From Secure Virtualization to Secure Private Clouds
Research
Publication Date: 13 October 2010 ID Number: G

From Secure Virtualization to Secure Private Clouds

Neil MacDonald, Thomas J. Bittman

As enterprises move beyond virtualizing their data centers to build private cloud-computing infrastructures, security must evolve to support this. While the fundamental principles of information security don't change, how enterprises provision and deliver security services must change. This research outlines the foundational capabilities that will be required from enterprise security infrastructure to secure private cloud computing.

Key Findings

- Policies tied to physical attributes, security policy enforcement points embedded within physical appliances, and the usage of air gaps for security will inhibit private cloud adoption.
- Virtualization of security controls is an important step in enabling secure private clouds, but other capabilities are required.
- Context enablement, including application, identity and content awareness, will be critical to supporting secure private cloud computing.
- Securing a private cloud can't be just about technology, or it will fail. Changes to processes and a shift in mind-set will also be required.
- The need for security must not be overlooked or "bolted on" later during the transition to private cloud computing.

Recommendations

- Change your mind-set about information security to think of it as a set of adaptive services that are delivered via programmable infrastructure and controlled by contextual policies based on logical attributes to create adaptive zones of trust, using a separately configurable control plane.
- Pressure incumbent security vendors to deliver their security controls in a virtualized form to more easily address secure private cloud-computing requirements.
- In evaluations, heavily weight the ability to use a consistent way of expressing security policy across physical, virtualized and private cloud-computing environments as compared to using different vendors and solutions to address each separately.
- Maintain separation of duties between security policy enforcement and IT operations in the transition to virtualized data centers and then to private cloud-computing environments.
- Begin the transformation to context-aware and adaptive security infrastructure now as you upgrade and replace legacy static security infrastructure, such as network and application firewalls, intrusion detection systems (IDSs)/intrusion prevention systems (IPSs) and Web security platforms.

TABLE OF CONTENTS

- Strategic Planning Assumptions
- Analysis
  - Private Clouds: Same Security Needs, New Capabilities Required
  - A Set of On-Demand and Elastic Services
  - Programmable Infrastructure
  - Policies That Are Based on Logical, Not Physical, Attributes and Are Capable of Incorporating Runtime Context Into Real-Time Security Decisions
  - Adaptive Trust Zones That Are Capable of High-Assurance Separation of Differing Trust Levels
  - Separately Configurable Security Policy Management and Control
  - "Federatable" Security Policy and Identity
- Recommended Reading

LIST OF FIGURES

- Figure 1. Evolving to Secure Private Clouds

STRATEGIC PLANNING ASSUMPTIONS

By 2015, 40% of the security controls used within enterprise data centers will be virtualized, up from less than 5% in

By 2015, 70% of enterprises will allow server workloads of different trust levels to share the same physical hardware within their own data center, except where explicitly prohibited by a regulatory or auditor compliance concern.

ANALYSIS

Gartner defines "cloud computing" (including both private and public clouds) as a style of computing where scalable and elastic IT-enabled capabilities are delivered as a service to customers using Internet technologies. Often, the term "cloud" is used as a shorthand to talk about the attributes that enterprises believe cloud-based computing architectures will offer. Consumers of cloud-based services want usage-based consumption of the services via standard Internet technologies and self-service interfaces. Providers of cloud-based services want the ability to deliver scalable, shareable, automated and elastic services. We discuss these attributes in "Five Refining Attributes of Public and Private Cloud Computing."

At its core, private cloud computing is built on the same concepts, and clients indicate their desire to bring these same attributes into the enterprise data center. Here, the IT department becomes the cloud service provider to deliver IT as an elastic service to multiple internal customers. While the focus may shift slightly (for example, self-service provisioning for IT customers is more important, chargeback capabilities are typically less so), the desired attributes are the same.

For most organizations, virtualization will provide the foundation and the steppingstone for the evolution to private cloud computing (see "Server Virtualization: One Path That Leads to Cloud Computing"). However, the need for security must not be overlooked or "bolted on" later during the transition to private cloud computing.

Private Clouds: Same Security Needs, New Capabilities Required

Whether securing physical data centers, virtualized data centers or private clouds, the fundamental tenets of information security don't change: ensuring the confidentiality, integrity, authenticity, access, and audit of our information and workloads. These objectives translate into traditional security controls and policy enforcement points (PEPs), for example, firewalling, IPS, IDS, encryption, digital signatures, authentication and authorization. However, there will be significant changes required in how security is delivered.

Whether supporting private cloud computing, public cloud computing, or both, security must become adaptive to support a paradigm where workloads are decoupled from the physical hardware underneath and dynamically allocated to a fabric of computing resources. Policies tied to physical attributes, such as the server, Internet Protocol (IP) address, Media Access Control (MAC) address or where physical host separation is used to provide isolation, break down with private cloud computing.

For many organizations, the virtualization of security controls (see "Addressing the Most Common Security Risks in Data Center Virtualization Projects") will provide the foundation to secure private cloud infrastructures, but alone, it will not be enough to create a secure private cloud. To support secure private cloud computing, security must be an integral, but separately configurable, part of the private cloud fabric, designed as a set of on-demand, elastic and programmable services, configured by policies tied to logical attributes to create adaptive trust zones capable of separating multiple tenants (see Figure 1).

Figure 1. Evolving to Secure Private Clouds
Source: Gartner (October 2010)

Ideally, the security models used to support private clouds would enable multidimensional hybrid environments spanning physical to virtual workloads within the same data center and spanning between on-premises and public cloud-based computing environments. In this research, we outline six necessary attributes of private cloud security infrastructure and describe how security must change to support the construction of secure private clouds.

A Set of On-Demand and Elastic Services

Rather than security being delivered as a set of siloed security product offerings embodied within physical appliances, it needs to be delivered as a set of services available "on demand" to protect workloads and information when and where they are needed. These services need to be integrated into the private cloud provisioning and management processes (not bolted on as an afterthought) and be made available to any type of workload, server or desktop (see Note 1). As workloads are provisioned, moved, modified, cloned and ultimately retired, the appropriate security policy would be associated with the workload throughout its life cycle.

Although it is possible this type of adaptive security protection could be accomplished solely with physical security infrastructure and complex virtual LAN (VLAN) overlays, we believe most enterprises will use a combination of physical and virtualized security controls to extend security policy into private cloud structures. There are a variety of reasons for this, including addressing the loss of visibility of inter-VM traffic within a virtualized data center, as well as the input/output overhead if traffic is routed out to physical hardware for security policy enforcement.

Virtualized security controls can place policy enforcement within the physical host, closer to the workload and information it is protecting when and where it is needed, enabling dynamic data center infrastructures as well as the potential to leverage alternative computing sourcing options. Physical appliances will continue to be used for high-bandwidth applications at the physical boundaries of organizations. Virtualized security controls will be used throughout the private cloud fabric for inter-VM inspection and at logical boundaries to create zones of trust for workloads of different trust levels. Ideally, physical and virtual security controls will intelligently coordinate their inspection to avoid redundant inspection (see "Limited Choices Are Available for Network Firewalls in Virtualized Servers").

By 2015, 40% of the security controls used within enterprise data centers will be virtualized, up from less than 5% in

The transition from security as a set of products to delivering security as a set of services is a significant mind-set shift for information security professionals. Virtualized security controls will help to enable this shift. In contrast to physical security controls, which scale up using larger and larger hardware-based appliances, virtualized security PEPs running within security VMs will support the simultaneous need to scale out with a larger number of security VMs running in parallel closer to the workloads and information they protect, and taking advantage of the high-availability and load-balancing capabilities available to all VMs.

Programmable Infrastructure

The security infrastructure that supplies the security services discussed in the prior section must become "programmable", meaning that the services are exposed for programmatic access (see Note 2). By definition, private and public cloud-computing infrastructure is consumable using Internet-based standards. In the case of programmable security infrastructure, the services are typically exposed using RESTful APIs, which are programming language and framework independent. By exposing security services via APIs, the security policy enforcement point infrastructure becomes programmable from policy administration and policy decision points (such as operational and security management consoles or from other security intelligence systems such as security information and event management systems).

There are multiple benefits to this shift in capability. This enables significantly higher levels of automation than are possible with traditional security infrastructure.
As new workloads are introduced into the private cloud, security infrastructure can be automatically configured via "self-service interfaces" (where the "user" is a provisioning system, not an end user) to protect the new workload based on predefined security policies without requiring manual programming of the security controls. This shift will enable information security professionals to focus their attention on managing policies, not programming infrastructure. Programmable security infrastructure can be modified in real time so that security services can adapt to workloads as they move dynamically within a private cloud or adapt as a workload's behavior changes.

Longer term, as application infrastructure evolves within private clouds, applications will come prepackaged with models of deployment, topology, management and security policies (see "Model-Driven Security: Enabling a Real-Time, Adaptive Security Infrastructure") for policy-driven automation. Policies consumed by management consoles and other security policy administration points will ultimately drive the configuration and programming of the security and management plane, not information technology professionals. By enabling security professionals to focus on policies, this capability has the added benefit of reducing the chance for human error in the programming of the security infrastructure underneath.

Policies That Are Based on Logical, Not Physical, Attributes and Are Capable of Incorporating Runtime Context Into Real-Time Security Decisions

The nature of the security policies that drive the automated configuration of the programmable infrastructure needs to change as well. As we move to virtualized data centers and then to private cloud infrastructure, increasingly, security policies need to be tied to logical, not physical, attributes.
The decoupling and abstraction of the entire IT stack and movement to private and public cloud-computing models mean that workloads and information (even entire data centers with the notion of a virtual data center) will no longer be tied to specific devices, fixed IP or MAC addresses, breaking static security policies based on physical attributes. Security policies need to shift "up the stack" to logical attributes, such as the identity, group or role of the VM being protected; the identity, group or role of the application; the identity, group or role of the users; and the sensitivity of the workload and information being processed.

The shift to identity, application and content awareness is part of a broader shift in information security to become context aware and adaptive (see "The Future of Information Security Is Context Aware and Adaptive"). To enable faster and more-accurate assessments of whether a given action should be allowed or denied, we must incorporate more real-time context information at the time a security decision is made. Context is not limited to identity, application and content awareness. It will expand to include environmental context (such as the time of day and geographic location of the server), trust of the device, integrity of the virtualization platform underneath, reputation of the VM being loaded, behavior the user or VM is exhibiting, and so on. Context should also include virtualization awareness so that, as a workload is live migrated or cloned, the associated security automatically moves with the workload throughout its life cycle, without requiring manual intervention.

There are multiple benefits to decoupling security policies from the workloads and information they protect. Powerful compound security policies can be delivered independent of network topology, avoiding complexity in VLAN configurations and network-cabling infrastructure. Also, by moving up the stack, security policies can be expressed in more business-friendly terms.
For example, identifying which users and groups should access which applications is a straightforward policy to compose and attest to by the business process, information and application owners. Finally, by incorporating runtime context into security decisions, organizations can implement adaptive security policy based on the behavior of the user or of the workload (for example, if a workload is behaving oddly, place a stronger auditing control on it or limit its network access).

Adaptive Trust Zones That Are Capable of High-Assurance Separation of Differing Trust Levels

Instead of administering security policies on a VM-by-VM basis, security policies based on logical attributes as described in the previous section will be used to create zones of trust: logical groups of workloads with similar security requirements and levels of trust (for example, all Payment Card Industry [PCI]-related workloads are assigned a specified level of security policy). As the policies are linked to groups of VMs and not physical infrastructure, the zones adapt throughout the life cycle of the VM as individual VMs move and as new workloads are introduced and assigned to the trust zone.

In today's virtualized data center, workloads of different trust levels are not typically combined onto the same physical server. However, this breaks the fluidity of private cloud-computing models. Increasingly, this capability will be desired for higher levels of efficiency and effectiveness of the resource fabric being shared. Leveraging emerging root of trust measurements for hypervisors and embedded hypervisors (see "Building Blocks for Trusted, Secure Hypervisors"), secure private clouds need to be able to support workloads of different trust levels on the same physical hardware, without requiring the use of separate physical servers.

By 2015, 70% of enterprises will allow server workloads of different trust levels to share the same physical hardware within their own data center, except where explicitly prohibited by a regulatory or auditor compliance concern.

Adaptive trust zones will become the basis for trust, audit and compliance policies. Security policies will vary between trust zones, and security controls will be placed at the logical perimeters between key trust boundaries. For example, a trust zone of PCI-related workloads may require encryption of all data between virtual machines within the trust zone. It may also be restricted to access from only users associated with the PCI group; it may have all inter-VM traffic monitored with an intrusion detection system; and it may be separated from all other trust zones with stateful firewall inspection, as required by PCI. In contrast, a trust zone of virtual desktop infrastructure (VDI)-related workloads may be treated as untrusted with firewalling and in-line IPS-based inspection of all traffic to and from the zone, as well as blocking of any direct peer-to-peer traffic within the zone.

Trust zones may be nested so that what was a single, physical data center can now be managed and secured as multiple, virtual data centers, each composed of multiple logical, not physical, perimeters around trust zones. Security policy may then be applied as needed within and between zones. In most cases, multiple trust zones will be allowed to reside on a single physical host with the enterprise able to define how much separation is sufficient for security and compliance purposes. For example, storage and backup can be isolated, and network traffic can be separated using IPS and firewalling enforcement, as internal or external compliance policies dictate.

Private cloud infrastructure will require security services that are designed to provide high-assurance separation of workloads of different trust levels as a core capability. This is exactly the same type of separation capability required by public cloud providers to separate and isolate tenants from different organizations.
For enterprises building private clouds, the concepts are identical, although instead of tenants from different organizations, they will routinely be responsible for separating workloads of different trust levels, including different business units and divisions sharing the same underlying physical infrastructure.

Separately Configurable Security Policy Management and Control

Security must not be weakened as it is virtualized and incorporated into cloud-based computing infrastructures. The security controls and policies discussed previously must not be able to be arbitrarily disabled by operational staff and should fail open or closed as enterprise policies dictate. Strong separation of duties/concerns between IT operations and security needs to be enforceable within a private cloud infrastructure, just as within physical infrastructure and virtualized infrastructure today. This separation occurs at multiple levels.

If software controls are virtualized, we should not lose the separation of duties we had in the physical world. This requires that virtualization and private cloud-computing platform vendors provide the ability to separate security policy formation and the operation of security VMs from management policy formation and the operation of the other data center VMs. Typically, this will be enabled by integrating and controlling access to security operations at a granular level, using role-based access control within the management system controlled by integration with organizational and group information located in enterprise directories (typically Active Directory or an LDAP-enabled repository) along with delegated administration capabilities. Likewise, all security policy changes and operations to security VMs must be fully audited in tamper-resistant logs that are inaccessible to security administrators.

A security policy manager will enable the orchestration and definition of security policies and the assignment of policies to the logical attributes of the workloads and groups of workloads, as described previously, with an emphasis on policy integrity and testing. As a given, VMs may be assigned multiple security policies and may be members of more than one trust zone. The policy management system should support multiple, overlapping security policies to be assigned and be able to identify the resultant least-privilege policy and provide for policy resolution in the event of a conflict. Ideally, the system will support proactive modeling of "what if" scenarios before policy changes are implemented.

"Federatable" Security Policy and Identity

Private clouds will be deployed incrementally, not all at once. Private clouds will be carved out of existing data centers, where only a portion has been converted to a private cloud model. In addition, many enterprises will have a percentage of workloads that haven't been virtualized for years to come. Ideally, private cloud security infrastructure would be able to exchange and share policies with other data center security infrastructure, virtualized and physical. There are no clear standards for the sharing of security policy. Spanning physical to virtualized infrastructure will require using the same vendor the enterprise has chosen to provide security in both environments, or using different vendors in each environment (see "Three Styles of Securing Public and Private Clouds"). Ideally, security controls placed across physical and virtualized infrastructure will be able to intelligently cooperate for workload inspection, for example, data going to and from the data center inspected by hardware-based physical security appliances.

Organizations will also begin experimentation with public cloud infrastructure as a service (IaaS) providers, creating hybrid private/public cloud-computing environments. Ideally, security policies designed to protect workloads, when on premises, would also be able to be federated (along with user identity-related information) to public cloud providers. There are no established standards for this either.
However, the VMware vCloud API is a start, as is work within the Distributed Management Task Force (DMTF) to extend Open Virtualization Format (OVF) (see "The Open Virtualization Format: Improving VM Manageability and Security With Metadata") to express security policy. Absent clear standards and APIs, capabilities for extending enterprise security policy will remain fragmented, relying on a combination of controls bundled within workloads, virtual private network-based extension of network security policies, remote console-based policy management, remote API-based programming of service provider policies, and written commitments for security service levels.

RECOMMENDED READING

- "Five Refining Attributes of Public and Private Cloud Computing"
- "The Future of Information Security Is Context Aware and Adaptive"
- "Addressing the Most Common Security Risks in Data Center Virtualization Projects"
- "Building Blocks for Trusted, Secure Hypervisors"

Note 1
Workloads

Workloads, in this sense, are the set of applications and services that support a given process, which may span more than one VM and one physical machine. This includes server and desktop workloads.

Note 2
Programmatic API Access

These APIs will become a target for attack. To reduce the threat of attacks, the best practice will remain the isolation and separation of security and management control traffic to a separate physical network (see "Security Considerations and Best Practices for Securing Virtual Machines").
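
The sections on adaptive trust zones and on separately configurable policy management describe zone membership driven by logical attributes, resolution of overlapping policies to a resultant least-privilege policy, conflict detection and "what if" modeling. The Python below is an added example, not part of the original research note or of any vendor product. The zone names, directory groups, attribute keys, firewall scale and the lock-down default for unclassified workloads are assumptions constructed for illustration.

```python
from dataclasses import dataclass, replace

# Firewall postures from least to most restrictive (constructed scale).
FIREWALL_ORDER = ["none", "stateful", "stateful+ips"]


@dataclass
class ZonePolicy:
    name: str
    selector: dict             # logical attributes a member workload must carry
    allowed_groups: frozenset  # directory groups permitted to reach the zone
    encrypt_inter_vm: bool = False
    ids_monitoring: bool = False
    block_peer_to_peer: bool = False
    firewall: str = "none"


@dataclass
class Workload:
    name: str
    attributes: dict           # role, compliance scope, business unit ...
    host: str = "unplaced"     # physical placement; deliberately never read below


# Constructed zones modelled on the note's PCI and VDI examples.
ZONES = [
    ZonePolicy("pci", {"compliance": "pci"}, frozenset({"pci-ops"}),
               encrypt_inter_vm=True, ids_monitoring=True, firewall="stateful"),
    ZonePolicy("vdi", {"role": "vdi"}, frozenset({"employees", "pci-ops"}),
               block_peer_to_peer=True, firewall="stateful+ips"),
    ZonePolicy("finance", {"unit": "finance"}, frozenset({"finance-users"}),
               firewall="stateful"),
]

# Assumption of this example: a workload that no zone claims is locked down.
UNCLASSIFIED = ZonePolicy("unclassified", {}, frozenset(), True, True, True,
                          "stateful+ips")


def zones_for(workload, zones):
    """Zones whose selector is fully matched by the workload's logical attributes."""
    return [z for z in zones
            if all(workload.attributes.get(k) == v for k, v in z.selector.items())]


def resolve(workload, zones):
    """Merge all matching zone policies into the resultant least-privilege policy."""
    matched = zones_for(workload, zones) or [UNCLASSIFIED]
    # Access: only groups that every zone allows. Controls: required if any zone asks.
    groups = frozenset.intersection(*(z.allowed_groups for z in matched))
    conflicts = []
    if len(matched) > 1 and not groups:
        conflicts.append("no group is allowed by all of: "
                         + ", ".join(sorted(z.name for z in matched)))
    return {
        "zones": sorted(z.name for z in matched),
        "allowed_groups": groups,
        "encrypt_inter_vm": any(z.encrypt_inter_vm for z in matched),
        "ids_monitoring": any(z.ids_monitoring for z in matched),
        "block_peer_to_peer": any(z.block_peer_to_peer for z in matched),
        "firewall": max((z.firewall for z in matched), key=FIREWALL_ORDER.index),
        "conflicts": conflicts,
    }


def what_if(workload, current, proposed):
    """Fields of the effective policy that a proposed zone change would alter."""
    before, after = resolve(workload, current), resolve(workload, proposed)
    return {k: (before[k], after[k]) for k in before if before[k] != after[k]}


if __name__ == "__main__":
    desk = Workload("pay-desktop-01", {"role": "vdi", "compliance": "pci"}, "esx-07")
    print(resolve(desk, ZONES))
    desk.host = "esx-12"  # live migration: effective policy is unchanged
    print(resolve(desk, ZONES))
    # Proposed change: the VDI zone stops admitting the pci-ops group.
    proposed = [replace(z, allowed_groups=frozenset({"employees"}))
                if z.name == "vdi" else z for z in ZONES]
    print(what_if(desk, ZONES, proposed))
```

Because `resolve` never reads `Workload.host`, moving a workload between physical hosts cannot change its effective policy, and `what_if` surfaces a conflict before the proposed change is deployed.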
Research Publication Date: 17 October 2006 ID Number: G00144061 Responsible Vulnerability Disclosure: Guidance for Researchers, Vendors and End Users Amrit T. Williams, John Pescatore, Paul E. Proctor
More information2010 FEI Technology Study: CPM and BI Show Improvement From 2009
Research Publication Date: 22 March 2010 ID Number: G00175233 2010 FEI Technology Study: CPM and BI Show Improvement From 2009 John E. Van Decker Many organizations recognize that current financial management
More informationOvercoming the Gap Between Business Intelligence and Decision Support
Research Publication Date: 9 April 2009 ID Number: G00165169 Overcoming the Gap Between Business Intelligence and Decision Support Rita L. Sallam, Kurt Schlegel Although the promise of better decision
More informationDiscovering the Value of Unified Communications
Research Publication Date: 12 February 2007 ID Number: G00144673 Discovering the Value of Unified Communications Bern Elliot, Steve Cramoysan Unified communications represent a broad range of new solutions
More informationToolkit: Reduce Dependence on Desk-Side Support Technicians
Gartner for IT Leaders Publication Date: 23 April 2007 ID Number: G00147075 Toolkit: Reduce Dependence on Desk-Side Support Technicians David M. Coyle, Terrence Cosgrove The IT service desk and PC life
More informationData in the Cloud: The Changing Nature of Managing Data Delivery
Research Publication Date: 1 March 2011 ID Number: G00210129 Data in the Cloud: The Changing Nature of Managing Data Delivery Eric Thoo Extendible data integration strategies and capabilities will play
More informationIT Operational Considerations for Cloud Computing
Research Publication Date: 13 June 2008 ID Number: G00157184 IT Operational Considerations for Cloud Computing Donna Scott Cloud computing market offerings increase the options available to source IT services.
More informationCDOs Should Use IT Governance and Risk Compliance Management to Advance Compliance
Industry Research Publication Date: 1 May 2008 ID Number: G00156708 CDOs Should Use IT Governance and Risk Compliance Management to Advance Compliance Barry Runyon Care delivery organizations (CDOs) are
More informationEight Critical Forces Shape Enterprise Data Center Strategies
Research Publication Date: 8 February 2007 ID Number: G00144650 Eight Critical Forces Shape Enterprise Data Center Strategies Rakesh Kumar Through 2017, infrastructure and operations managers, architects
More informationCase Study: A K-12 Portal Project at the Miami-Dade County Public Schools
Industry Research Publication Date: 31 December 2007 ID Number: G00154138 Case Study: A K-12 Portal Project at the Miami-Dade County Public Schools Bill Rust The Miami-Dade County Public Schools a school
More informationIT asset management (ITAM) will proliferate in midsize and large companies.
Research Publication Date: 2 October 2008 ID Number: G00161024 Trends on Better IT Asset Management Peter Wesche New exiting trends will lead to a higher adoption of asset management methodologies. Tighter
More informationIAM can utilize SIEM event data to drive user and role life cycle management and automate remediation of exception conditions.
Research Publication Date: 1 September 2009 ID Number: G00161012 SIEM and IAM Technology Integration Mark Nicolett, Earl Perkins Integration of identity and access management (IAM) and security information
More informationUnderstanding Vulnerability Management Life Cycle Functions
Research Publication Date: 24 January 2011 ID Number: G00210104 Understanding Vulnerability Management Life Cycle Functions Mark Nicolett We provide guidance on the elements of an effective vulnerability
More informationThe Current State of Agile Method Adoption
Research Publication Date: 12 December 2008 ID Number: G00163591 The Current State of Agile Method Adoption David Norton As the pace of agile adoption increases, development organizations must understand
More informationCloud IaaS: Service-Level Agreements
G00210096 Cloud IaaS: Service-Level Agreements Published: 7 March 2011 Analyst(s): Lydia Leong Cloud infrastructure-as-a-service (IaaS) providers typically offer SLAs that cover the various elements of
More informationHow to Develop an Effective Vulnerability Management Process
Research Publication Date: 1 March 2005 ID Number: G00124126 How to Develop an Effective Vulnerability Management Process Mark Nicolett IT organizations should develop vulnerability management processes
More informationIron Mountain's acquisition of Mimosa Systems addresses concerns from prospective customers who had questions about Mimosa's long-term viability.
Research Publication Date: 22 March 2010 ID Number: G00175194 Iron Mountain Acquires Mimosa Systems Sheila Childs, Kenneth Chin, Adam W. Couture Iron Mountain offers a portfolio of solutions for cloud-based
More informationCloud E-Mail Decision-Making Criteria for Educational Organizations
Research Publication Date: 10 June 2011 ID Number: G00213675 Cloud E-Mail Decision-Making Criteria for Educational Organizations Matthew W. Cain Educational organizations sometimes struggle to choose between
More informationEmerging PC Life Cycle Configuration Management Vendors
Research Publication Date: 20 January 2011 ID Number: G00209766 Emerging PC Life Cycle Configuration Management Vendors Terrence Cosgrove Although the PC configuration life cycle management (PCCLM) market
More informationThe Hype Around an Integrated Talent Management Suite Outpaces Customer Adoption
Research Publication Date: 3 February 2009 ID Number: G00164356 The Hype Around an Integrated Talent Management Suite Outpaces Customer Adoption James Holincheck Gartner surveyed 123 customer references
More informationUse Heterogeneous Storage Virtualization as a Bridge to the Cloud
G00214958 Use Heterogeneous Storage Virtualization as a Bridge to the Cloud Published: 12 August 2011 Analyst(s): Gene Ruth Data center operators who are interested in private cloud storage technologies
More informationReal-Time Decisions Need Corporate Performance Management
Research Publication Date: 26 April 2004 ID Number: COM-22-3674 Real-Time Decisions Need Corporate Performance Management Frank Buytendijk, Brian Wood, Mark Raskino The real-time enterprise model depends
More informationTactical Guideline: Minimizing Risk in E-Mail Hosting Relationships
Research Publication Date: 26 February 2008 ID Number: G00154838 Tactical Guideline: Minimizing Risk in E-Mail Hosting Relationships Matthew W. Cain This report discusses the often hidden risks in moving
More informationQ&A: How Can ERP Recurring Costs Be Contained?
Research Publication Date: 18 December 2008 ID Number: G00163030 Q&A: How Can ERP Recurring Costs Be Contained? Peter Wesche Driven by increased pressure for cost containment, attendees at the 2008 Financial
More informationPredicts 2008: The Market for Servers and Operating Systems Continues to Evolve
Research Publication Date: 6 December 2007 ID Number: G00152575 Predicts 2008: The Market for Servers and Operating Systems Continues to Evolve John Enck, Philip Dawson, George J. Weiss, Rakesh Kumar,
More informationKey Issues for Business Intelligence and Performance Management Initiatives, 2008
Research Publication Date: 14 March 2008 ID Number: G00156014 Key Issues for Business Intelligence and Performance Management Initiatives, 2008 Kurt Schlegel The Business Intelligence and Performance Management
More informationResearch. Mastering Master Data Management
Research Publication Date: 25 January 2006 ID Number: G00136958 Mastering Master Data Management Andrew White, David Newman, Debra Logan, John Radcliffe Despite vendor claims, master data management has
More informationGovernment 2.0 is both citizen-driven and employee-centric, and is both transformational and evolutionary.
Industry Research Publication Date: 11 November 2009 ID Number: G00172423 Government 2.0: Gartner Definition Andrea Di Maio Given the increasing confusion and hype surrounding Government 2.0, it is important
More informationGartner Defines Enterprise Information Architecture
Research Publication Date: 20 February 2008 ID Number: G00154071 Gartner Defines Enterprise Information Architecture David Newman, Nicholas Gall, Anne Lapkin As organizations look for new ways to exploit
More informationBusiness Intelligence Focus Shifts From Tactical to Strategic
Research Publication Date: 22 May 2006 ID Number: G00139352 Business Intelligence Focus Shifts From Tactical to Strategic Betsy Burton, Lee Geishecker, Kurt Schlegel, Bill Hostmann, Tom Austin, Gareth
More informationResearch. Identity and Access Management Defined
Research Publication Date: 4 November 2003 ID Number: SPA-21-3430 Identity and Access Management Defined Roberta J. Witty, Ant Allan, John Enck, Ray Wagner An IAM solution requires multiple products from
More informationMake Optimizing Security Protection in Virtualized Environments a Priority
G00229651 Make Optimizing Security Protection in Virtualized Environments a Priority Published: 15 February 2012 Analyst(s): Neil MacDonald As the virtualization of servers and desktops becomes more common,
More informationManaging IT Risks During Cost-Cutting Periods
Research Publication Date: 22 October 2008 ID Number: G00162359 Managing IT Risks During Cost-Cutting Periods Mark Nicolett, Paul E. Proctor, French Caldwell To provide visibility into increased risks
More informationGartner Clarifies the Definition of the Term 'Enterprise Architecture'
Research Publication Date: 12 August 2008 ID Number: G00156559 Gartner Clarifies the Definition of the Term 'Enterprise Architecture' Anne Lapkin, Philip Allega, Brian Burke, Betsy Burton, R. Scott Bittler,
More informationBEA Customers Should Seek Contractual Protections Before Acquisition by Oracle
Research Publication Date: 15 February 2008 ID Number: G00155026 BEA Customers Should Seek Contractual Protections Before Acquisition by Oracle Peter Wesche, Jane B. Disbrow Oracle has announced an agreement
More informationSecurity and Identity Management Auditing Converge
Research Publication Date: 12 July 2005 ID Number: G00129279 Security and Identity Management Auditing Converge Earl L. Perkins, Mark Nicolett, Ant Allan, Jay Heiser, Neil MacDonald, Amrit T. Williams,
More informationIntegrated Marketing Management Aligns Executional, Operational and Analytical Processes in a Closed-Loop Process
Research Publication Date: 26 October 2010 ID Number: G00207031 Integrated Marketing Management Aligns Executional, Operational and Analytical Processes in a Closed-Loop Process Kimberly Collins This research
More informationRoundup of Business Intelligence and Information Management Research, 1Q08
Gartner for IT Leaders Publication Date: 2 May 2008 ID Number: G00157226 Roundup of Business Intelligence and Information Management Research, 1Q08 Bill Hostmann This document provides a roundup of our
More informationRepurposing Old PCs as Thin Clients as a Way to Save Money
Research Publication Date: 30 March 2009 ID Number: G00166341 Repurposing Old PCs as Thin Clients as a Way to Save Money Mark A. Margevicius, Stephen Kleynhans Tough economic times are forcing customers
More informationInvest in an analysis of current metrics and those missing, and develop a plan for continuous management and improvement.
Research Publication Date: 29 April 2008 ID Number: G00154802 Key Metrics for IT Service and Support David M. Coyle, Kris Brittain To evaluate IT service and support performance, senior management must
More information2009 FEI Technology Study: CPM and BI Pose Challenges and Opportunities
Research Publication Date: 23 July 2009 ID Number: G00168896 2009 FEI Technology Study: CPM and BI Pose Challenges and Opportunities John E. Van Decker Many organizations recognize that existing financial
More informationGovernance Is an Essential Building Block for Enterprise Information Management
Research Publication Date: 18 May 2006 ID Number: G00139707 Governance Is an Essential Building Block for Enterprise Information Management David Newman, Debra Logan Organizations are seeking new ways
More informationEmbrace Virtual Assistants as Part of a Holistic Web Customer Service Strategy
Research Publication Date: 19 August 2010 ID Number: G00205618 Embrace Virtual Assistants as Part of a Holistic Web Customer Service Strategy Johan Jacobs Customers are insisting on multiple methods to
More informationUse This Eight-Step Process for Identity and Access Management Audit and Compliance
Research Publication Date: 28 March 2005 ID Number: G00126592 Use This Eight-Step Process for Identity and Access Management Audit and Compliance Roberta J. Witty, Ant Allan, Jay Heiser Authentication,
More informationBest Practices for Confirming Software Inventories in Software Asset Management
Research Publication Date: 24 August 2009 ID Number: G00167067 Best Practices for Confirming Software Inventories in Software Asset Management Peter Wesche, Jane B. Disbrow This research discusses the
More informationTransactional HR self-service applications typically get implemented first because they typically automate manual, error-prone processes.
Research Publication Date: 28 August 2008 ID Number: G00159897 HR Self-Service Applications Defined James Holincheck In this research, we discuss the different types of HR self-service and strategies for
More informationIn the North American E-Signature Market, SaaS Offerings Are Increasingly in Demand
Research Publication Date: 18 August 2011 ID Number: G00215378 In the North American E-Signature Market, SaaS Offerings Are Increasingly in Demand Gregg Kreizman Enterprises are becoming increasing comfortable
More informationModify Your Storage Backup Plan to Improve Data Management and Reduce Cost
G00238815 Modify Your Storage Backup Plan to Improve Data Management and Reduce Cost Published: 4 October 2012 Analyst(s): Dave Russell IT leaders and storage managers must rethink their backup procedures
More informationConsider Identity and Access Management as a Process, Not a Technology
Research Publication Date: 2 September 2005 ID Number: G00129998 Consider and Management as a Process, Not a Technology Earl L. Perkins, Ant Allan This Research Note complements earlier Gartner research
More informationCase Study: New South Wales State Department of Education Adopts Gmail for 1.2 Million Students
Industry Research Publication Date: 26 January 2010 ID Number: G00172722 Case Study: New South Wales State Department of Education Adopts Gmail for 1.2 Million Students Steve Bittinger Australia's New
More informationHow Eneco's Enterprisewide BI and Performance Management Initiative Delivered Significant Business Benefits
Research Publication Date: 13 June 2008 ID Number: G00158605 How Eneco's Enterprisewide BI and Performance Management Initiative Delivered Significant Business Benefits Nigel Rayner Eneco was faced with
More informationThe Six Triggers for Using Data Center Infrastructure Management Tools
G00230904 The Six Triggers for Using Data Center Infrastructure Management Tools Published: 29 February 2012 Analyst(s): Rakesh Kumar This research outlines the six main triggers for users to start using
More informationAn outline of the five critical components of a CRM vision and how they contribute to an enterprise's CRM success
Research Publication Date: 1 March 2007 ID Number: G00146362 How to Create a Powerful CRM Vision Gene Alvarez This research provides: Guidance on how to develop a CRM vision An outline of the five critical
More informationChoosing a Replacement for Incumbent One-Time Password Tokens
Research Publication Date: 21 April 2011 ID Number: G00212244 Choosing a Replacement for Incumbent One-Time Password Tokens Ant Allan This research outlines the options for enterprises seeking replacements
More informationHow BPM Can Enhance the Eight Building Blocks of CRM
Research Publication Date: 6 April 2007 ID Number: G00146588 How BPM Can Enhance the Eight Building Blocks of CRM Marc Kerremans, Jim Davies Business process management (BPM) should complement an organization's
More informationBusiness Intelligence Platform Usage and Quality Dynamics, 2008
Research Publication Date: 2 July 2008 ID Number: G00159043 Business Intelligence Platform Usage and Quality Dynamics, 2008 James Richardson This report gives results from a survey of attendees at Gartner's
More informationBackup and Disaster Recovery Modernization Is No Longer a Luxury, but a Business Necessity
Research Publication Date: 11 August 2011 ID Number: G00215300 Backup and Disaster Recovery Modernization Is No Longer a Luxury, but a Business Necessity John P Morency, Donna Scott, Dave Russell For the
More informationBest Practice: Having a 'Big Picture' View of IP Telephony Will Give the Buyer More Control
Research Publication Date: 12 February 2008 ID Number: G00154811 Best Practice: Having a 'Big Picture' View of IP Telephony Will Give the Buyer More Control Steve Blood Companies spend too much on IP-PBXs
More informationSelection Requirements for Business Activity Monitoring Tools
Research Publication Date: 13 May 2005 ID Number: G00126563 Selection Requirements for Business Activity Monitoring Tools Bill Gassman When evaluating business activity monitoring product alternatives,
More informationAgenda for Supply Chain Strategy and Enablers, 2012
G00230659 Agenda for Supply Chain Strategy and Enablers, 2012 Published: 23 February 2012 Analyst(s): Michael Dominy, Dana Stiffler When supply chain executives establish the right strategies and enabling
More informationCost-Cutting IT: Should You Cut Back Your Disaster Recovery Exercise Spending?
Industry Research Publication Date: 11 February 2009 ID Number: G00164764 Cost-Cutting IT: Should You Cut Back Your Disaster Recovery Exercise Spending? Jeff Vining Government CIOs are under increasing
More informationNAC Strategies for Supporting BYOD Environments
G00226204 NAC Strategies for Supporting BYOD Environments Published: 22 December 2011 Analyst(s): Lawrence Orans, John Pescatore Network access control (NAC) will be a key element in a flexible approach
More informationSuccessful EA Change Management Requires Five Key Elements
Research Publication Date: 26 December 2007 ID Number: G00153908 Successful EA Change Management Requires Five Key Elements Richard Buchanan Change, in all its many aspects, is a critical aspect of the
More informationXBRL Will Enhance Corporate Disclosure and Corporate Performance Management
Research Publication Date: 23 April 2008 ID Number: G00156910 XBRL Will Enhance Corporate Disclosure and Corporate Performance Management Nigel Rayner, Neil Chandler Extensible Business Reporting Language
More informationClients That Don't Segment Their Network Infrastructure Will Have Higher Costs and Increased Vendor Lock-in
Research Publication Date: 15 March 2011 ID Number: G00210952 Clients That Don't Segment Their Network Infrastructure Will Have Higher Costs and Increased Vendor Lock-in Tim Zimmerman Enterprises must
More informationWhat to Consider When Designing Next-Generation Data Centers
Research Publication Date: 10 September 2010 ID Number: G00201044 What to Consider When Designing Next-Generation Data Centers David J. Cappuccio Leading-edge data centers are designed for flexibility,
More informationMicrosoft and Google Jostle Over Cloud-Based E-Mail and Collaboration
Research Publication Date: 24 March 2008 ID Number: G00156216 Microsoft and Google Jostle Over Cloud-Based E-Mail and Collaboration Tom Austin Both Google and Microsoft come up short in terms of delivering
More informationThe Seven Building Blocks of MDM: A Framework for Success
Research Publication Date: 11 October 2007 ID Number: G00151496 The Seven Building Blocks of MDM: A Framework for Success John Radcliffe Gartner's Seven Building Blocks of Master Data Management (MDM)
More informationGartner's View on 'Bring Your Own' in Client Computing
G00217298 Gartner's View on 'Bring Your Own' in Client Computing Published: 20 October 2011 Analyst(s): Leif-Olof Wallin Here, we bring together recently published research covering the hot topic of supporting
More informationMake the maturity model part of the effort to educate senior management, so they understand the phases of the EIM journey.
Research Publication Date: 5 December 2008 ID Number: G00160425 Gartner Introduces the EIM Maturity Model David Newman, Debra Logan Organizations cannot implement enterprise information management (EIM)
More informationIT Architecture Is Not Enterprise Architecture
Research Publication Date: 17 November 2010 ID Number: G00206910 IT Architecture Is Not Enterprise Architecture Bruce Robertson Many enterprise architecture (EA) teams and their stakeholders still use
More informationERP, SCM and CRM: Suites Define the Packaged Application Market
Research Publication Date: 25 July 2008 ID Number: G00158827 ERP, SCM and CRM: Suites Define the Packaged Application Market Yvonne Genovese, Jeff Woods, James Holincheck, Nigel Rayner, Michael Maoz Users
More informationEnterprise Asset Management Migration Requires Detailed Planning
Research Publication Date: 2 September 2005 ID Number: G00130205 Enterprise Asset Management Migration Requires Detailed Planning Kristian Steenstrup Neglecting to address key areas when migrating to packaged
More informationFive Business Drivers of Identity and Access Management
Research Publication Date: 31 October 2003 ID Number: SPA-21-3673 Five Business Drivers of Identity and Access Management Roberta J. Witty The primary reasons to implement IAM solutions are business facilitation,
More information