
Organisations migrating applications to externally-hosted services face security challenges well beyond fears around data sovereignty, according to analyst group Gartner.
Gartner analyst Andrew Walls told IT security professionals at the analyst's Sydney Symposium today that security is "in the midst of a transition in computing that mirrors when the internet kicked off."
Traditional IT security processes inside the LAN, he said, are no longer key concerns for CIOs.
"We have reached a high level of maturity in a lot of our security infrastructure - in our secure web and email gateway, in our endpoint protection suites," Walls said.
"A few years ago - before 2007 - security was in the top three of CIO priorities as surveyed by Gartner - this year it comes in at number nine. Money is still being spent on core security priorities - that spend hasn't changed.
"But is security different and challenging enough to require CIO attention? Their answer is no. The CIO expects security has been operationalised, embedded in our systems and processes. As it should. By and large it should be organically embedded in everything we do."
CIOs, he said, are focused instead on new delivery mechanisms - virtualisation, cloud computing and Web 2.0.
The focus now is "what happens when our data steps out of the bounds of our control" into the cloud, Walls said.
Gartner has created a chart which categorises enterprise approaches to cloud security.
For applications with low security pressures, Walls said, customers tend to accept whatever security tools come embedded in the cloud service.
"Organisations use what comes with VMware and accept the vendor's claims as to the robustness of those security tools," he said.
But for higher risk applications, Walls said a new breed of security service is required.
There is very little due diligence organisations can do to assess and monitor the security postures of some of these providers.
"Google are not going to give you a physical inspection of their data centres," he said. "The only thing you have is a contract. But if you look at the standard contracts, they have plenty of get out of jail cards in there.
"Contracts are not controls," he said. "They are sticks for beating people with. Sure, you get some money back if something goes wrong, but if you've lost all your data, is that small amount of money going to make you feel better?"
What is required, he said, is not just internal audit of the cloud services but the use of third parties to provide an added level of assurance.
"There needs to be a security service from outside of cloud infrastructure that inspects the cloud provider," Walls said. "It would be analogous to a third party audit of a service provider. It would study and monitor the cloud service provider and provide reports. We are starting to see security as a service popping up to provide that."
Walls also warned against relying exclusively on the major IT infrastructure vendors as they swallow up these smaller security service providers.
He noted HP's acquisition of Fortify, ArcSight and Tipping Point; Symantec's buys of VeriSign and PGP; and Intel's recent purchase of McAfee as part of a "perennial" pattern that doesn't necessarily lead to better outcomes for end user organisations.
"Remember ISS?" he asked. "IBM bought them, and the brand is eroding in the market. I'm not saying the products aren't good, it's just that large IT infrastructure vendors struggle to deal with the highly differentiated products of smaller providers."
"What usually happens is that the actual impact of the security product diminishes steadily.
"It's still important to look for independent controls that study the products of those infrastructure vendors like HP and IBM. You need a separate product that studies their infrastructure. Inherently, security works better with a strong independent product that isn't welded in to the major vendors."
Frequent challenges
Walls outlined some key challenges organisations that have already taken apps to the cloud have faced.
He said he is very frequently asked for advice from customers using Google Apps about how they can use Active Directory identities developed in-house to give privileged access to specific data on Google Apps.
It isn't a question he has an answer to yet.
"Beyond not being able to touch the box, we still want to manage access to it - even if it's just for reporting and monitoring," he said. "We don't want to manage ten different repositories of user data. In this sense, identity access management in the cloud is very immature, nascent at best."
Back inside the LAN, he expects the biggest challenge in 2011 to be dealing with botnets and malware.
As IT becomes further "consumerised" and employees bring their own smartphones, tablets and other devices into the corporate network, Walls sees risk.
"You can expect the number of botnet infections on your network will explode," he said.