Publication Date: 3 June 2008 ID Number: G00157782
Assessing the Security Risks of Cloud Computing
Jay Heiser, Mark Nicolett
Organizations considering cloud-based services must understand the associated risks, defining acceptable use cases and necessary compensating controls before allowing them to be used for regulated or sensitive information. Cloud-computing environments have IT risks in common with any externally provided service. There are also some unique attributes that require risk assessment in areas such as data integrity, recovery and privacy, and an evaluation of legal issues in areas such as e-discovery, regulatory compliance and auditing.

Key Findings

• The most practical way to evaluate the risks associated with using a service in the cloud is to get a third party to do it.
• Cloud-computing IT risks in areas such as data segregation, data privacy, privileged user access, service provider viability, availability and recovery should be assessed like any other externally provided service.
• Location independence and the possibility of service provider "subcontracting" result in IT risks, legal issues and compliance issues that are unique to cloud computing.
• If your business managers are making unauthorized use of external computing services, then they are circumventing corporate security policies and creating unrecognized and unmanaged information-related risks.

• Organizations that have IT risk assessment capabilities and controls for externally sourced services should apply them to the appropriate aspects of cloud computing.
• Legal, regulatory and audit issues associated with location independence and service subcontracting should be assessed before cloud-based services are used.
• Demand transparency. Don't contract for IT services with a vendor that refuses to provide detailed information on its security and continuity management programs.
• Develop a strategy for the controlled and secure use of alternative delivery mechanisms, so that business managers know when they are appropriate to use and have a recognized approval process to follow.
© 2008 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.
Gartner defines cloud computing as "a style of computing where massively scalable IT-enabled capabilities are delivered 'as a service' to external customers using Internet technologies." From a security and risk perspective, it is the least transparent externally sourced service delivery method, storing and processing your data externally in multiple unspecified locations, often sourced from other, unnamed providers, and containing data from multiple customers. This model provides cost savings through economies of scale, but it not only introduces the same risks as any externally provided service, it also includes some unique risk challenges. The word "cloud" suggests something big and accessible, but externally opaque. You can't see into the cloud — you just assume that it works. Obviously, a service provider has far more flexibility by avoiding specifics about its location, staff, technology, processes or subcontractors. Increasingly, service is being offered by a chain of providers, each invisibly offering processing or storage services on behalf...