According to Jay Heiser, Gartner’s research vice president, achieving a high level of security in the cloud is still a “long hard climb,” and organizations with sensitive data will likely refrain from using cloud services until the situation improves.
On April 11, in an online presentation to Gartner customers, Heiser said, “Finance tends to be more conservative about cloud computing than small business.” On reducing security risk in the cloud, Heiser believes that because infrastructure-as-a-service (IaaS) offers more flexibility and less reliance on the service provider’s capabilities, it is considerably easier to establish a security baseline with IaaS than with software-as-a-service (SaaS).
Heiser further said that Gartner’s clients are “almost universally disappointed,” as they consider cloud computing contracts incomplete in terms of the security specifications they expect. He stressed that “cloud contracts are incomplete.”
On standardizing cloud security, he added that the American Institute of Certified Public Accountants (AICPA) has replaced its SAS 70 certification with the SOC 1 service provider certification. There are SOC 2 and SOC 3 certifications as well, intended to demonstrate the trustworthiness and security of service providers’ systems.
Heiser appreciated the efforts made to ensure the security of cloud computing, but believes they will take about one to five years to mature fully. He said that FedRAMP and the CSA standards are still immature projects whose impact will take years to become visible. He expressed similar views about the ISO/IEC 27017 cloud security standard and the ISO/IEC 27018 cloud privacy standard.
While cloud computing security efforts are still in their initial stages, businesses and governments should narrow down their requirements and assess the likely cloud services and security settings. Heiser said this can be started by observing and examining the sensitivity of the data entering the service. Companies have to ask about the possible impact of data loss: whether the data is of critical competitive value or subject to regulatory requirements. Ultimately it all comes down to determining the appropriateness of the service.
According to Heiser, security in cloud computing today is mainly a matter of identity and access management together with server-based encryption, but potential cloud customers need to ask how those encryption keys are stored and managed. He added that other options are available as well, namely gateway encryption and forensic investigation. The former is changing quickly, while forensics does not seem practical today and will probably take 5 to 10 years to become a “solid set of technologies.”
Heiser is of the view that the economic benefits usually outweigh the potential risks of cloud technology, which is why Gartner is advising potential clients to adopt cloud services for less sensitive data. If the data is of medium sensitivity, an effective risk assessment is highly recommended, and data of the greatest sensitivity is not feasible to place in the cloud at all.
Heiser explained that in the event of a cyber attack, cloud vendors usually do not offer any compensation to their clients, so customers need a back-up plan that allows them to recover their data. Even with big names like Amazon, Google and Microsoft, there have been instances when data disappeared, at least for a time, and was never recovered. “Restoration is not an easy process, but all stakeholders should put loss of service and availability at the top of your list.”