Cloud IaaS: Security Considerations


Published: 7 March 2011
Analyst(s): Lydia Leong, Neil MacDonald

Ensuring adherence to your organization's security and compliance requirements is one of the most significant challenges to overcome when sourcing a cloud infrastructure-as-a-service (IaaS) solution. The security capabilities of service providers vary greatly. IT managers must understand the reality of what's available in the cloud. Diligence is required in the procurement process, along with independent confirmation of service provider claims.

Key Findings

- Cloud IaaS can be sufficiently secure for enterprise needs, but different IaaS offerings have very different levels of security.
- A Statement on Auditing Standards No. 70: Service Organizations (SAS 70) audit is not proof of security or regulatory compliance. Security certifications may still be useful but do not, by themselves, constitute proof of adequate security.
- Emerging industry efforts to define cloud compliance and maturity standards, such as the Cloud Security Alliance (CSA) and the Common Assurance Maturity Model (CAMM), hold promise and should be used as input to define the enterprise's own standards.

Recommendations

- Determine your actual security requirements; don't overestimate your needs, particularly compared with your own internal data center.
- Develop guidelines for evaluating the security of IaaS and other cloud-based services.
- When evaluating cloud offerings, discuss operational and security requirements early on, just as you would if the service were being developed internally.
- Examine the details of a provider's IaaS implementation to assess the quality of its security.
- Consider using cloud computing only when the vendor is sufficiently transparent to ensure it meets your business's needs for security and compliance.
- Perform a risk assessment to understand the proper trade-off between security and cost.

Table of Contents

- Analysis
- Security and Compliance
- Don't Rely Solely on Audits
- Security Architecture and Services
- Identity and Access Management
- Staffing
- You Are Responsible
- Recommended Reading

List of Figures

- Figure 1. Key Concerns When Implementing Cloud Computing

Analysis

As described in "Evaluating Cloud Infrastructure as a Service," all cloud IaaS offerings are not created equal, despite superficial similarities in the way the offerings are described. There is considerable variance in service provider design goals, the quality of the technical implementations, and the cost-effectiveness and the value for money of those implementations.

This is part of a series of reports detailing the differences in the technical architectures and business models of IaaS offerings. This document is focused on security and compliance considerations.

Security and Compliance

Gartner's surveys and polls consistently show that security, privacy and compliance are the greatest concerns of organizations considering cloud computing solutions. These include IaaS solutions, whether the organization is implementing IaaS within its own data center, outsourcing private IaaS or using public IaaS. (See "Survey Analysis: Global Adoption of Cloud Computing, a View From Above" for more details on Figure 1, which shows the percentage of respondents who ranked each concern in their top three.)

Page 2 of 8 Gartner, Inc. G

Figure 1. Key Concerns When Implementing Cloud Computing

[Bar chart not reproduced. Concerns shown: Security of service; Data location, privacy or access concerns; Cost uncertainty or variability; Inadequate service levels (e.g., availability, performance or reliability); Increased business risk; Perceived loss of control or choice of technology; Lack of industry standards for cloud computing; Lack of awareness of, or confidence in, model; Dealing with compliance or regulatory controls; Lack of suppliers with satisfactory credentials or reputation; Inadequate contract terms or termination arrangements; Other. Series: Existing, Planned. Axis: Percentage of Respondents.]

Source: Gartner (March 2011)

There are no easy generalizations when it comes to the security measures implemented by IaaS providers; every service provider has different administrative, physical and logical security controls. For more general guidance on security and compliance in the cloud, consult "What You Need to Know About Cloud Computing Security and Compliance."

Don't Rely Solely on Audits

Some IaaS providers use SAS 70 Type II audits as "proof" of their security. Unfortunately, SAS 70 does not review a provider's security controls for usefulness; it merely verifies that a provider carries out documented procedures, without any judgment as to whether its controls are good ones. The results of such an examination are unlikely to provide adequate information, as it is a process-only review that is explicitly not intended to be a technical review. (See "SAS 70 is Not Proof of Security, Continuity or Privacy Compliance.")

Security certifications may be more useful, but be cautious. For instance, International Organization for Standardization (ISO) 27001, which is a security certification standard, is often used to evaluate efficacy against ISO 27002's defined security control framework, but it is possible to obtain an ISO 27001 certification without using ISO 27002. Ensure both are used in the certification process.

Certifications are by no means a comprehensive evaluation of a provider's security posture, nor is a lack of certifications an indication that a provider does not have excellent security controls. Because audits and certifications are expensive and time consuming, providers often elect not to pursue them, or use them only in a very limited way. Most service providers that claim SAS 70, for instance, extend their audit only to their physical data centers, not to the actual infrastructure service.

While you may be interested in a provider's SAS 70 and other third-party audits and security certifications, do not use these as a substitute for doing your own security evaluation. (See "What You Need to Know About Cloud Computing Security and Compliance.")

Similarly, while the provider may claim that it can comply with various requirements (for example, the Sarbanes-Oxley Act [SOX], Federal Information Security Management Act [FISMA], Health Insurance Portability and Accountability Act [HIPAA] and Payment Card Industry Data Security Standard [PCI DSS]), the burden is on you to ensure that it does. In many cases, it might be able to meet part of a standard, in certain circumstances, but those circumstances might not apply to you; in particular, many IaaS providers meet PCI standards for customers that do not store cardholder data, but cannot meet the standards for customers that directly process credit cards.
Also, be aware that your auditor does not have to accept the cloud provider's audit. For instance, several cloud IaaS providers have obtained PCI certifications where the audit specifically excludes certain clauses of PCI DSS, most importantly, the clause that does not permit multitenancy of servers. Your auditor may or may not agree that the strength of separation provided for workloads meets the PCI requirements.

Your organization should set mandatory security requirements during the procurement process for any cloud-based service. Standards for assessing cloud provider security capabilities are emerging from organizations such as the CSA, the CAMM and the U.S. Federal Risk and Authorization Management Program (FedRAMP). These standards should be used as the foundation for your own organization's cloud security requirements.

Security Architecture and Services

Most IaaS providers have rigorous administrative and physical security controls for their data centers. Such data centers are typically anonymous, hardened structures, with security guards, security cameras, and layered access with multiple authentication mechanisms (including biometrics) and access logging.

IaaS providers usually offer network security with defense in depth. The service provider may have automatic mitigation of threats such as distributed denial-of-service (DDoS) attacks, and may also automatically halt activity against its infrastructure that it deems malicious, such as automatic blocking of port scanning attempts, whether originating externally or internally.

Most IaaS offerings come with a basic firewall service included, allowing the customer to filter specific ports and Internet Protocol (IP) address ranges, with the default configuration offering minimal access. Preferably, the default configuration should use a default deny approach, where the customer must explicitly define access to be granted. More complex intrusion detection system (IDS) and intrusion prevention system (IPS) functionality may also be offered; this may be included and mandatory for all customers, or an optional service for an extra fee.

Customers can always install additional software-based appliances, typically in the form of a virtual machine (VM), for additional security controls. Some providers may also allow the deployment of security-related hardware in front of the customer's IaaS environment, even if that environment is shared.

Most IaaS providers take measures to provide some virtual network isolation to customers, through offering individual virtual LANs (VLANs), virtual routers and virtual switches to each customer. Providers also usually take steps to secure their network traffic, with protection from network sniffing, spoofing and local denial-of-service attacks.

As most IaaS offerings are built on virtualized infrastructure, providers may also provide some security from within the virtualization layer itself for stronger separation of VMs on the same physical host. For instance, providers with VMware-based infrastructures may support the vShield line of firewalls, as well as the VMsafe API, which allows security products to take advantage of the hypervisor's view of the VMs in order to detect and protect against threats; for example, this allows antivirus scanning to be performed without requiring agents in each VM.
(See "VMware Pushes Further Into the Security Market With Its vShield Offerings" for details.)

IaaS providers also take measures to provide security in their storage offerings, and may offer options such as data encryption. Storage security is detailed as part of "Cloud IaaS: Adding Storage to Compute."

IaaS providers may offer antivirus services as part of their core offering; indeed, some IaaS providers mandate antivirus for all customers. They may also offer host-based IDS and IPS, configuration auditing (usually based on software such as Tripwire), and a Web application firewall. These services may be included with the base compute service, or may be extra-fee options. Note that most IaaS contracts explicitly prohibit the use of network-based vulnerability scanning tools, so host-based approaches may be the only ones viable for configuration auditing.

Many IaaS providers offer other security services as well, including managed and professional services. The most common additional service is security information and event management (SIEM), or more basic log monitoring and management. This is most frequently implemented using an appliance from a vendor such as LogLogic, or via a third-party partner service such as Alert Logic. (See "Security Monitoring and Assessment for Cloud Environments" for more.)

Some IaaS providers are able to generate compliance reports as part of their service, consolidating provisioning reports, scanning reports, logs and the like into a single set of documents readily accessed via their customer portal. As a future market differentiator, we expect that this information will be able to be integrated into and accessible from an enterprise's own security information and risk management consoles.

Identity and Access Management

There are two areas of concern with identity and access management (IAM): access by the IaaS provider's own staff (discussed in the "Staffing" section) and access by its customers.

IAM is a foundational component of an IaaS offering. Historically, IaaS providers have kept their own identity databases, and authenticated against those databases. However, customers are increasingly demanding integration with other sources of identity data, such as Microsoft Active Directory, or support for identity federation standards such as OpenID and Security Assertion Markup Language (SAML), and providers are responding accordingly.

IaaS providers normally have to secure three forms of customer access to their infrastructure: interactive access to the customer portal, API access and access to the VMs themselves. Many providers now offer an option for multifactor authentication for interactive access, which typically uses a device such as RSA's SecurID. Most providers encrypt browser access to the customer portal via Secure Sockets Layer (SSL). API access is typically gained using an API key, but providers may also support other options, such as the use of X.509 certificates. Finally, access to the VMs may be accomplished either through console access or remote access (such as via Secure Shell [SSH] or secure terminal services); this typically uses the authentication scheme of the guest OS.

Providers might or might not log accesses to their customer portal and API; even if they do log accesses, these logs might not be available to the customer. They usually do not log accesses to VMs, although the customer might be able to do so; most guest OSs will do so by default.

One special case of access management is the control mechanism used for initial access to a newly provisioned VM.
Some providers are able to preprovision a secure form of access, such as installing SSH keys when a VM is provisioned. Others generate an administrative password and make it available to the user in some way, such as via their portal, or, less securely, out of band using cleartext via e-mail or SMS.

Staffing

IaaS providers may subject their operations personnel to background investigations. Some IaaS providers can also support more specialized needs, such as ensuring that operations are performed only by personnel who hold security clearances.

In most cases, different personnel are responsible for managing the physical infrastructure (such as replacing failed equipment) and the logical infrastructure (such as maintaining the underlying virtualization platform). Providers generally subscribe to the principle of least privilege. They typically log all infrastructure accesses by their personnel.

For self-managed IaaS, the provider's staff generally does not have access to customer VMs. If this is a managed service, however, the provider's staff generally has access and responsibility for the VMs; in this case, the provider might or might not create auditable records of staff access and activities.

Many IaaS providers keep a security staff that is trained in forensic security and dealing with law enforcement. Many providers also maintain active ties with the security operations staff at other service providers, particularly network service providers, cooperating to deal with threats such as DDoS attacks.

You Are Responsible

Ultimately, you are responsible for the security of the workloads and data placed into IaaS. More than with any other layer of cloud-based computing services, organizations have flexibility of security controls with IaaS offerings, as the security and compliance of data and workloads is a combination of the service provider's capabilities and the security controls placed within the workloads themselves, such as a local firewall and host-based IPS.

Using input from the CSA, CAMM and other emerging cloud security standards, ensure your organization has defined its own evaluation criteria for evaluating the security of cloud-based services, including: WAN and LAN communications; physical data center; physical network and hosts; virtualization platform; storage and guest VMs.

Make sure that any cloud-based provider that you consider is transparent in its security processes and controls. While the provider may have third-party audits and claim certifications, these must be investigated further. You must evaluate the provider's claims against your specific security and compliance needs.

Because the customer is responsible for the contents of its workloads, the responsibility for resilience of the IaaS service is shared between the provider and the customer. The IaaS provider is responsible for resiliency in the data center and the hardware; availability options for the computing infrastructure are discussed in "Cloud IaaS: How Compute Resources Are Delivered." However, the customer is responsible for architecting resiliency into its application, and into its networking choices.
Not all workloads and data will be suitable for cloud IaaS deployment. Some are best kept on premises. However, given the availability of private cloud IaaS, as well as of providers that focus on meeting demanding security and compliance requirements, cloud IaaS can potentially meet a wide range of needs.

Recommended Reading

- "Cloud IaaS: Networking Options"
- "Cloud IaaS: Service-Level Agreements"
- "Cloud IaaS: Service and Support Models"

Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see Guiding Principles on Independence and Objectivity on its website, ombudsman/omb_guide2.jsp.

Cloud IaaS: Service-Level Agreements

Cloud IaaS: Service-Level Agreements G00210096 Cloud IaaS: Service-Level Agreements Published: 7 March 2011 Analyst(s): Lydia Leong Cloud infrastructure-as-a-service (IaaS) providers typically offer SLAs that cover the various elements of

More information

Understanding Vulnerability Management Life Cycle Functions

Understanding Vulnerability Management Life Cycle Functions Research Publication Date: 24 January 2011 ID Number: G00210104 Understanding Vulnerability Management Life Cycle Functions Mark Nicolett We provide guidance on the elements of an effective vulnerability

More information

Key Issues for Identity and Access Management, 2008

Key Issues for Identity and Access Management, 2008 Research Publication Date: 7 April 2008 ID Number: G00157012 for Identity and Access Management, 2008 Ant Allan, Earl Perkins, Perry Carpenter, Ray Wagner Gartner identity and access management research

More information

Organizations Should Implement Web Application Security Scanning

Organizations Should Implement Web Application Security Scanning Research Publication Date: 21 September 2005 ID Number: G00130869 Organizations Should Implement Web Application Security Scanning Amrit T. Williams, Neil MacDonald Web applications are prone to vulnerabilities

More information

Managing IT Risks During Cost-Cutting Periods

Managing IT Risks During Cost-Cutting Periods Research Publication Date: 22 October 2008 ID Number: G00162359 Managing IT Risks During Cost-Cutting Periods Mark Nicolett, Paul E. Proctor, French Caldwell To provide visibility into increased risks

More information

Research. Key Issues for Software as a Service, 2009

Research. Key Issues for Software as a Service, 2009 Research Publication Date: 6 February 2009 ID Number: G00164873 Key Issues for Software as a Service, 2009 Robert P. Desisto, Ben Pring As organizations' capital budgets dry up, clients evaluating SaaS

More information

Cloud E-Mail Decision-Making Criteria for Educational Organizations

Cloud E-Mail Decision-Making Criteria for Educational Organizations Research Publication Date: 10 June 2011 ID Number: G00213675 Cloud E-Mail Decision-Making Criteria for Educational Organizations Matthew W. Cain Educational organizations sometimes struggle to choose between

More information

Clients That Don't Segment Their Network Infrastructure Will Have Higher Costs and Increased Vendor Lock-in

Clients That Don't Segment Their Network Infrastructure Will Have Higher Costs and Increased Vendor Lock-in Research Publication Date: 15 March 2011 ID Number: G00210952 Clients That Don't Segment Their Network Infrastructure Will Have Higher Costs and Increased Vendor Lock-in Tim Zimmerman Enterprises must

More information

The Value of Integrating Configuration Management Databases With Enterprise Architecture Tools

The Value of Integrating Configuration Management Databases With Enterprise Architecture Tools Research Publication Date: 13 January 2011 ID Number: G00210132 The Value of Integrating Configuration Management Databases With Enterprise Architecture Tools Ronni J. Colville, Patricia Adams As configuration

More information

Now Is the Time for Security at the Application Level

Now Is the Time for Security at the Application Level Research Publication Date: 1 December 2005 ID Number: G00127407 Now Is the Time for Security at the Application Level Theresa Lanowitz Applications must be available, useful, reliable, scalable and, now

More information

When to Use Custom, Proprietary, Open-Source or Community Source Software in the Cloud

When to Use Custom, Proprietary, Open-Source or Community Source Software in the Cloud Industry Research Publication Date: 3 May 2010 ID Number: G00175030 When to Use Custom, Proprietary, Open-Source or Community Source Software in the Cloud Massimiliano Claps, Andrea Di Maio Cloud computing

More information

CDOs Should Use IT Governance and Risk Compliance Management to Advance Compliance

CDOs Should Use IT Governance and Risk Compliance Management to Advance Compliance Industry Research Publication Date: 1 May 2008 ID Number: G00156708 CDOs Should Use IT Governance and Risk Compliance Management to Advance Compliance Barry Runyon Care delivery organizations (CDOs) are

More information

From Secure Virtualization to Secure Private Clouds

From Secure Virtualization to Secure Private Clouds Research Publication Date: 13 October 2010 ID Number: G00208057 From Secure Virtualization to Secure Private Clouds Neil MacDonald, Thomas J. Bittman As enterprises move beyond virtualizing their data

More information

Organizations Must Employ Effective Data Security Strategies

Organizations Must Employ Effective Data Security Strategies Research Publication Date: 30 August 2005 ID Number: G00123639 Organizations Must Employ Effective Data Security Strategies Rich Mogull Organizations can best protect data through a hierarchical data security

More information

Addressing the Most Common Security Risks in Data Center Virtualization Projects

Addressing the Most Common Security Risks in Data Center Virtualization Projects Research Publication Date: 25 January 2010 ID Number: G00173434 Addressing the Most Common Security Risks in Data Center Virtualization Projects Neil MacDonald In 2007, we addressed the security considerations

More information

Modify Your Storage Backup Plan to Improve Data Management and Reduce Cost

Modify Your Storage Backup Plan to Improve Data Management and Reduce Cost G00238815 Modify Your Storage Backup Plan to Improve Data Management and Reduce Cost Published: 4 October 2012 Analyst(s): Dave Russell IT leaders and storage managers must rethink their backup procedures

More information

For cloud services to deliver their promised value, they must be underpinned by effective and efficient processes.

For cloud services to deliver their promised value, they must be underpinned by effective and efficient processes. Research Publication Date: 15 October 2010 ID Number: G00208009 ITIL 'in the Cloud' George Spafford, Ed Holub The cloud-computing delivery model is generating a lot of interest from organizations wishing

More information

Cost Optimization: Three Steps to Saving Money on Maintenance and Support for Network Security Products

Cost Optimization: Three Steps to Saving Money on Maintenance and Support for Network Security Products Research Publication Date: 10 December 2008 ID Number: G00163195 Cost Optimization: Three Steps to Saving Money on Maintenance and Support for Network Security Products Lawrence Orans, Greg Young Most

More information

Responsible Vulnerability Disclosure: Guidance for Researchers, Vendors and End Users

Responsible Vulnerability Disclosure: Guidance for Researchers, Vendors and End Users Research Publication Date: 17 October 2006 ID Number: G00144061 Responsible Vulnerability Disclosure: Guidance for Researchers, Vendors and End Users Amrit T. Williams, John Pescatore, Paul E. Proctor

More information

Best Practices for Confirming Software Inventories in Software Asset Management

Best Practices for Confirming Software Inventories in Software Asset Management Research Publication Date: 24 August 2009 ID Number: G00167067 Best Practices for Confirming Software Inventories in Software Asset Management Peter Wesche, Jane B. Disbrow This research discusses the

More information

Emerging PC Life Cycle Configuration Management Vendors

Emerging PC Life Cycle Configuration Management Vendors Research Publication Date: 20 January 2011 ID Number: G00209766 Emerging PC Life Cycle Configuration Management Vendors Terrence Cosgrove Although the PC configuration life cycle management (PCCLM) market

More information

Q&A: The Many Aspects of Private Cloud Computing

Q&A: The Many Aspects of Private Cloud Computing Research Publication Date: 22 October 2009 ID Number: G00171807 Q&A: The Many Aspects of Private Cloud Computing Thomas J. Bittman Cloud computing is at the Peak of Inflated Expectations on the Gartner

More information

Backup and Disaster Recovery Modernization Is No Longer a Luxury, but a Business Necessity

Backup and Disaster Recovery Modernization Is No Longer a Luxury, but a Business Necessity Research Publication Date: 11 August 2011 ID Number: G00215300 Backup and Disaster Recovery Modernization Is No Longer a Luxury, but a Business Necessity John P Morency, Donna Scott, Dave Russell For the

More information

Solution Path: Threats and Vulnerabilities

Solution Path: Threats and Vulnerabilities Solution Path: Threats and Vulnerabilities Published: 24 January 2012 Burton IT1 Research G00226331 Analyst(s): Dan Blum This solution path helps Gartner clients develop a strategy and program for managing

More information

Establishing a Strategy for Database Security Is No Longer Optional

Establishing a Strategy for Database Security Is No Longer Optional Establishing a Strategy for Database Security Is No Longer Optional Published: 29 November 2011 G00226793 Analyst(s): Jeffrey Wheatman The options for securing increasingly valuable databases are very

More information

Security and Identity Management Auditing Converge

Security and Identity Management Auditing Converge Research Publication Date: 12 July 2005 ID Number: G00129279 Security and Identity Management Auditing Converge Earl L. Perkins, Mark Nicolett, Ant Allan, Jay Heiser, Neil MacDonald, Amrit T. Williams,

More information

IAM can utilize SIEM event data to drive user and role life cycle management and automate remediation of exception conditions.

IAM can utilize SIEM event data to drive user and role life cycle management and automate remediation of exception conditions. Research Publication Date: 1 September 2009 ID Number: G00161012 SIEM and IAM Technology Integration Mark Nicolett, Earl Perkins Integration of identity and access management (IAM) and security information

More information

Case Study: A K-12 Portal Project at the Miami-Dade County Public Schools

Case Study: A K-12 Portal Project at the Miami-Dade County Public Schools Industry Research Publication Date: 31 December 2007 ID Number: G00154138 Case Study: A K-12 Portal Project at the Miami-Dade County Public Schools Bill Rust The Miami-Dade County Public Schools a school

More information

NGFWs will be most effective when working in conjunction with other layers of security controls.

NGFWs will be most effective when working in conjunction with other layers of security controls. Research Publication Date: 12 October 2009 ID Number: G00171540 Defining the Next-Generation Firewall John Pescatore, Greg Young Firewalls need to evolve to be more proactive in blocking new threats, such

More information

Eight Critical Forces Shape Enterprise Data Center Strategies

Eight Critical Forces Shape Enterprise Data Center Strategies Research Publication Date: 8 February 2007 ID Number: G00144650 Eight Critical Forces Shape Enterprise Data Center Strategies Rakesh Kumar Through 2017, infrastructure and operations managers, architects

More information

X.509 Certificate Management: Avoiding Downtime and Brand Damage

X.509 Certificate Management: Avoiding Downtime and Brand Damage G00226426 X.509 Certificate Management: Avoiding Downtime and Brand Damage Published: 4 November 2011 Analyst(s): Eric Ouellet, Vic Wheatman Organizations are often not aware of the scope or the validity

More information

Private Cloud Computing: An Essential Overview

Private Cloud Computing: An Essential Overview Research Publication Date: 23 November 2010 ID Number: G00209000 Private Cloud Computing: An Essential Overview Thomas J. Bittman Private cloud computing requires strong leadership and a strategic plan

More information

2010 FEI Technology Study: CPM and BI Show Improvement From 2009

2010 FEI Technology Study: CPM and BI Show Improvement From 2009 Research Publication Date: 22 March 2010 ID Number: G00175233 2010 FEI Technology Study: CPM and BI Show Improvement From 2009 John E. Van Decker Many organizations recognize that current financial management

More information

Vendor Focus for IBM Global Services: Consulting Services for Cloud Computing

Vendor Focus for IBM Global Services: Consulting Services for Cloud Computing Research Publication Date: 22 February 2010 ID Number: G00174046 Vendor Focus for IBM Global Services: Consulting Services for Cloud Computing Susan Tan Amid the hype and buzz of cloud computing are very

More information

Microsoft's Cloud Vision Reaches for the Stars but Is Grounded in Reality

Microsoft's Cloud Vision Reaches for the Stars but Is Grounded in Reality Research Publication Date: 4 November 2008 ID Number: G00162793 Microsoft's Cloud Vision Reaches for the Stars but Is Grounded in Reality David Mitchell Smith, Neil MacDonald At Professional Developers

The Six Triggers for Using Data Center Infrastructure Management Tools

The Six Triggers for Using Data Center Infrastructure Management Tools G00230904 The Six Triggers for Using Data Center Infrastructure Management Tools Published: 29 February 2012 Analyst(s): Rakesh Kumar This research outlines the six main triggers for users to start using

Critical Privacy Questions to Ask an HCM/CRM SaaS Provider

Critical Privacy Questions to Ask an HCM/CRM SaaS Provider Research Publication Date: 31 July 2009 ID Number: G00168488 Critical Privacy Questions to Ask an HCM/CRM SaaS Provider Carsten Casper, Thomas Otter, Arabella Hallawell The vast majority (probably greater

Case Study: New South Wales State Department of Education Adopts Gmail for 1.2 Million Students

Case Study: New South Wales State Department of Education Adopts Gmail for 1.2 Million Students Industry Research Publication Date: 26 January 2010 ID Number: G00172722 Case Study: New South Wales State Department of Education Adopts Gmail for 1.2 Million Students Steve Bittinger Australia's New

Toolkit: Reduce Dependence on Desk-Side Support Technicians

Toolkit: Reduce Dependence on Desk-Side Support Technicians Gartner for IT Leaders Publication Date: 23 April 2007 ID Number: G00147075 Toolkit: Reduce Dependence on Desk-Side Support Technicians David M. Coyle, Terrence Cosgrove The IT service desk and PC life

IT asset management (ITAM) will proliferate in midsize and large companies.

IT asset management (ITAM) will proliferate in midsize and large companies. Research Publication Date: 2 October 2008 ID Number: G00161024 Trends on Better IT Asset Management Peter Wesche New exciting trends will lead to a higher adoption of asset management methodologies. Tighter

Data in the Cloud: The Changing Nature of Managing Data Delivery

Data in the Cloud: The Changing Nature of Managing Data Delivery Research Publication Date: 1 March 2011 ID Number: G00210129 Data in the Cloud: The Changing Nature of Managing Data Delivery Eric Thoo Extendible data integration strategies and capabilities will play

Integrated Marketing Management Aligns Executional, Operational and Analytical Processes in a Closed-Loop Process

Integrated Marketing Management Aligns Executional, Operational and Analytical Processes in a Closed-Loop Process Research Publication Date: 26 October 2010 ID Number: G00207031 Integrated Marketing Management Aligns Executional, Operational and Analytical Processes in a Closed-Loop Process Kimberly Collins This research

How to Develop an Effective Vulnerability Management Process

How to Develop an Effective Vulnerability Management Process Research Publication Date: 1 March 2005 ID Number: G00124126 How to Develop an Effective Vulnerability Management Process Mark Nicolett IT organizations should develop vulnerability management processes

Agenda for Supply Chain Strategy and Enablers, 2012

Agenda for Supply Chain Strategy and Enablers, 2012 G00230659 Agenda for Supply Chain Strategy and Enablers, 2012 Published: 23 February 2012 Analyst(s): Michael Dominy, Dana Stiffler When supply chain executives establish the right strategies and enabling

Cloud, SaaS, Hosting and Other Off-Premises Computing Models

Cloud, SaaS, Hosting and Other Off-Premises Computing Models Research Publication Date: 8 July 2008 ID Number: G00159042 Cloud, SaaS, Hosting and Other Off-Premises Computing Models Yefim V. Natis, Nicholas Gall, David W. Cearley, Lydia Leong, Robert P. Desisto,

IT Architecture Is Not Enterprise Architecture

IT Architecture Is Not Enterprise Architecture Research Publication Date: 17 November 2010 ID Number: G00206910 IT Architecture Is Not Enterprise Architecture Bruce Robertson Many enterprise architecture (EA) teams and their stakeholders still use

Choosing a Replacement for Incumbent One-Time Password Tokens

Choosing a Replacement for Incumbent One-Time Password Tokens Research Publication Date: 21 April 2011 ID Number: G00212244 Choosing a Replacement for Incumbent One-Time Password Tokens Ant Allan This research outlines the options for enterprises seeking replacements

Research Agenda and Key Issues for Converged Infrastructure, 2006

Research Agenda and Key Issues for Converged Infrastructure, 2006 Research Publication Date: 20 July 2006 ID Number: G00141507 Research Agenda and Key Issues for Converged Infrastructure, 2006 Sylvain Fabre Gartner's research will cover fixed-mobile convergence, the

What to Consider When Designing Next-Generation Data Centers

What to Consider When Designing Next-Generation Data Centers Research Publication Date: 10 September 2010 ID Number: G00201044 What to Consider When Designing Next-Generation Data Centers David J. Cappuccio Leading-edge data centers are designed for flexibility,

Business Intelligence Platform Usage and Quality Dynamics, 2008

Business Intelligence Platform Usage and Quality Dynamics, 2008 Research Publication Date: 2 July 2008 ID Number: G00159043 Business Intelligence Platform Usage and Quality Dynamics, 2008 James Richardson This report gives results from a survey of attendees at Gartner's

Knowledge Management and Enterprise Information Management Are Both Disciplines for Exploiting Information Assets

Knowledge Management and Enterprise Information Management Are Both Disciplines for Exploiting Information Assets Research Publication Date: 31 July 2009 ID Number: G00169664 Knowledge Management and Enterprise Information Management Are Both Disciplines for Exploiting Information Assets Regina Casonato This research

E-Mail Is a Commodity and Other Fairy Tales

E-Mail Is a Commodity and Other Fairy Tales G00210585 E-Mail Is a Commodity and Other Fairy Tales Published: 9 February 2011 Analyst(s): Matthew W. Cain A deep understanding of the operational, architectural, policy and feature requirements of an

Iron Mountain's acquisition of Mimosa Systems addresses concerns from prospective customers who had questions about Mimosa's long-term viability.

Iron Mountain's acquisition of Mimosa Systems addresses concerns from prospective customers who had questions about Mimosa's long-term viability. Research Publication Date: 22 March 2010 ID Number: G00175194 Iron Mountain Acquires Mimosa Systems Sheila Childs, Kenneth Chin, Adam W. Couture Iron Mountain offers a portfolio of solutions for cloud-based

Governance Is an Essential Building Block for Enterprise Information Management

Governance Is an Essential Building Block for Enterprise Information Management Research Publication Date: 18 May 2006 ID Number: G00139707 Governance Is an Essential Building Block for Enterprise Information Management David Newman, Debra Logan Organizations are seeking new ways

Overcoming the Gap Between Business Intelligence and Decision Support

Overcoming the Gap Between Business Intelligence and Decision Support Research Publication Date: 9 April 2009 ID Number: G00165169 Overcoming the Gap Between Business Intelligence and Decision Support Rita L. Sallam, Kurt Schlegel Although the promise of better decision

NAC Strategies for Supporting BYOD Environments

NAC Strategies for Supporting BYOD Environments G00226204 NAC Strategies for Supporting BYOD Environments Published: 22 December 2011 Analyst(s): Lawrence Orans, John Pescatore Network access control (NAC) will be a key element in a flexible approach

Use Heterogeneous Storage Virtualization as a Bridge to the Cloud

Use Heterogeneous Storage Virtualization as a Bridge to the Cloud G00214958 Use Heterogeneous Storage Virtualization as a Bridge to the Cloud Published: 12 August 2011 Analyst(s): Gene Ruth Data center operators who are interested in private cloud storage technologies

The Current State of Agile Method Adoption

The Current State of Agile Method Adoption Research Publication Date: 12 December 2008 ID Number: G00163591 The Current State of Agile Method Adoption David Norton As the pace of agile adoption increases, development organizations must understand

In the North American E-Signature Market, SaaS Offerings Are Increasingly in Demand

In the North American E-Signature Market, SaaS Offerings Are Increasingly in Demand Research Publication Date: 18 August 2011 ID Number: G00215378 In the North American E-Signature Market, SaaS Offerings Are Increasingly in Demand Gregg Kreizman Enterprises are becoming increasingly comfortable

Deliver Process-Driven Business Intelligence With a Balanced BI Platform

Deliver Process-Driven Business Intelligence With a Balanced BI Platform Research Publication Date: 12 April 2006 ID Number: G00139377 Deliver Process-Driven Business Intelligence With a Balanced BI Platform Kurt Schlegel To enable process-driven business intelligence, IT organizations

The What, Why and When of Cloud Computing

The What, Why and When of Cloud Computing Research Publication Date: 4 June 2009 ID Number: G00168582 The What, Why and When of Cloud Computing David Mitchell Smith, Daryl C. Plummer, David W. Cearley Cloud computing continues to gain visibility.

The IT Service Desk Market Is Ready for SaaS

The IT Service Desk Market Is Ready for SaaS Research Publication Date: 17 April 2009 ID Number: G00166526 The IT Service Desk Market Is Ready for SaaS David M. Coyle The IT service desk market is well-positioned to use the software-as-a-service

Gartner Defines Enterprise Information Architecture

Gartner Defines Enterprise Information Architecture Research Publication Date: 20 February 2008 ID Number: G00154071 Gartner Defines Enterprise Information Architecture David Newman, Nicholas Gall, Anne Lapkin As organizations look for new ways to exploit

The Lack of a CRM Strategy Will Hinder Health Insurer Growth

The Lack of a CRM Strategy Will Hinder Health Insurer Growth Industry Research Publication Date: 15 October 2008 ID Number: G00162107 The Lack of a CRM Strategy Will Hinder Health Insurer Growth Joanne Galimi The Gartner 2008 healthcare payer application survey

Discovering the Value of Unified Communications

Discovering the Value of Unified Communications Research Publication Date: 12 February 2007 ID Number: G00144673 Discovering the Value of Unified Communications Bern Elliot, Steve Cramoysan Unified communications represent a broad range of new solutions

Consider Identity and Access Management as a Process, Not a Technology

Consider Identity and Access Management as a Process, Not a Technology Research Publication Date: 2 September 2005 ID Number: G00129998 Consider Identity and Access Management as a Process, Not a Technology Earl L. Perkins, Ant Allan This Research Note complements earlier Gartner research

Assessing the Security Risks of Cloud Computing

Assessing the Security Risks of Cloud Computing Research Publication Date: 3 June 2008 ID Number: G00157782 Assessing the Security Risks of Cloud Computing Jay Heiser, Mark Nicolett Organizations considering cloud-based services must understand the

Tactical Guideline: Minimizing Risk in E-Mail Hosting Relationships

Tactical Guideline: Minimizing Risk in E-Mail Hosting Relationships Research Publication Date: 26 February 2008 ID Number: G00154838 Tactical Guideline: Minimizing Risk in E-Mail Hosting Relationships Matthew W. Cain This report discusses the often hidden risks in moving

Q&A: How Can ERP Recurring Costs Be Contained?

Q&A: How Can ERP Recurring Costs Be Contained? Research Publication Date: 18 December 2008 ID Number: G00163030 Q&A: How Can ERP Recurring Costs Be Contained? Peter Wesche Driven by increased pressure for cost containment, attendees at the 2008 Financial

Gartner's View on 'Bring Your Own' in Client Computing

Gartner's View on 'Bring Your Own' in Client Computing G00217298 Gartner's View on 'Bring Your Own' in Client Computing Published: 20 October 2011 Analyst(s): Leif-Olof Wallin Here, we bring together recently published research covering the hot topic of supporting

The Five Competencies of MRM 'Re-' Defined

The Five Competencies of MRM 'Re-' Defined Research Publication Date: 14 March 2008 ID Number: G00155835 The Five Competencies of MRM 'Re-' Defined Kimberly Collins This research details the five key competencies of marketing resource management

Five Business Drivers of Identity and Access Management

Five Business Drivers of Identity and Access Management Research Publication Date: 31 October 2003 ID Number: SPA-21-3673 Five Business Drivers of Identity and Access Management Roberta J. Witty The primary reasons to implement IAM solutions are business facilitation,

Key Issues for Data Management and Integration, 2006

Key Issues for Data Management and Integration, 2006 Research Publication Date: 30 March 2006 ID Number: G00138812 Key Issues for Data Management and Integration, 2006 Ted Friedman The effective management and leverage of data represent the greatest opportunity

Five Cloud Computing Trends That Will Affect Your Cloud Strategy Through 2015

Five Cloud Computing Trends That Will Affect Your Cloud Strategy Through 2015 G00230221 Five Cloud Computing Trends That Will Affect Your Cloud Strategy Through 2015 Published: 10 February 2012 Analyst(s): David W. Cearley, David Mitchell Smith In this Impact Assessment, we focus

The Next Generation of Functionality for Marketing Resource Management

The Next Generation of Functionality for Marketing Resource Management G00212759 The Next Generation of Functionality for Marketing Resource Management Published: 11 May 2011 Analyst(s): Kimberly Collins This research defines the next generation of marketing resource management

Make Optimizing Security Protection in Virtualized Environments a Priority

Make Optimizing Security Protection in Virtualized Environments a Priority G00229651 Make Optimizing Security Protection in Virtualized Environments a Priority Published: 15 February 2012 Analyst(s): Neil MacDonald As the virtualization of servers and desktops becomes more common,

Invest in an analysis of current metrics and those missing, and develop a plan for continuous management and improvement.

Invest in an analysis of current metrics and those missing, and develop a plan for continuous management and improvement. Research Publication Date: 29 April 2008 ID Number: G00154802 Key Metrics for IT Service and Support David M. Coyle, Kris Brittain To evaluate IT service and support performance, senior management must

Research. Mastering Master Data Management

Research. Mastering Master Data Management Research Publication Date: 25 January 2006 ID Number: G00136958 Mastering Master Data Management Andrew White, David Newman, Debra Logan, John Radcliffe Despite vendor claims, master data management has

Best Practices for Planning Windows 7 Deployment

Best Practices for Planning Windows 7 Deployment Research Publication Date: 4 March 2010 ID Number: G00174371 Best Practices for Planning Windows 7 Deployment Michael A. Silver Successful migrations to Windows 7 will meet user expectations, are done

BEA Customers Should Seek Contractual Protections Before Acquisition by Oracle

BEA Customers Should Seek Contractual Protections Before Acquisition by Oracle Research Publication Date: 15 February 2008 ID Number: G00155026 BEA Customers Should Seek Contractual Protections Before Acquisition by Oracle Peter Wesche, Jane B. Disbrow Oracle has announced an agreement

Research. Identity and Access Management Defined

Research. Identity and Access Management Defined Research Publication Date: 4 November 2003 ID Number: SPA-21-3430 Identity and Access Management Defined Roberta J. Witty, Ant Allan, John Enck, Ray Wagner An IAM solution requires multiple products from

The Limits of Certification and Guarantees in Buying Electronic Health Records in the U.S.

The Limits of Certification and Guarantees in Buying Electronic Health Records in the U.S. Industry Research Publication Date: 3 February 2010 ID Number: G00174011 The Limits of Certification and Guarantees in Buying Electronic Health Records in the U.S. Wes Rishel It is important not to rely

Case Study: Innovation Squared: The Department for Work and Pensions Turns Innovation Into a Game

Case Study: Innovation Squared: The Department for Work and Pensions Turns Innovation Into a Game Research Publication Date: 23 November 2010 ID Number: G00208615 Case Study: Innovation Squared: The Department for Work and Pensions Turns Innovation Into a Game Brian Burke, Mary Mesaglio The U.K.'s

2009 FEI Technology Study: CPM and BI Pose Challenges and Opportunities

2009 FEI Technology Study: CPM and BI Pose Challenges and Opportunities Research Publication Date: 23 July 2009 ID Number: G00168896 2009 FEI Technology Study: CPM and BI Pose Challenges and Opportunities John E. Van Decker Many organizations recognize that existing financial

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous

The Hype Around an Integrated Talent Management Suite Outpaces Customer Adoption

The Hype Around an Integrated Talent Management Suite Outpaces Customer Adoption Research Publication Date: 3 February 2009 ID Number: G00164356 The Hype Around an Integrated Talent Management Suite Outpaces Customer Adoption James Holincheck Gartner surveyed 123 customer references

IT Operational Considerations for Cloud Computing

IT Operational Considerations for Cloud Computing Research Publication Date: 13 June 2008 ID Number: G00157184 IT Operational Considerations for Cloud Computing Donna Scott Cloud computing market offerings increase the options available to source IT services.

Predicts 2008: The Market for Servers and Operating Systems Continues to Evolve

Predicts 2008: The Market for Servers and Operating Systems Continues to Evolve Research Publication Date: 6 December 2007 ID Number: G00152575 Predicts 2008: The Market for Servers and Operating Systems Continues to Evolve John Enck, Philip Dawson, George J. Weiss, Rakesh Kumar,

Strategic Road Map for Network Access Control

Strategic Road Map for Network Access Control G00219087 Strategic Road Map for Network Access Control Published: 11 October 2011 Analyst(s): Lawrence Orans, John Pescatore Long derided as an overhyped concept, network access control (NAC) has emerged

Data Center Redesign Yields an 80%-Plus Reduction in Energy Usage

Data Center Redesign Yields an 80%-Plus Reduction in Energy Usage Research Publication Date: 10 August 2011 ID Number: G00213049 Data Center Redesign Yields an 80%-Plus Reduction in Energy Usage Jay E. Pultz The National Renewable Energy Laboratory's (NREL's) data center

Embrace Virtual Assistants as Part of a Holistic Web Customer Service Strategy

Embrace Virtual Assistants as Part of a Holistic Web Customer Service Strategy Research Publication Date: 19 August 2010 ID Number: G00205618 Embrace Virtual Assistants as Part of a Holistic Web Customer Service Strategy Johan Jacobs Customers are insisting on multiple methods to

Containers and Modules: Is This the Future of the Data Center?

Containers and Modules: Is This the Future of the Data Center? Research Publication Date: 8 April 2011 ID Number: G00211139 Containers and Modules: Is This the Future of the Data Center? David J. Cappuccio Modular and container-based data centers have emerged as yet

Roundup of Business Intelligence and Information Management Research, 1Q08

Roundup of Business Intelligence and Information Management Research, 1Q08 Gartner for IT Leaders Publication Date: 2 May 2008 ID Number: G00157226 Roundup of Business Intelligence and Information Management Research, 1Q08 Bill Hostmann This document provides a roundup of our

2010 Gartner FEI Technology Study: Planned Shared Services and Outsourcing to Increase

2010 Gartner FEI Technology Study: Planned Shared Services and Outsourcing to Increase Research Publication Date: 20 April 2010 ID Number: G00176029 2010 Gartner FEI Technology Study: Planned Shared Services and Outsourcing to Increase John E. Van Decker, Cathy Tornbohm This Gartner Financial

Additional Tools for a World-Class ERP Infrastructure

Additional Tools for a World-Class ERP Infrastructure G00219770 Additional Tools for a World-Class ERP Infrastructure Published: 28 October 2011 Analyst(s): Pat Phelan, Derek Prior This research provides a guide to the infrastructure elements that are needed

Data Center Consolidation Projects: Benefits and Pitfalls

Data Center Consolidation Projects: Benefits and Pitfalls Research Publication Date: 2 May 2011 ID Number: G00212148 Data Center Consolidation Projects: Benefits and Pitfalls David J. Cappuccio This research outlines the primary success factors in consolidation

Business Intelligence Focus Shifts From Tactical to Strategic

Business Intelligence Focus Shifts From Tactical to Strategic Research Publication Date: 22 May 2006 ID Number: G00139352 Business Intelligence Focus Shifts From Tactical to Strategic Betsy Burton, Lee Geishecker, Kurt Schlegel, Bill Hostmann, Tom Austin, Gareth

Key Issues for Business Intelligence and Performance Management Initiatives, 2008

Key Issues for Business Intelligence and Performance Management Initiatives, 2008 Research Publication Date: 14 March 2008 ID Number: G00156014 Key Issues for Business Intelligence and Performance Management Initiatives, 2008 Kurt Schlegel The Business Intelligence and Performance Management

The EA process and an ITG process should be closely linked, and both efforts should leverage the work and results of the other.

The EA process and an ITG process should be closely linked, and both efforts should leverage the work and results of the other. Research Publication Date: 4 April 2008 ID Number: G00155260 Integrate EA and IT Governance s Betsy Burton, R. Scott Bittler, Cassio Dreyfuss In many organizations, we find that IT governance (ITG) initiatives

How to Choose Providers for Mobile Consumer Application Platforms

How to Choose Providers for Mobile Consumer Application Platforms Michael McGuire Lead Author Michael McGuire, Mike McGuire guides digital marketers on best practices for developing strategies. He specializes
