
G00210095

Cloud IaaS: Security Considerations


Published: 7 March 2011

Analyst(s): Lydia Leong, Neil MacDonald

Ensuring adherence to your organization's security and compliance requirements is one of the most significant challenges to overcome when sourcing a cloud infrastructure-as-a-service (IaaS) solution. The security capabilities of service providers vary greatly. IT managers must understand the reality of what's available in the cloud. Diligence is required in the procurement process, along with independent confirmation of service provider claims.

Key Findings

- Cloud IaaS can be sufficiently secure for enterprise needs, but different IaaS offerings have very different levels of security.
- A Statement on Auditing Standards No. 70: Service Organizations (SAS 70) audit is not proof of security or regulatory compliance. Security certifications may still be useful but do not, by themselves, constitute proof of adequate security.
- Emerging industry efforts to define cloud compliance and maturity standards, such as the Cloud Security Alliance (CSA) and the Common Assurance Maturity Model (CAMM), hold promise and should be used as input to define the enterprise's own standards.

Recommendations

- Determine your actual security requirements; don't overestimate your needs, particularly compared with your own internal data center.
- Develop guidelines for evaluating the security of IaaS and other cloud-based services.
- When evaluating cloud offerings, discuss operational and security requirements early on, just as you would if the service were being developed internally.
- Examine the details of a provider's IaaS implementation to assess the quality of its security.
- Consider using cloud computing only when the vendor is sufficiently transparent to ensure it meets your business's needs for security and compliance.
- Perform a risk assessment to understand the proper trade-off between security and cost.

Table of Contents

Analysis (page 2)
  Security and Compliance (page 2)
    Don't Rely Solely on Audits (page 3)
    Security Architecture and Services (page 4)
    Identity and Access Management (page 6)
    Staffing (page 6)
  You Are Responsible (page 7)
  Recommended Reading (page 7)

List of Figures

Figure 1. Key Concerns When Implementing Cloud Computing (page 3)

Analysis
As described in "Evaluating Cloud Infrastructure as a Service," all cloud IaaS offerings are not
created equal, despite superficial similarities in the way the offerings are described. There is
considerable variance in service provider design goals, the quality of the technical implementations,
and the cost-effectiveness and the value for money of those implementations.

This is part of a series of reports detailing the differences in the technical architectures and business
models of IaaS offerings. This document is focused on security and compliance considerations.

Security and Compliance


Gartner's surveys and polls consistently show that security, privacy and compliance are the
greatest concerns of organizations considering cloud computing solutions. These include IaaS
solutions, whether the organization is implementing IaaS within its own data center, outsourcing
private IaaS or using public IaaS. (See "Survey Analysis: Global Adoption of Cloud Computing, a
View From Above" for more details on Figure 1, which shows the percentage of respondents who
ranked each concern in their top three.)



Figure 1. Key Concerns When Implementing Cloud Computing

[Bar chart, not reproduced here. Horizontal axis: Percentage of Respondents (0 to 60). Legend: Existing, Planned, Other. Concerns plotted: security of service; data location, privacy or access concerns; cost uncertainty or variability; inadequate service levels (e.g., availability, performance or reliability); increased business risk; perceived loss of control or choice of technology; lack of industry standards for cloud computing; lack of awareness of, or confidence in, model; dealing with compliance or regulatory controls; lack of suppliers with satisfactory credentials or reputation; inadequate contract terms or termination arrangements.]

Source: Gartner (March 2011)

There are no easy generalizations when it comes to the security measures implemented by IaaS
providers; every service provider has different administrative, physical and logical security controls.

For more general guidance on security and compliance in the cloud, consult "What You Need to
Know About Cloud Computing Security and Compliance."

Don't Rely Solely on Audits


Some IaaS providers use SAS 70 Type II audits as "proof" of their security. Unfortunately, SAS 70 does not review a provider's security controls for usefulness; it merely verifies that a provider carries out documented procedures, without any judgment as to whether its controls are good ones. The results of such an examination are unlikely to provide adequate information, as it is a process-only review that is explicitly not intended to be a technical review. (See "SAS 70 is Not Proof of Security, Continuity or Privacy Compliance.")

Security certifications may be more useful, but be cautious. For instance, International Organization
for Standardization (ISO) 27001, which is a security certification standard, is often used to evaluate
efficacy against ISO 27002's defined security control framework, but it is possible to obtain an ISO
27001 certification without using ISO 27002. Ensure both are used in the certification process.
Certifications are by no means a comprehensive evaluation of a provider's security posture, nor is a
lack of certifications an indication that a provider does not have excellent security controls.

Because audits and certifications are expensive and time consuming, providers often elect not to
pursue them, or use them only in a very limited way. Most service providers that claim SAS 70, for
instance, extend their audit only to their physical data centers, not to the actual infrastructure
service.

While you may be interested in a provider's SAS 70 and other third-party audits and security
certifications, do not use these as a substitute for doing your own security evaluation. (See "What
You Need to Know About Cloud Computing Security and Compliance.") Similarly, while the provider
may claim that it can comply with various requirements (for example, the Sarbanes-Oxley Act [SOX],
Federal Information Security Management Act [FISMA], Health Insurance Portability and
Accountability Act [HIPAA] and Payment Card Industry Data Security Standard [PCI DSS]), the
burden is on you to ensure that it does. In many cases, it might be able to meet part of a standard,
in certain circumstances, but those circumstances might not apply to you; in particular, many IaaS
providers meet PCI standards for customers that do not store cardholder data, but cannot meet the
standards for customers that directly process credit cards.

Also, be aware that your auditor does not have to accept the cloud provider's audit. For instance, several cloud IaaS providers have obtained PCI certifications where the audit specifically excludes certain clauses of PCI DSS, most importantly the clause that does not permit multitenancy of servers. Your auditor may or may not agree that the strength of separation provided for workloads meets the PCI requirements.

Your organization should set mandatory security requirements during the procurement process for
any cloud-based service. Standards for assessing cloud provider security capabilities are emerging
from organizations such as the CSA, the CAMM and the U.S. Federal Risk and Authorization
Management Program (FedRAMP). These standards should be used as the foundation for your own
organization's cloud security requirements.

Security Architecture and Services


Most IaaS providers have rigorous administrative and physical security controls for their data
centers. Such data centers are typically anonymous, hardened structures, with security guards,
security cameras, and layered access with multiple authentication mechanisms (including
biometrics) and access logging.

IaaS providers usually offer network security with defense in depth. The service provider may have automatic mitigation of threats such as distributed denial-of-service (DDoS) attacks, and may also automatically halt activity against its infrastructure that it deems malicious, such as automatic blocking of port scanning attempts, whether originating externally or internally.

Most IaaS offerings come with a basic firewall service included, allowing the customer to filter
specific ports and Internet Protocol (IP) address ranges, with the default configuration offering
minimal access. Preferably, the default configuration should use a default deny approach, where the
customer must explicitly define access to be granted. More complex intrusion detection system
(IDS) and intrusion prevention system (IPS) functionality may also be offered; this may be included
and mandatory for all customers, or an optional service for an extra fee. Customers can always
install additional software-based appliances, typically in the form of a virtual machine (VM), for
additional security controls. Some providers may also allow the deployment of security-related
hardware in front of the customer's IaaS environment, even if that environment is shared.
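The difference between a provider firewall whose default merely "offers minimal access" and one that is default deny is easiest to see by running the same customer rule set under both policies. The following is an added example, not code from the report or from any provider; the rule syntax, the provider-side default flag and the sample traffic are all constructed for illustration.

```python
"""Added example: evaluate an IaaS perimeter rule set under default-allow
versus default-deny semantics. Rule format and traffic are constructed
for illustration and do not model any particular provider's API."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src_cidr: str          # source address range, e.g. "203.0.113.0/24"
    port: Optional[int]    # destination TCP port; None matches any port

    def matches(self, src_ip: str, dst_port: int) -> bool:
        in_range = ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src_cidr)
        return in_range and (self.port is None or self.port == dst_port)


def evaluate(rules: List[Rule], src_ip: str, dst_port: int,
             default_deny: bool = True) -> bool:
    """First matching rule wins; unmatched traffic falls back to the default policy."""
    for rule in rules:
        if rule.matches(src_ip, dst_port):
            return rule.action == "allow"
    return not default_deny


# Constructed customer rule set: HTTPS from anywhere, SSH only from the
# corporate range (TEST-NET documentation addresses are used throughout).
CUSTOMER_RULES = [
    Rule("allow", "0.0.0.0/0", 443),
    Rule("allow", "198.51.100.0/24", 22),
]

# Constructed sample flows as (source IP, destination port).
SAMPLE_TRAFFIC: List[Tuple[str, int]] = [
    ("192.0.2.10", 443),      # internet client to HTTPS
    ("198.51.100.7", 22),     # corporate admin to SSH
    ("192.0.2.10", 22),       # internet client to SSH
    ("192.0.2.10", 3389),     # internet client to RDP; no rule mentions it at all
]


def decisions(default_deny: bool) -> dict:
    return {flow: evaluate(CUSTOMER_RULES, flow[0], flow[1], default_deny)
            for flow in SAMPLE_TRAFFIC}


def exposed_by_default_allow() -> List[Tuple[str, int]]:
    """Flows a default-allow provider posture admits that default deny would block.
    Anything the customer never wrote a rule for shows up here."""
    permissive, strict = decisions(False), decisions(True)
    return sorted(f for f in SAMPLE_TRAFFIC if permissive[f] and not strict[f])


if __name__ == "__main__":
    for flow, allowed in decisions(True).items():
        print(f"default-deny {flow}: {'allow' if allowed else 'deny'}")
    print("exposed under default-allow:", exposed_by_default_allow())
```

The RDP flow is the one to watch: under default deny it is blocked without the customer having thought about it, while under a permissive default it is reachable from the internet until someone writes an explicit deny rule.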

Most IaaS providers take measures to provide some virtual network isolation to customers, through
offering individual virtual LANs (VLANs), virtual routers and virtual switches to each customer.
Providers also usually take steps to secure their network traffic, with protection from network
sniffing, spoofing and local denial-of-service attacks.

As most IaaS offerings are built on virtualized infrastructure, providers may also provide some
security from within the virtualization layer itself for stronger separation of VMs on the same physical
host. For instance, providers with VMware-based infrastructures may support the vShield line of
firewalls, as well as the VMsafe API, which allows security products to take advantage of the
hypervisor's view of the VMs in order to detect and protect against threats; for example, this allows
antivirus scanning to be performed without requiring agents in each VM. (See "VMware Pushes
Further Into the Security Market With Its vShield Offerings" for details.)

IaaS providers also take measures to provide security in their storage offerings, and may offer
options such as data encryption. Storage security is detailed as part of "Cloud IaaS: Adding Storage
to Compute."

IaaS providers may offer antivirus services as part of their core offering; indeed, some IaaS
providers mandate antivirus for all customers. They may also offer host-based IDS and IPS,
configuration auditing (usually based on software such as Tripwire), and a Web application firewall.
These services may be included with the base compute service, or may be extra-fee options. Note
that most IaaS contracts explicitly prohibit the use of network-based vulnerability scanning tools, so
host-based approaches may be the only ones viable for configuration auditing.

Many IaaS providers offer other security services as well, including managed and professional
services. The most common additional service is security information and event management
(SIEM), or more basic log monitoring and management. This is most frequently implemented using
an appliance from a vendor such as LogLogic, or via a third-party partner service such as Alert
Logic. (See "Security Monitoring and Assessment for Cloud Environments" for more.)

Some IaaS providers are able to generate compliance reports as part of their service, consolidating provisioning reports, scanning reports, logs and the like into a single set of documents readily accessed via their customer portal. As a future market differentiator, we expect that this information will be able to be integrated into and accessible from an enterprise's own security information and risk management consoles.

Identity and Access Management


There are two areas of concern with identity and access management (IAM): access by the IaaS
provider's own staff (discussed in the "Staffing" section) and access by its customers. IAM is a
foundational component of an IaaS offering. Historically, IaaS providers have kept their own identity
databases, and authenticated against those databases. However, customers are increasingly
demanding integration with other sources of identity data, such as Microsoft Active Directory, or
support for identity federation standards such as OpenID and Security Assertion Markup Language
(SAML), and providers are responding accordingly.

IaaS providers normally have to secure three forms of customer access to their infrastructure:
interactive access to the customer portal, API access and access to the VMs themselves. Many
providers now offer an option for multifactor authentication for interactive access, which typically
uses a device such as RSA's SecurID. Most providers encrypt browser access to the customer
portal via Secure Sockets Layer (SSL). API access is typically gained using an API key, but
providers may also support other options, such as the use of X.509 certificates. Finally, access to
the VMs may be accomplished either through console access or remote access (such as via Secure
Shell [SSH] or secure terminal services); this typically uses the authentication scheme of the guest
OS.

Providers might or might not log accesses to their customer portal and API; even if they do log
accesses, these logs might not be available to the customer. They usually do not log accesses to
VMs, although the customer might be able to do so; most guest OSs will do so by default.

One special case of access management is the control mechanism used for initial access to a newly
provisioned VM. Some providers are able to preprovision a secure form of access, such as installing
SSH keys when a VM is provisioned. Others generate an administrative password and make it
available to the user in some way, such as via their portal, or, less securely, out of band using
cleartext via e-mail or SMS.

Staffing
IaaS providers may subject their operations personnel to background investigations. Some IaaS
providers can also support more specialized needs, such as ensuring that operations are performed
only by personnel who hold security clearances. In most cases, different personnel are responsible
for managing the physical infrastructure (such as replacing failed equipment) and the logical
infrastructure (such as maintaining the underlying virtualization platform).

Providers generally subscribe to the principle of least privilege. They typically log all infrastructure
accesses by their personnel. For self-managed IaaS, the provider's staff generally does not have
access to customer VMs. If this is a managed service, however, the provider's staff generally has
access and responsibility for the VMs; in this case, the provider might or might not create auditable
records of staff access and activities.



Many IaaS providers keep a security staff that is trained in forensic security and dealing with law
enforcement. Many providers also maintain active ties with the security operations staff at other
service providers, particularly network service providers, cooperating to deal with threats such as
DDoS attacks.

You Are Responsible


Ultimately, you are responsible for the security of the workloads and data placed into IaaS. More
than with any other layer of cloud-based computing services, organizations have flexibility of
security controls with IaaS offerings, as the security and compliance of data and workloads is a
combination of the service provider's capabilities and the security controls placed within the
workloads themselves, such as a local firewall and host-based IPS.

Using input from the CSA, CAMM and other emerging cloud security standards, ensure your
organization has defined its own evaluation criteria for evaluating the security of cloud-based
services including: WAN and LAN communications; physical data center; physical network and
hosts; virtualization platform; storage and guest VMs. Make sure that any cloud-based provider that
you consider is transparent in its security processes and controls.

While the provider may have third-party audits and claim certifications, these must be investigated
further. You must evaluate the provider's claims against your specific security and compliance
needs.

Because the customer is responsible for the contents of its workloads, the responsibility for
resilience of the IaaS service is shared between the provider and the customer. The IaaS provider is
responsible for resiliency in the data center and the hardware; availability options for the computing
infrastructure are discussed in "Cloud IaaS: How Compute Resources Are Delivered." However, the
customer is responsible for architecting resiliency into its application, and into its networking
choices.

Not all workloads and data will be suitable for cloud IaaS deployment. Some are best kept on
premises. However, given the availability of private cloud IaaS, as well as of providers that focus on
meeting demanding security and compliance requirements, cloud IaaS can potentially meet a wide
range of needs.

Recommended Reading
"Cloud IaaS: Networking Options"

"Cloud IaaS: Service-Level Agreements"

"Cloud IaaS: Service and Support Models"


