Security issues are still a major restraint in the deployment of cloud computing resources in the enterprise, and a Gartner analyst says the biggest problem is not that data could be corrupted in the cloud, but that cloud outages could occur, leading to data loss.
Gartner cloud security analyst Jay Heiser says there is a view that the biggest risk of using cloud computing is that key data may be compromised, but such a scenario is rarely seen. In 2011, Sony suffered data leaks involving tens of millions of customers in its cloud, and there have been a handful of other leaks of personally identifiable information from the cloud.
Heiser says cloud outages and data loss are now more common, and companies are poorly prepared for them.
Let us recall the major disruptions of the past few years. Amazon Web Services, the market's leading cloud service provider, has experienced three major disruptions in the past two years. After the April 2011 disruption of its Elastic Compute Cloud (EC2), a certain amount of data was lost. Evernote lost the data of 6,000 customers in 2010, while Carbonite lost some of its customers' backup data in 2009.
Heiser points out that many of these outages are caused by errors in system upgrades. Amazon, for example, says its recent outages were caused by hardware installed in the heart of its data center.
Amazon's disruption led to the closure of Reddit, Imgur and other popular websites, and Amazon's aftermath after the accident.
"These problems appear again and again, so they are likely to reappear," Heiser said at an online seminar organised by Gartner this week. Although this is one of the most significant concerns of cloud users, Gartner's recent survey found that only half of the companies have deployed programs to assess the duration of business continuity processes. He added that the issue of security leaks should not be overlooked, but that the more pressing issue is business continuity.
Heiser says the cloud computing industry is slowly tackling these problems, but the vendors, users and third-party agencies that are trying to drive cloud security improvements should do more.
In service level agreements (SLAs), vendors have been reluctant to address security or recoverability from data loss. "People are complaining that cloud service providers have been vague about how they protect their customers," says Heiser. "Some suppliers say they will not publish this information because there may be some security risks." Vendors have repeatedly claimed to be able to provide high levels of data availability and confidentiality, but Heiser said they did not provide evidence that would allow customers to verify those claims.
In this regard, users should be more proactive. The first thing a user needs to do is classify data and mark the data that really needs to be protected. Incomplete or non-existent data classification is a common problem. "If users do not know the security requirements for specific data that are different from other data, it will be difficult to assess whether the vendor can provide sufficient security," Heiser said.
Third-party organizations are working to establish standards and certification in these areas, but Heiser says this is still lacking. For example, the Cloud Security Alliance has taken a wide range of measures to address a variety of issues, but these measures are not deep enough to address the fundamental problems of specific areas.
FedRAMP is a common security standard program set out by the U.S. federal government for each cloud computing service provider it uses, but it is still in its early stages and will not be available until 2014. "We are beginning to understand what we need, but we need to do more: standard control, assessment practices and global consensus," Heiser said. "Companies are in the best position and they are most able to put pressure on suppliers to be as transparent as possible on these issues."
So what should enterprise cloud users do? "Choose your cloud control 'campaign'," says Heiser. "The macro trend is that more and more data will appear in more and more end-user devices, making it more difficult to control data and create more vulnerabilities." By classifying data, companies can prioritize data that requires high security protection. For most businesses, the most important data will be less than 20% of total data, or even 5% or less. For this data, the enterprise should be "desperate to protect", using encryption, tokenization, or data loss prevention systems, or keeping the data within the enterprise rather than in the public cloud. Companies should also deploy antivirus software, anti-malware, and other security controls to ensure that other data is not vulnerable to attack. As things stand, the reality, in Heiser's words, is that most of the data will need to protect itself.