overall, I believe the concern is valid but addressable to a level of risk that is manageable, just as we have done with outsourcing, as we mature our RFI/RFP process discipline and as standards for certifying cloud providers emerge.


Category: cloud  cloud-security  security-of-applications-and-data  vendor-contracts  virtualization-security  

Tags: cloud-security  gartnerdc  information-security  

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Thoughts on Security is the top Concern for Public Cloud, but What Does That Really Mean?

  1. Adam Hils says:


    Nice post.

    Security concerns about any outsourcing arise from the very human need for control. Unfortunately, current certs don’t provide even baseline assurance for adequate cloud security. They are useful to customers only insofar as they demonstrate some level of security seriousness on the cloud provider’s part.

    For the same reason that parents audition potential nannies (sometimes with cameras to provide evidence of reliability/best practices), customers should demand to see security processes in the cloud, and to have their security experts try to exploit potential vulnerabilities.

    Cloud providers have the opportunity to prove their security credentials by demonstrating security controls and best practices to interested prospects. This approach is not scalable in the long run, but it is necessary today.

  2. Neil MacDonald says:


    Interesting observation on watching nannies with cameras. I’ve seen quite a bit of interest on the need for monitoring access to data and applications that are cloud-based (the cloud-equivalent of the nanny-cam).

    It’s more difficult to do real-time monitoring, but events can be aggregated, cached and downloaded periodically.

    Some cloud providers offer this; with others, at the IaaS level, you would need to bundle your own monitoring with the workload.
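
A minimal version of the periodic pull-and-aggregate pattern described in the comment above, written as an added example for this page (it is not code from the post, from Gartner, or from any cloud provider). It assumes a provider that lets you download audit events in batches; the record layout (id, ts, user, action, object, src_ip), the sample records, and the "sensitive object touched from a new source IP" alert rule are all hypothetical and constructed here:

```python
"""Pull-and-aggregate monitor for downloaded cloud audit events.

Added example, not code from the original post or from any cloud provider.
The record layout, the sample downloads and the alert rule are hypothetical.
"""
from collections import Counter, defaultdict

# Constructed sample data: two successive downloads. Each poll asks for
# "everything since my watermark minus a safety margin", so the second
# batch repeats event e3 from the first one.
DOWNLOAD_1 = [
    {"id": "e1", "ts": "2010-12-10T08:00:00Z", "user": "alice", "action": "read",
     "object": "hr/payroll.xlsx", "src_ip": "203.0.113.5"},
    {"id": "e2", "ts": "2010-12-10T08:05:00Z", "user": "alice", "action": "read",
     "object": "hr/benefits.pdf", "src_ip": "203.0.113.5"},
    {"id": "e3", "ts": "2010-12-10T08:10:00Z", "user": "bob", "action": "write",
     "object": "eng/build.log", "src_ip": "198.51.100.7"},
]
DOWNLOAD_2 = [
    {"id": "e3", "ts": "2010-12-10T08:10:00Z", "user": "bob", "action": "write",
     "object": "eng/build.log", "src_ip": "198.51.100.7"},      # overlap
    {"id": "e4", "ts": "2010-12-10T09:00:00Z", "user": "alice", "action": "read",
     "object": "hr/payroll.xlsx", "src_ip": "192.0.2.44"},      # new IP for alice
    {"id": "e5", "ts": "2010-12-10T09:01:00Z", "user": "alice", "action": "download",
     "object": "hr/payroll.xlsx", "src_ip": "192.0.2.44"},
]


class AuditMonitor:
    """Keeps a local, de-duplicated, aggregated view of downloaded events."""

    def __init__(self, sensitive_prefixes=("hr/",)):
        self.sensitive_prefixes = sensitive_prefixes
        self.seen_ids = set()               # cache of event ids already processed
        self.watermark = ""                 # latest ts ingested (ISO-8601 sorts as text)
        self.known_ips = defaultdict(set)   # user -> source IPs seen so far
        self.counts = Counter()             # (user, action, object) -> occurrences
        self.alerts = []

    def ingest(self, batch):
        """Process one downloaded batch; returns the number of new events."""
        new = 0
        for ev in sorted(batch, key=lambda e: e["ts"]):
            if ev["id"] in self.seen_ids:
                continue                    # already seen in an earlier download
            self.seen_ids.add(ev["id"])
            new += 1
            self.watermark = max(self.watermark, ev["ts"])
            user, ip, obj = ev["user"], ev["src_ip"], ev["object"]
            self.counts[(user, ev["action"], obj)] += 1
            # Rule (hypothetical): a user touching a sensitive object from an
            # IP we have not seen that user use before. The first events for
            # a user only build the baseline and never alert.
            if (obj.startswith(self.sensitive_prefixes)
                    and self.known_ips[user]
                    and ip not in self.known_ips[user]):
                self.alerts.append(
                    f"{ev['ts']} {user} {ev['action']} {obj} from new IP {ip}")
            self.known_ips[user].add(ip)
        return new

    def top_accesses(self, n=3):
        """Aggregate view: the n most frequent (user, action, object) tuples."""
        return self.counts.most_common(n)


def run_demo():
    """Feed both constructed downloads through a fresh monitor and return it."""
    mon = AuditMonitor()
    for batch in (DOWNLOAD_1, DOWNLOAD_2):
        mon.ingest(batch)
    return mon


if __name__ == "__main__":
    mon = run_demo()
    print("watermark:", mon.watermark)
    for line in mon.alerts:
        print("ALERT", line)
    for key, n in mon.top_accesses():
        print(n, *key)
```

The de-duplication by event id is what makes the overlapping downloads safe: you can always ask the provider for a window that starts a little before your watermark without double-counting. In a real deployment the `seen_ids` cache and the watermark would be persisted between polls and the cache bounded to the overlap window, and the baseline of known source IPs would be seeded from history rather than from the first batch.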


