Data Security Monitoring in the Cloud
G00232645
Key Findings
Security requirements and drivers in the cloud are different from those in traditional data center
environments, and data monitoring is no exception. The dynamic nature of the cloud, coupled
with the lack of customer ownership of infrastructure and limited transparency, has essentially
broken traditional security models and architectures.
While cloud providers have increased the options for monitoring in their clouds, the offerings
are still fairly immature, limited and mostly focused on network- and application-layer activity,
rather than on activity in the data layer.
Auditors and other stakeholders are increasingly focusing on data access, and the security
monitoring options currently available in the cloud are unlikely to fully satisfy their requirements.
Recommendations
Communicate with stakeholders to ensure that they understand the potential risks associated
with storing and processing data in the public cloud, focusing on the lack of options for
monitoring, especially for regulated and critical data.
Ensure that cloud services providers (CSPs) provide the appropriate level of monitoring controls
for the level of risk associated with the data (especially regulated data). This does not mean the
CSP will take ownership of the monitoring controls, because the data belongs to the
organization, and the organization is ultimately responsible for its safety and security.
Communicate with current and potential CSPs concerning your data-level monitoring needs.
Seek guidance about how to use native tools or solutions from your CSP, solutions from
independent software vendors (ISVs), or extensions or APIs offered by CSPs to allow you to
build your own solutions.
Ensure that any data monitoring solution you adopt integrates, or at minimum communicates,
with your enterprise's current monitoring and incident response tools and processes in cases
where the security organization must manage multiple solutions (not only cloud solutions).
Analysis
Why Monitor Data Access in the Cloud?
Gartner is seeing more clients entrusting not only regulated data, but also intellectual property and
other critical data, to public cloud projects. When these data elements are placed in cloud
environments that are not fully under the enterprise's control, it becomes more important to
understand who is accessing what. An enterprise can recover from a breach involving regulated
data, but the margin of error for intellectual property tends to be much narrower. Under these
circumstances, the ability to conduct real-time monitoring of data in the cloud could mean the
difference between a minor incident and one that threatens the viability of the enterprise.
The security risks to data in the cloud are significant (see Note 1 and "What You Need to Know
About Cloud Computing Security and Compliance" [Note: This document has been archived; some
of its content may not reflect current conditions.]), but they are not well-understood, making this
type of risk difficult to manage. Moreover, the immaturity and dynamic nature of cloud computing
makes traditional enterprise data security controls impractical. Controls can be grouped into three
basic categories:
Administrative: These controls include policy, procedure, and identity and access governance.
Preventative: These controls include access, encryption, intrusion prevention and data
masking.
Poor supervision of highly privileged users: CSP administrators have access that could easily
subvert controls implemented higher up in the stack, and could access stored data across
many of their customers. The inability to view what these administrators do with this privileged
level of access carries a significant risk, and could result in an adverse audit finding. Although
many CSPs monitor their administrators' activities, they typically do so for their own needs,
which don't necessarily match their customers' needs, and may offer insufficient protection for
critical data.
Weak data segmentation: The multitenancy models that are the norm in public clouds
inevitably lead to risks of data crossing logical or physical boundaries, and of savvy or skilled
users being able to bypass controls at virtualized borders. The segmentation security controls
offered by the virtualization technology that supports cloud implementations have historically
been attack-resistant. However, there is always the possibility that unknown vulnerabilities or
new attack mechanisms may allow the crossing of security boundaries that lead to data access.
These risks have prompted Gartner to recommend that clients storing or processing critical data in
the cloud develop a strategy for monitoring the data's usage, using either CSP-provided tools or
third-party tools. Data-centric regulations such as the PCI standards and the U.S. Health Insurance
Portability and Accountability Act, and pending rules such as the EU's proposed data protection
regulation (intended to replace the 1995 Data Protection Directive), have rigorous requirements for
auditing and accountability concerning access to protected data types. Moreover, as auditors focus
more closely on regulatory compliance in cloud deployments, enterprises will increasingly pressure
cloud providers for the ability to respond, and auditors are likely to find the current data monitoring
capabilities inadequate.
Data-centric monitoring technologies, such as database audit and protection (DAP) and
content-aware data loss prevention (DLP) tools, are typically architected using network
aggregators in conjunction with server agents installed on the database server. Public CSPs will
not allow client devices to be installed on their networks, and their willingness to allow clients to
install agents varies widely by offering.
The dynamic nature of cloud computing may mean that the data moves within the CSP's
infrastructure. If this is the case, any monitoring solution must be able to move rules, profiles
and policies on the fly to be effective. When cloud providers begin to offer data monitoring, their
capabilities will be limited in scope and function. Comprehensive monitoring requires a
combination of structured rules and behavior-based anomaly detection. Due to the effort
involved in fine-tuning behavior-based monitoring, the offerings will likely be signature-based, at
least in early stage offerings.
Many CSPs offer audit log management capabilities in SaaS and PaaS stacks, but native
logging adds processing and storage overhead, as well as the need for various log retention
and archiving requirements.
SaaS offerings tend to provide application monitoring based on the assumption that, since the
client can only access data through the application, monitoring of direct access to data (that is,
access not through the application) is unnecessary.
Begin by deciding whether data-level monitoring is required. For some use cases, notably in
SaaS and PaaS offerings, the default network or application monitoring provided as part of
the cloud provider's service agreement may be sufficient. For example, if the data in a SaaS
offering is only accessible through a provided application interface and the data is stored using
a distributed storage model, the value of data-specific monitoring is low. Some PaaS offerings,
such as application life cycle management as a service (ALMaaS) or application security as a
service (ASaaS), do not store the types of data that need to be monitored.
Evaluate the options for data-level security monitoring in current and future cloud projects, and
ensure that any providers or platforms that are adopted provide the appropriate level of
monitoring controls for the risk associated with the data. This is especially important for
regulated data types. In cases where CSP offerings are insufficient, add-ons or third-party tools
must be evaluated in order to adequately address the risks.
Ensure that the enterprise's auditors, legal and compliance departments, and other
stakeholders understand the risks of limited cloud data security monitoring, and that they will be
satisfied with any solutions before they are implemented. (Retrofitting will likely have an impact
on sizing, performance and cost.)
Follow the growth of third-party cloud security brokers that can provide layered security on top
of CSP offerings. This approach will likely not be possible immediately, however, because these
third-party solutions are still comparatively new, and growing in maturity.
Communicate with current and potential CSPs concerning your data-level monitoring needs.
Seek guidance as to how to use cloud-native tools or solutions, solutions from ISVs or APIs
offered by CSPs to allow you to build your own solutions.
Some organizations will deploy and manage only one monitoring platform. Where there are
distinct platforms, one in the enterprise and one in the public cloud, you must ensure that
any monitoring solution integrates or communicates with your enterprise's monitoring, and with
your incident response tools and processes.
Look to cloud-based security services that can act as proxies, and that can either encrypt or
tokenize sensitive data before it is stored in the cloud, or monitor all cloud data access.
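The proxy pattern above, as an added example that is not part of the research note or any vendor's product: a broker sits between users and the cloud store, replaces regulated fields with random tokens before the record leaves the enterprise, keeps the token-to-plaintext mapping on premises, and writes its own audit event for every write and for every read that reveals a sensitive value. The in-memory dict standing in for the cloud store, the field names, the user names and the sample record are all assumptions made for the example.

```python
"""Tokenizing broker in front of a cloud data store (added example).

Assumptions: the dict passed as cloud_store stands in for a SaaS/PaaS data
store; SENSITIVE_FIELDS names the fields the enterprise classifies as
regulated; users and records below are constructed, not real data.
"""
import secrets
from datetime import datetime, timezone

SENSITIVE_FIELDS = {"ssn", "card_number"}   # assumption: regulated fields


class TokenVault:
    """On-premises token store. Tokens are random, so the cloud copy carries no
    information about the plaintext; the mapping never leaves the enterprise."""

    def __init__(self):
        self._token_to_plain = {}
        self._plain_to_token = {}

    def tokenize(self, value):
        # Deterministic per plaintext so the cloud application can still do
        # equality matching and joins on the field. Trade-off: equal values
        # produce equal tokens, which leaks frequency information; use
        # random-per-record tokens for fields where that matters.
        if value not in self._plain_to_token:
            token = "tok_" + secrets.token_hex(12)
            self._plain_to_token[value] = token
            self._token_to_plain[token] = value
        return self._plain_to_token[value]

    def detokenize(self, token):
        return self._token_to_plain[token]


class CloudDataBroker:
    def __init__(self, cloud_store, vault):
        self.cloud = cloud_store          # stands in for the SaaS/PaaS data store
        self.vault = vault
        self.audit_log = []               # enterprise-controlled, independent of CSP logging

    def _audit(self, action, user, record_id, fields):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "action": action, "user": user,
            "record_id": record_id, "sensitive_fields": sorted(fields),
        })

    def put(self, user, record_id, record):
        """Tokenize regulated fields, then store. The cloud never sees the plaintext."""
        stored = {k: (self.vault.tokenize(v) if k in SENSITIVE_FIELDS else v)
                  for k, v in record.items()}
        self.cloud[record_id] = stored
        self._audit("write", user, record_id, SENSITIVE_FIELDS & set(record))
        return stored

    def get(self, user, record_id, reveal=()):
        """Return the record; detokenize only the sensitive fields explicitly
        requested, and log exactly which ones were revealed to whom."""
        record = dict(self.cloud[record_id])
        revealed = {f for f in reveal if f in SENSITIVE_FIELDS and f in record}
        for field in revealed:
            record[field] = self.vault.detokenize(record[field])
        self._audit("read", user, record_id, revealed)
        return record


def cloud_holds_plaintext(cloud_store, known_secrets):
    """Verification check for the control: does any stored value equal a known secret?"""
    return any(v in known_secrets for rec in cloud_store.values() for v in rec.values())


def demo():
    cloud = {}
    broker = CloudDataBroker(cloud, TokenVault())
    # Constructed sample record (not real data).
    broker.put("hr-app", "emp-1001",
               {"name": "A. Example", "ssn": "123-45-6789", "dept": "finance"})
    masked = broker.get("support-agent", "emp-1001")                 # no reveal: token only
    full = broker.get("payroll-admin", "emp-1001", reveal=("ssn",))  # revealed and audited
    return cloud, masked, full, broker.audit_log


if __name__ == "__main__":
    cloud, masked, full, log = demo()
    print("cloud copy:", cloud["emp-1001"])
    print("audit events:", log)
```

The point of the broker is twofold: the CSP's administrators and any tenant that crosses a segmentation boundary only ever see tokens, and the enterprise gets a data-access log it owns regardless of what the provider logs. The audit log here is an in-memory list; in practice it would feed the enterprise's existing SIEM or incident response tooling, as the recommendation above requires.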
PaaS-Specific Issues
PaaS presents the most difficult set of use cases, for three reasons:
PaaS refers to a broad range of platform types and therefore a broad range of approaches to
data security monitoring. A database-as-a-platform provider may, for example, make it possible
to turn on logging for an additional charge, but likely will not allow the installation of an agent for
a third-party monitoring solution such as a DAP or DLP tool. On the other hand, in a more
expansive platform, such as business process monitoring as a service, the data store is
embedded, and there is no option to turn on logging or install an agent. This means that the
only monitoring available is what may be offered by the provider.
As noted, most monitoring in these stacks is performance-based, and any security monitoring
typically uses signature-based detection. Some PaaS providers provide APIs that can be
leveraged to expand their native monitoring capabilities. These APIs can be customized to
support behavior-based monitoring and analysis, but require significant effort to fine-tune.
Further, because some PaaS offerings comprise several layers, it can be difficult to identify the
appropriate level at which to monitor.
Because the market is so fragmented, PaaS clients will likely be purchasing solutions from
multiple providers, which will make normalizing a monitoring solution extremely challenging for
the foreseeable future.
SaaS-Specific Issues
In many ways, SaaS provides the easiest data security monitoring solution. SaaS is offered as a
stack, so data typically can be accessed only through the designated application, not directly. For
this reason, there is no real differentiation between application monitoring and data monitoring.
Most, if not all, SaaS providers can produce reports based on application activity. However, these
canned reports are based on standard signatures, that is, on what the provider defines as normal
activity.
The challenge is assessing how to implement behavior-based monitoring. Some SaaS providers
offer APIs that can be used to generate custom reporting and analysis, but the benefits of using
these APIs may not be worth the effort; in other words, the effort of creating customized monitoring
and reporting solutions may be so onerous as to push customers to use native CSP offerings,
however limited they may be. Also it is difficult to standardize monitoring across multiple SaaS
providers. This is where application brokers can play a significant role.
Another issue is that the simplicity of the integration between the application and the data in SaaS,
while seemingly providing a strong look at data access, does not lend itself to monitoring based on
behavioral analysis (for example, triggering on an individual's leveraging legitimate access to view or
download more records or documents than are needed to complete a given job). SaaS also does
not provide visibility into the data payload for classification purposes.
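Two passages above, the statement that comprehensive monitoring requires structured rules combined with behavior-based anomaly detection, and the SaaS example of a user leveraging legitimate access to pull more records than a job requires, are illustrated by the following added example. It is not code from the research note or from any CSP; it assumes that the CSP, a DAP agent or an application API exports one event per query or API call with the fields (user, timestamp, object, action, rows returned), and the events, object names, user names and thresholds are constructed for the example.

```python
"""Rules plus behavior-based anomaly detection over data-access events (added example).

Assumptions: events arrive as (user, ISO timestamp, object, action, rows);
REGULATED_OBJECTS, PRIVILEGED_USERS and the thresholds are illustrative.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample events (not real logs). The night-time bulk pull by alice
# and the CSP administrator's read of a regulated table are the cases to catch.
SAMPLE_EVENTS = [
    # user,       timestamp,             object,      action,   rows
    ("alice",     "2012-03-05T09:12:00", "customers", "SELECT", 40),
    ("alice",     "2012-03-05T10:03:00", "customers", "SELECT", 55),
    ("alice",     "2012-03-06T09:40:00", "customers", "SELECT", 48),
    ("alice",     "2012-03-07T11:15:00", "customers", "SELECT", 51),
    ("alice",     "2012-03-08T02:10:00", "customers", "SELECT", 5200),
    ("bob",       "2012-03-05T14:00:00", "orders",    "SELECT", 300),
    ("bob",       "2012-03-06T14:05:00", "orders",    "SELECT", 280),
    ("bob",       "2012-03-07T14:10:00", "orders",    "SELECT", 310),
    ("bob",       "2012-03-08T14:20:00", "orders",    "SELECT", 295),
    ("csp-admin", "2012-03-08T12:00:00", "customers", "SELECT", 1),
]

REGULATED_OBJECTS = {"customers"}   # assumption: tables holding PCI/PHI data
PRIVILEGED_USERS = {"csp-admin"}    # assumption: provider-side administrator accounts
BUSINESS_HOURS = range(7, 20)       # 07:00 to 19:59
BULK_ROWS = 1000                    # absolute threshold for a single read


def rule_alerts(events):
    """Signature-style rules: fixed conditions a provider's canned reports could express."""
    alerts = []
    for user, ts, obj, action, rows in events:
        hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").hour
        if obj in REGULATED_OBJECTS and hour not in BUSINESS_HOURS:
            alerts.append(("off_hours_regulated_access", user, ts))
        if rows >= BULK_ROWS:
            alerts.append(("bulk_read", user, ts))
        if user in PRIVILEGED_USERS and obj in REGULATED_OBJECTS:
            alerts.append(("privileged_user_on_regulated_data", user, ts))
    return alerts


def behavior_alerts(events, min_history=2, k=3.0):
    """Behavior-based detection: each user's daily row volume is judged against
    that user's own earlier days (walk-forward), so the spike under test never
    inflates the baseline it is compared against."""
    daily = defaultdict(lambda: defaultdict(int))
    for user, ts, obj, action, rows in events:
        daily[user][ts[:10]] += rows            # ts[:10] is the YYYY-MM-DD date
    alerts = []
    for user, per_day in daily.items():
        history = []
        for day in sorted(per_day):
            total = per_day[day]
            if len(history) >= min_history:
                mu, sigma = mean(history), pstdev(history)
                # Require both a statistical excursion and a material multiple of
                # the mean, so a near-constant history (sigma close to 0) does not
                # fire on ordinary day-to-day variation.
                if total > mu + k * sigma and total > 2 * mu:
                    alerts.append(("volume_anomaly", user, day, total, round(mu, 1)))
            history.append(total)
    return alerts


def analyze(events):
    return {"rules": rule_alerts(events), "behavior": behavior_alerts(events)}


if __name__ == "__main__":
    for kind, found in analyze(SAMPLE_EVENTS).items():
        for alert in found:
            print(kind, alert)
```

The rules catch the privileged read and the off-hours bulk pull because those conditions were written down in advance; only the per-user baseline catches the fact that alice's day is roughly eighty times her own normal volume, which no fixed row threshold tuned for bob would express. The effort the text describes lies in choosing min_history, k and the multiplier per user population, which is why early provider offerings were expected to stay signature-based.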
Recommended Reading
Some documents may not be available as part of your current Gartner subscription.
"Cloud IaaS: Security Considerations"
"Critical Security Questions to Ask a Cloud Service Provider"
"Database Activities You Should Be Monitoring"
"Database Activity Monitoring Is Evolving Into Database Audit and Protection"
"Hype Cycle for Cloud Security, 2011"
"Key Issues for Securing Public and Private Cloud Computing, 2011"
"Predicts 2012: Enterprises Must Balance Opportunity and Risk in Cloud and Mobile Security"
Evidence
The analysis in this research was developed based on information derived from various data
sources. Gartner client calls on the topic of data security in general and on security in the cloud
indicate that many clients focus more aggressively on preventative controls than detective controls,
and this is more obvious in cloud projects. Calls were conducted by Gartner with 15 leading
providers of cloud computing services to discuss current and future offerings for data-centric
monitoring. Calls with auditors and a review of pertinent data-centric laws and regulations provided
the framework for drivers of data protection in cloud environments.
Note 1 References for the Risks of Cloud Computing
"Reducing Security Risks in Cloud Computing"
"Risk Management in Cloud Computing"
Nearly half of U.S. IT professionals say the risks of cloud computing outweigh the benefits,
according to the first annual ISACA IT Risk-Reward Barometer Survey.
This is part of a set of related research. See the following for an overview:
2012 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This
publication may not be reproduced or distributed in any form without Gartner's prior written permission. The information contained in this
publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or
adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication
consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed
herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not
provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its
shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of
Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization
without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner
research, see Guiding Principles on Independence and Objectivity on its website, http://www.gartner.com/technology/about/
ombudsman/omb_guide2.jsp.