Gartner's state of Cloud security: Outages are bigger risk than breaches

Many enterprises are ill-prepared for Cloud outages and data loss

Security remains a chief inhibitor to enterprise adoption of Cloud computing resources and one Gartner analyst says the biggest concern should not be that data could be compromised in the Cloud, but rather that there may be a Cloud outage that could lead to data loss.

There's a perception, says Gartner Cloud security analyst Jay Heiser, that the most significant risk in using the Cloud is that sensitive data can be leaked. But there's been little evidence of that, he says. Sony suffered a compromise of potentially tens of millions of customers in 2011 related to its Cloud, and there have been a handful of other breaches of personally identifiable information being leaked from the Cloud.

But more common nowadays are Cloud outages and data loss, and Heiser says many enterprises are ill-prepared for those incidents.

RELATED: Nine security controls to look for in your Cloud contract

MORE CLOUD: 12 Free Cloud storage services 

MORE GARTNER: Gartner: How big trends in security, mobile, big data and Cloud computing will change IT 

Just look at some of the major outages from the past few years. Amazon Web Services, the market-leading Cloud provider, has experienced three major outages in the past two years. After an April 2011 Elastic Compute Cloud (EC2) outage, some level of data was irrecoverable, Heisler says. Evernote lost the data of 6,000 customers in 2010 and Carbonite lost a portion of its customer's backups in 2009, he says.

Many of these events are caused by errors following upgrades of systems, he points out. Amazon, for example, credited its most recent outage on a new piece of hardware being installed in its data center.

The outage led to Reddit, Imgur and other popular sites being down, and AWS issued credits following the incident.

These issues have happened over and over, so they're likely to happen again, Hieser said during a webinar hosted by Gartner this week. Despite this being one of the biggest concerns for Cloud users, Heiser says only half of companies recently surveyed by Gartner had a process to evaluate their business continuity processes. He adds that security breaches should not be ignored, but the more pressing concern is around business continuity.

The Cloud industry is slowly addressing these concerns, but vendors, users and third-party bodies that are attempting to push Cloud security improvements could all be doing more, he says.

Vendors have been reluctant to address security recoverability from data loss in service-level agreements (SLA), he says. "It remains a common complaint that Cloud service providers are being ambiguous around what they're specifically doing to protect customers," he says. Some providers may not divulge information because doing so could represent a security threat, they say. Providers many times claim a high level of availability and confidentiality of users' data, but Heiser says they provide little evidence for customers to verify those statements.

Buyers could do more too though, he says. One of the first things users need to do is classify which data really needs to be protected. Incomplete or nonexistent data classification is a common problem. "If the buyer doesn't know what the security requirements are for a specific piece of data compared to other data, it's difficult to assess whether the provider can meet provide adequate security," he says.

Third-party organizations are working to create standards and certifications for this area, but Heiser says those are still weak at this point. The Cloud Security Alliance, for example, has undertaken broad measures to address a variety of topics, but he questions how in depth those efforts have been at drilling down into specific areas.

RELATED: Amazon opens up about its Cloud security practices, joins CSA registry 

FedRAMP is a program by the federal government that seeks to have a common set of security criteria for each provider the federal government uses for Cloud computing, but it's in the early stages and may not be operational until 2014, he says. "We're beginning to get glimpse of what we need," Heiser says, but more work is needed to have standard controls, evaluation practices and global consensus. Buyers are in the best position to put pressure on vendors to be as transparent as possible on these issues, he adds.

So what's an enterprise Cloud user supposed to do? "Choose your battles over data control," Heiser says. The macro trend is that more data is going to more end-user devices, which makes controlling the data more difficult and creating more vulnerabilities. With a data classification scheme, organizations can prioritize which data needs to be heavily secured. For most organizations that extremely sensitive data will be less than 20% of data, and could be as little as 5% or less. That data should be given "heroic efforts" to protect it - encryption, tokenization, data loss prevention systems or keeping it on site and not in a public Cloud. Anti-virus, anti-malware and other security protections and controls should be in place to ensure the rest of data is not egregiously vulnerable. Ultimately, in today's world, the reality is, Hesier says that "most data will have to protect itself."

Network World staff writer Brandon Butler covers Cloud computing and social collaboration. He can be reached at and found on Twitter at @BButlerNWW.

Join the CSO newsletter!

Error: Please check your email address.

Tags Amazon Web ServicessecurityCloudcloud securityCloud outageAWS outagecloud computingsonyinternetGartner

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Brandon Butler

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place