nobeastsofierce - Fotolia

What tactics can organizations adopt to drive cloud security practices?

In this Ask the Expert, Gartner's Marco Meinardi explains business factors driving cloud security practices and explains the role of the CIA triad in enterprise cloud security.

As more organizations embrace cloud computing, cloud security practices have become more critical than ever. But before moving applications to the public cloud, organizations should assess applications to determine potential risk factors and incorporate the principles of the CIA triad -- confidentiality, integrity and availability -- to help ensure the effective and secure use of public cloud services. That's according to Marco Meinardi, research director at Gartner.

At Gartner Catalyst Conference 2018, Meinardi discussed cloud security practices and the role CIOs play when it comes to using cloud more securely. In this Ask the Expert, he discussed the security of cloud storage and why CIOs should make sure their security teams are trained on cloud capabilities. He also shed light on how cloud providers are working to build trust with cloud consumers.

Editor's note: The following transcript has been edited for clarity and length.

Is the cloud more secure than on-premises environments? What role do CIOs play when it comes to implementing cloud security practices?

Marco Meinardi: It is commonly said that clouds are more secure than [an] on-premises environment, and this is absolutely true, [especially] when you look at the ability of cloud providers to secure their environment. It is also true, however, that the centralization of data around a single entity like Amazon will also attract and centralize all the threats. So, you have two sides of the same coin.

Clouds are secure if you use them securely. ... You as an organization are responsible to use them securely.
Marco Meinardiresearch director at Gartner

However, it also has to be said that cloud providers have put in an incredible effort to build trust with formal certifications like PCI DSS [Payment Card Industry Data Security Standard] and providing reports like the SOC 1, 2 and 3 to build the trust of their clients, as well as [providing] a management tool set that helps the client to achieve their own security on the part of the cloud workloads that they control.

A lot of education has been going on in the recent years that [has] built the confidence of a lot of security departments that clouds actually can be used securely, because clouds are secure if you use them securely. Clouds are not secure, per se. You, as an organization, are responsible to use them securely and to encrypt data when there is a high degree of confidentiality.

[CIOs] should make sure that their security department is fully trained on the capabilities of the cloud. Not knowing what clouds can do, how they can be used or what management tools they have for securing workloads is wrong, because, eventually, the security department will have doubts around security that derives from not knowing what the cloud is capable of. 

It is important that whatever application goes into a public cloud environment [is] fully assessed against risks [by incorporating] the CIA triad of confidentiality, integrity and availability. It has to be compiled for every application.

[Before moving applications to the cloud,] organizations must accomplish a risk mitigation exercise to make sure, 'OK, is the public cloud able to meet the degree of confidentiality that I need? Is the cloud capable of meeting the degree of availability and integrity that my data requires?' If the answer is yes, the workload can be moved to the public cloud, but it needs to be carefully managed to meet those targets. If the answer is no, the workload can stay on premises for some more time until the cloud would be able to meet the degree of control that is required.

Read what Booz Allen Hamilton's Anil Markose has to say about cloud security practices.

Dig Deeper on IT applications, infrastructure and operations

Cloud Computing
Mobile Computing
Data Center
and ESG