The Cloud Manager's Balancing Act: Balancing Security And Cost Without Sacrificing Time-To-Value


A Forrester Consulting Thought Leadership Paper Commissioned By Trend Micro
November 2014

The Cloud Manager's Balancing Act: Balancing Security And Cost Without Sacrificing Time-To-Value
Part Two Of A Three-Part Series On Public Cloud Security

Table Of Contents
Executive Summary
The Three Variables Of Public Cloud Security
Balancing The Variables Requires A Best-Fit, Automated Solution
Appendix A: Methodology
Appendix B: Demographics/Data
Appendix C: Endnotes

ABOUT FORRESTER CONSULTING
Forrester Consulting provides independent and objective research-based consulting to help leaders succeed in their organizations. Ranging in scope from a short strategy session to custom projects, Forrester's Consulting services connect you directly with research analysts who apply expert insight to your specific business challenges. For more information, visit forrester.com/consulting.

© 2014, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester, Technographics, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. For additional information, go to www.forrester.com.

Executive Summary

Application developers are migrating to the cloud with or without the support of IT and security, motivated by the agility and speed that the cloud can provide. This is changing the fundamental equation that cloud managers have to solve when balancing cost, appropriate security, and time-to-value. Time-to-value, once a flexible variable when selecting security, is no longer negotiable. Cloud managers who impede developer productivity will quickly find their developers circumventing IT to access cloud resources. This can lead to unsecure workloads and escalating costs for unmonitored cloud use and additional resources. In order to maintain control over cloud security and costs without sacrificing time-to-value, savvy cloud managers will employ an automated best-fit security solution.

This paper is the second in a series of three from Forrester Consulting commissioned by Trend Micro on public cloud security practices. This paper follows "The State Of Public Cloud Security," which serves as a primer on current best practices in public cloud security. Please see the Methodology section of this paper for more details.

The Three Variables Of Public Cloud Security

At the heart of public cloud security is a shared responsibility between the cloud vendor and the organization. Forrester calls this the "uneven handshake," where the cloud service provider is only responsible for securing the data center, infrastructure, and hypervisor, while the end user organization is responsible for the operating system, applications, users, and data. Unlike in many hosting models, the cloud vendor isn't responsible for solving all security requirements. Expecting security for the entire stack isn't an option, nor is it wise. Our survey of 321 IT professionals involved in public cloud security found that only 18% of respondents believe that the native security capabilities of cloud providers are sufficient for their implementation. To ensure that workloads are adequately protected, cloud managers will need to layer security policies on top of the existing policies of the cloud vendor. In crafting those new layers of security, there are three vital components to keep in mind:

Time-to-value. This is the No. 1 concern of developers, and as a result, it needs to be the No. 1 priority of cloud managers as well. In our custom survey, two of the top three barriers to adopting ideal cloud security practices were related to time-to-value challenges: 43% of respondents felt ideal security was too time-intensive, and 36% worried that it would slow down cloud usage (see Figure 1). Developers are not concerned with traditional security policies and procedures, and slow security can quickly translate into developers circumventing established processes without security or oversight. It is essential that cloud managers can ensure cloud resources are available for developers in under 15 minutes and that security is automated and out of sight of developers.[1] Only today's leading-edge cloud managers acknowledge the risk of not prioritizing time-to-value and, in turn, have successfully moved out in front of their enterprise cloud usage.

FIGURE 1: Concerns Around Time-To-Value And Cost Often Hinder Ideal Security Practices
"Why haven't you implemented all of the public cloud security practices you'd ideally like to?" (Select all that apply)
Too time-intensive: 43%
Not needed at the current time: 43%
It would slow down our cloud usage: 36%
Our environment is too complex: 35%
Costs escalate when security policies are applied: 31%
Security practices are not automated: 29%
Our cloud provider can't meet our security needs: 17%
Public cloud's value is diminished by security policies: 17%
We can't find providers that fill our security requirements: 15%
Do not have the technical expertise to apply these policies: 14%
Security professionals can't adapt to a cloud model: 11%
Other (please specify): 1%
Legend: time-to-value-related concerns; cost-related concerns
Base: 112 IT professionals involved in their organization's public cloud security policies and tasks
Source: A commissioned study conducted by Forrester Consulting on behalf of Trend Micro, May 2014

Security risks. In an attempt to prioritize time-to-value and optimize existing developer cloud usage, cloud managers often settle for minimal security practices. In their minds, some security is better than no security. However, with substandard security, security breaches can expose your organization to serious costs, in financial terms as well as brand identity, consumer trust, and litigation. There are core components of cloud security (data encryption, monitoring and logging, role-based authentication, advanced firewalling, intrusion detection/prevention, patch management, and threat prevention) that are necessary to keep cloud environments secure. The challenge is that today's security services are often slow to implement. Cloud managers must simplify security policy application and get out of the way of developers, without increasing their risk profile.

Cost. Public cloud offers a less expensive option for delivering basic services as compared with hosted services or internal infrastructure options. This is owing to its usage-based pricing and the fact that users pay only for resources that are being consumed. But these cost savings are limited to variable, short-term, and/or basic resource usage. Utilizing the cloud saves enterprises money when resources are powered down, not when they are powered up. Costs can escalate quickly if users fail to turn off resources when not in use or employ additional services such as security. Escalating security costs ranked as a top reason why nearly one-third of the organizations surveyed have not implemented ideal security policies. Blanket security features applied across an environment can quickly drive up cost or slow application performance. Failure to apply any security services can expose your organization to significant risk and huge financial repercussions. Cloud managers not only need to regulate usage but also apply security practices that minimize overall costs.

Cloud managers need a better way of securing their public cloud: one that minimizes security risk exposure without unnecessarily escalating costs or delaying time-to-value.

Balancing The Variables Requires A Best-Fit, Automated Solution

The fundamental equation that cloud managers have to solve when balancing cost, appropriate security, and time-to-value has shifted, but all three variables are still essential to the success of public cloud (see Figure 2). While time-to-value is now nonnegotiable, we have seen that inadequate security can expose organizations to serious financial risk, and blanket security features tacked on to the cloud can escalate costs quickly or cause developers to bypass IT. Therefore, cloud managers need to make sure their public cloud security programs provide appropriate security on all workloads, do not hinder developers' time-to-value, and allow the organization to control costs.

FIGURE 2: The Equation To Balance Public Cloud Security Has Shifted
Old formula: first priority is security; secondary priorities are cost and time-to-value.
New formula: first priority is time-to-value; secondary priorities are cost and security.
Source: Forrester Consulting, Inc.

One way to ensure these three conditions are all met is to create a security solution that features premade templates with differing levels of security that can be provisioned when developers need them and applies the correct level of security to different workloads automatically. Such a solution is:

Automated, to ensure time-to-value. The importance of time-to-value to developers cannot be overstated, so a successful security solution must prioritize it. Rather than take a traditional multiday approach where security is manually applied to workloads, cloud managers should automate security policies. When a developer requests a specific workload, security policies can be wrapped into the standard provisioning process. Some organizations completely abstract the underlying complexity of this, providing developers with "check box" cloud security. Applying security policies to workloads automatically ensures that the policies are followed and that developers' time-to-value is not compromised. This is especially important in industries with high compliance standards or regulations that need to be followed.

A best fit for the workload, to manage costs. A one-size-fits-all security policy can drive up the cost of public cloud. Organizations taking this approach find the highest required level of security protection and apply it across all of their resources, many of which don't require that level of protection (e.g., encryption, PCI, HIPAA, etc.). Instead, cloud managers should apply security policies based on workload type and differing levels of sensitivity and regulations. This ensures that there is no overspending on unneeded security.

Prebuilt in a template, to ensure proper security. Rather than relying on developers to select security for their workloads, organizations should automatically provision the appropriate level of security in the cloud template that the developer selects. This ensures that when developers request a new resource, the right security policies that fit the workload are automatically applied when the resource is provisioned, without the need for the developer to determine the specific security protocols needed for that workload type.

Alternatively, if the ability to prebuild security templates is not available, some organizations choose to have cloud managers review workloads after the developer has already provisioned them. This enables the developer to maintain time-to-value but ensures that proper security oversight takes place.

Appendix A: Methodology

In this study, Forrester conducted an online survey of 321 organizations with 100 or more employees spending more than $5,000 average per month on public cloud in Australia, Brazil, France, Germany, Japan, the UK, and the US to evaluate current and best practices in public cloud security. Survey participants included IT professionals involved in their organization's public cloud security policies and tasks. The study began in April 2014 and was completed in May 2014.

Appendix B: Demographics/Data

FIGURE 3: Survey Demographics
Country: DE 10%; UK 16%; US 16%; FR 11%; JAP 16%; BRA 16%; AUS 17%
Company size: 20,000 or more employees 20%; 5,000 to 19,999 employees 25%; 1,000 to 4,999 employees 36%; 500 to 999 employees 13%; 100 to 499 employees 6%
IT role (Select all that apply): Infrastructure 73%; Operations 71%; Cloud infrastructure/operations/architect; Solution/application architecture; Security 59%; IKM 46%; SVM 31%; 41%; 51%; ADD 31%; Software testing and QA 25%; Business analyst 21%
"Which title best describes your position at your organization?": C-level executive 25%; Vice president 11%; Director 25%; Manager 30%; Project manager 3%; Full-time practitioner 5%
Base: 321 IT professionals involved in their organization's public cloud security policies and tasks (Percentages may not total 100 due to rounding)
Source: A commissioned study conducted by Forrester Consulting on behalf of Trend Micro, May 2014

Appendix C: Endnotes

[1] Source: "Master 10 Trends For Your Cloud Journey," Forrester Research, Inc., May 10, 2012.