NATIONAL HARBOR, Md. -- There are a multitude of security factors for enterprises to consider when they move operations to cloud environments, but according to a trio of Gartner analysts, enterprise cloud customers should make contracts the focal point of their transition efforts. Otherwise, they risk not having the security and control provisions they need.
In multiple presentations at the 2013 Gartner Security and Risk Management Summit, Jay Heiser, research vice president at Gartner, highlighted how enterprises lose varying degrees of control over their IT systems and data as they move from in-house or self-managed hosting to various types of cloud offerings. He said that enterprises largely need the same security controls in the cloud, but that "it's a question of who controls them."
For example, enterprises using public cloud Software as a Service (SaaS) are highly dependent on their cloud service provider because they forfeit practically all security responsibilities to the CSP, Heiser said. In such circumstances, enterprises should take special care to ensure that all critical provisions and security controls are included in the contract with the CSP.
Unfortunately, not all CSPs are willing to provide detailed security assurances to customers. Donna Scott, a Gartner vice president and distinguished analyst, said Gartner clients have logged many complaints about weak service-level agreements (SLAs) that lack the necessary guarantees when it comes to security, confidentiality and transparency.
Enterprises have dealt with shadow IT for a long time, but Scott noted that Gartner research has found that more than 25% of corporate IT spending now falls outside the purview of traditional IT organizations, and that percentage is expected to increase. Enterprises also want to avoid being "unnecessarily slow" in adopting cloud services so as not to lose a potential edge over competitors, which leaves IT organizations to deal with the security implications of CSP contracts.
"We recommend that you think about a framework for how you're going to manage and govern contracts with these providers," Scott said.
Potential cloud contract pitfalls
With many of the security details left to CSPs, just what should enterprise cloud customers look for in contracts? John Morency, a research vice president with Gartner, commented that "the devil is in the details," especially regarding which party is responsible for which aspect of security operations.
"Who is responsible for what? Who is responsible for the configuration and operations management?" Morency asked. "How are you going to define shared responsibilities for triage?"
Heiser said enterprises often struggle to determine what security controls a CSP has in place; when asked, many providers offer boilerplate responses or vague documentation. The industry needs to form some common certifications so enterprises can gauge provider competence more easily, he said, with the U.S. government's FedRAMP initiative proving to be the closest to a global standard.
Another area of concern is CSP downtime. Despite the perception of the cloud as being available 24/7/365, many CSPs don't operate that way, Morency said, particularly when it comes to global SaaS services in which the providers don't own the data centers. Enterprises should seek clarification on uptime guarantees, downtime frequency and scheduling, and how availability will affect users of the cloud services.
Even without planned downtime, a disaster can strike out of the blue. Morency highlighted a 2011 incident in which a lightning strike damaged a power transformer in a Dublin, Ireland, Amazon data center, taking the large facility offline despite it being built with disaster resiliency in mind.
"There are no guarantees," Morency said. "The notion of the 100% guarantee doesn't exist."
As for being compensated for service time lost, Morency emphasized that enterprises must ensure that specific compensation levels are set in SLAs; otherwise, he said, CSPs would revert to typical compensation levels such as 20% to 50% for service time lost. Morency noted that he has personally seen only two instances in which a CSP included stronger language in a contract without being pushed by a customer.
Losing an hour, day or week of service is bad enough, but Morency also brought up the worst-case scenario for enterprise cloud customers: What happens if the provider goes out of business? Customers of the U.K. division of Doyenz faced this question on Aug. 10, 2012, when the company sent notice to its customers that it was closing its doors and they had three weeks to decide what they were going to do with their data. Some CSPs don't even give that much notice, he said. "Most organizations don't have the flexibility and time to deal with this issue," he commented.
Morency also advised attendees to ensure they have contract language stating that data they store with the CSP can't be packaged and sold to third parties, as often happens when a provider is facing fiscal trouble and needs a quick injection of cash.
Even if an enterprise can negotiate strong language into a contract with a CSP, the benefits of the cloud don't necessarily outweigh the security risks, Heiser advised attendees. He suggested that enterprises with an appetite for risk and data of low sensitivity should consider cloud hosting options after they perform a thorough risk assessment -- but any organization not interested in experimenting should wait.
"We want someone else to take care of our destiny, and we want it in writing," Heiser said. "It's not going to happen."