Last month Gartner Analyst Jay Heiser conducted an extremely informative and thought-provoking webinar entitled “The Current and Future State of Cloud Security, Risk and Privacy.” During the presentation, Mr. Heiser highlighted what he called the “Public Cloud Risk Gap,” characterized in part by inadequate processes and technologies by the cloud service providers and in part by a lack of diligence and planning by enterprises using public cloud applications. In many ways, it was a call to arms to ensure that adequate controls, thought and preparation are put to use before public clouds are adopted by enterprises and public sector organizations.
From the side of the cloud application provider, the webinar noted that most cloud service offerings are incomplete when measured against traditional “on-premise” security standards, there are relatively few security-related Service Level Agreements (SLAs), and there is minimal transparency on the security posture of most cloud services. From the enterprise side (the cloud service consumer), he points out that they frequently come to the table with inadequate planning and consideration in the area of security requirements definition and have an incomplete data sensitivity classification governing their data assets. Despite this, the webinar highlighted that organizations of all sizes are increasingly willing to place their data externally, and they are increasingly likely to have at least some formalized processes for the assessment of the associated risk – which is good news.