Gartner: Long hard climb to high level of cloud computing security

It's still a long, hard climb to get to a high level of security in cloud computing, according to Gartner research vice president Jay Heiser, who said business and government organizations with sensitive data appear likely to hold back from cloud-based services until things improve.

"Finance tends to be more conservative about cloud computing than small business," said Heiser in his online presentation to Gartner clientele yesterday. In "Prepare for and Minimize the Security Risk of Cloud Computing," Heiser expressed the view that it's somewhat simpler to establish a security baseline when using infrastructure-as-a-service (IaaS) than it is for software-as-a-service (SaaS), if only because there's more flexibility and less dependence on the competence of the service provider. But overall, cloud service providers aren't as clear as they should be concerning matters such as their business continuity and disaster-recovery practices, making it hard to win customer confidence.

"Gartner clients are almost universally disappointed" by what they regard as the incompleteness in cloud-computing contracts where they still don't see the level of specificity related to security they expect, said Heiser. "Cloud contracts are incomplete," he emphasized.

The struggle to define both technologies and legal obligations between the cloud and the customer is a topic that has been taken up by both the federal government in its FedRAMP program that seeks to certify cloud-service providers for government use, and the organization Cloud Security Alliance (CSA), which has several working groups pouring enormous effort into defining industry standards.

Heiser also pointed out that the American Institute of Certified Public Accountants (AICPA) has replaced its SAS70 certification with a service provider certification called SOC 1, and there are now SOC 2 and SOC 3 reports as well to indicate the trustworthiness and security of service provider systems.

But while applauding all of these standardization efforts for security in cloud computing as significant, Heiser said FedRAMP, which is supposed to be operational next year, and the CSA standards are still early projects and their impact may be years away. Heiser had similar sentiments about the ISO/IEC 27017 cloud security standard and the ISO/IEC 27018 cloud privacy standard. All of these cloud-computing security efforts are worthwhile, but they will take somewhere between one and five years to be considered mature, he said.

In the meantime, businesses and government have to pin down their requirements and evaluate potential cloud services and their security options as well as they can. The starting point should be looking at the sensitivity of the data going into the service, Heiser said. Companies have to ask questions such as what the impact of losing the data would be, whether it is of critical competitive value, and whether it is subject to regulatory concerns. "It comes down to determining the appropriateness of the service," he said.

The most mature and readily available security controls today in cloud computing are associated with identity and access management mechanisms and server-based encryption, he said. But cloud customers have to ask how encryption keys are managed and stored and whether the risk is acceptable, he noted. Gateway-based encryption, or what's sometimes called a broker gateway or proxy, is another option, and it's changing quickly, he added. Forensic investigations are not really viable today, he noted, and in terms of overall security controls, it will probably take five to 10 years to really see a "solid set of technologies" for cloud computing.

The economic appeal of cloud computing is strong, and sometimes it does appear that the economic benefits outweigh the potential risks. Gartner is advising clients in general to allow low-sensitivity data to be considered for cloud services; if the data falls in the "medium" range of sensitivity, there's a strong need to conduct a risk assessment; and if the data is of high sensitivity, it should not be considered feasible or permissible for cloud services.

This process also means making sure that the business managers are engaged and realize they "own" the data, and are up to speed on the risks associated with cloud computing, says Heiser.

Nonetheless, cloud service providers rarely offer any indemnification against hacking, Heiser said. And SaaS remains more "mysterious" than IaaS in terms of making it clear how providers really operate, even as customers effectively enter into a kind of cloud supply chain. Since one risk is that a cloud provider might go out of business, there needs to be assurance that the provider can return data or has a contingency plan for back-up. When the Mumboe SaaS went out of business two years ago, it gave customers two weeks to get their data back, Heiser mentioned. That was a wake-up call of sorts that clouds sometimes do evaporate, and plans need to be made for these kinds of downpours.

Even at some of the household names in cloud computing today (Amazon, Google, Microsoft) there have been instances where data has disappeared, at least for a time, or never returned, Heiser said. "Restoration is not an easy process," he added. "Put loss of service and availability at the top of your list." Live upgrades of services can lead to widespread data corruption, he pointed out.

IT managers have become accustomed to the idea that they have control over what they can do in-house in terms of applications, services, servers, storage, networking and security. Heiser said they need to fully realize that this accustomed level of flexibility isn't going to be there in cloud computing, by its very nature.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail:
