Security 2019
Steve Riley
© 2020 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. It consists of the opinions of Gartner's research organization, which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by Gartner's Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or influence from any third party. For further information, see "Guiding Principles on Independence and Objectivity."
Cloud isn't perfect; there have been some big recent failures.
2 © 2020 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates.
Through 20___, >99% of cloud security failures will be the customer's fault.
Our goal today: learn how to avoid these common mistakes.
Introduction
[Figure: two panels labelled "Cloud Risk Management" and "Control Provider".]
No automation, no control
File sharing: you're doing it wrong!
Part 1:
Multitenancy Risk
[Figure: two panels labelled "Cloud Risk Management" and "Control Provider", with "IaaS" and "SaaS" as columns and "Security Control" as a row label.]
Cloudsec is not for newbies
Does not scale
Part 2:
IaaS Security
Cloud Risk Management
[Figure: workload lifetime axis, from longest-lived to shortest-lived: Physical Servers, Virtual Machines, Containers, Serverless.]
Security Services
Workload Protection
Posture Management
[Figure: Cloud Workload Protection Hierarchy. Side label: "Cloud-Native Mindset". Layers as labelled on the slide, top to bottom: Cloud Threat Detection; Antimalware Scanning; Extended HIPS With Vulnerability Shielding; Data Protection; Server Workload EDR, Behavioral Monitoring, Threat Detection and Response; Application, PaaS and API Security; Application Control/Whitelisting; Workload Security: Patching and Configuration; System Integrity Assurance; Pervasive Visibility, Logging, Audit and Assessment; Network Firewalling, Microsegmentation and Visibility; Continuous Cloud Security Posture Management; Hardening, Configuration and Vulnerability Management; Infrastructure Configuration. Annotations on the right: "Optional, but should be performed on file repositories" (top layer), "Important, but may be performed outside of the workload" (upper layers), "Core workload protection strategies" (lower layers). Bottom axis: Network, Storage, Compute, PaaS.]
Part 3:
SaaS Control
Cloud Risk Management
[Figure: SaaS risk management lifecycle. Stages: Discovery; Policies; Requirements; Analysis; Implementation; Acceptance; Continuous Risk Management; End of Life. Annotations: "Usually needs more attention" (beside the early and end-of-life stages) and "Most SaaS implementations concentrate here" (beside Analysis, Implementation and Acceptance).]
[Figure: SaaS control layers. Secure Access. Threat Protection: Antispam; Malware scanning; sandboxing. Data (sensitive data and rights control): Classification or labeling; EDRM; Sensitive data monitoring / DLP; Encryption; Content management. Apps/Applications: Network access encryption; Usage logging and reporting; Auditing; Enterprise log integration; alerting. Users: IAM/IDaaS; PAM; MFA for admins and users; Adaptive access control; UEBA. Visibility: CASB or SSPM or SMP or APIs.]
[Figure: SaaS security architecture. IDaaS/IAM: Directory Integration; SSO; Provisioning/Deprovisioning; MFA Integration; Roles; Adaptive Access Control. Cloud Access Security Broker: Encryption; DLP; Threat Intelligence; Advanced Threat Prevention; File Sharing Control; Activity Alerting. Native SaaS. UEBA. SIEM: Log Storage; Event Correlation; Investigation.]
Part 4:
Toe Dip to
Full Immersion
[Figure, 2016: chart against a Sensitivity axis with regions "Can't defend" and "Prohibit".]
[Figure, 2020: chart against a Sensitivity axis with regions "Can't defend" and "Prohibit".]
[Figure, 2024: chart against Sensitivity and Value axes with regions "Allow with defaults", "Allow with extra" and "Can't defend".]
Part 5:
Conclusion
[Figure: two panels labelled "Cloud Risk Management" and "Control Provider".]
Recommended Research
Hype Cycle for Cloud Security, 2020
Steve Riley, Jay Heiser, Tom Croll (G00448013)
Clouds Are Secure: Are You Using Them Securely?
Jay Heiser (G00350439)
How to Develop Infrastructure-as-a-Service Security Skills
Steve Riley (G00392867)
How to Make Cloud More Secure Than Your Own Data Center
Neil MacDonald, Tom Croll (G00430108)
How to Develop a SaaS Governance Framework
Jay Heiser (G00382661)