Cloud-based service models slowly gain risk-management traction

PaaS and Iaas are the most trusted service models: Gartner says that the most dramatic change over the past three years is the increased willingness to use IaaS and PaaS for sensitive processes.

The research firm found that organizations are about 30% more likely to have a policy against putting sensitive data into SaaS than PaaS or IaaS, with 26% saying they do not use SaaS for anything sensitive. Businesses are also 45% more likely to have a policy against putting sensitive data into outsourced data centers than the other two.

Meanwhile, 36% of respondents said they had a policy against putting mission-critical data into an outsourced location, making avoidance the most chosen mechanism for dealing with risk in the data center. The level of response for this choice is significantly higher than for either of the other two service models, according to Gartner. Twenty-nine percent of respondents said this policy applied to SaaS, and only 22% said it applied to IaaS/PaaS.

"These results make sense, given that sharing data with a partner almost certainly means that one or more of its employees will be accessing the data, while in a SaaS scenario, the data is typically only accessible to the primary customer," said Jay Heiser, research vice president at Gartner. "This year we asked about both data availability and data confidentiality policies. Survey respondents indicated 10% less willingness to place mission-critical data into a SaaS offering than to place sensitive data into it. They were even less willing to place mission-critical data into outsourced data centers, with over one-third of respondents saying that they do not allow it."

On the whole however, enterprises are more likely to trust cloud-based models than they were a year ago.

"One of the biggest drivers is probably an expectation that the packaged service offerings, which typically claim to be based on cloud computing, are more reliable," said Heiser. "While fault tolerance is a feature of many such offerings, we consider it premature to assume that mission-critical data is safer in a cloud than in a traditional data center in which buyers usually make very specific choices about how data will be backed up."

In terms of determining the safety of business partners’ business infrastructure, Gartner has ironically found there to be a big reduction in sending company staff to evaluate a partner's controls on-site. That practice has declined by more than 40% over three years, as has the use of proprietary surveys. Use of the less secure standards-based questionnaires has increased proportionately, particularly for SaaS risk assessment.

IaaS and PaaS, correlating to their more-trusted status, are less likely to be supported with questionnaire-based risk assessment: only 57% of IaaS/PaaS buyers are relying on questionnaires to support their risk assessment strategies. Unlike for SaaS, if a questionnaire is used, it’s more likely to be a proprietary one, unique to the buyer's organization. Also, 26% are evaluating information from the provider itself.

What’s Hot on Infosecurity Magazine?