GARTNER 
By Analysts to Discuss Changing Risk Assessment Practices at Gartner Security & Risk Management Summit 2012, September 19-20 in London
STAMFORD, Conn., August 23, 2012-Avoiding the use of software as a service (SaaS) for critical or sensitive data remains a significant form of risk control for many organizations, according to Gartner, Inc. But those that do use SaaS for such data are more likely to use it for sensitive data than for mission-critical data.
These findings are based on Gartner's latest annual survey of the state of risk management programs globally, which questioned 425 respondents from IT risk management disciplines in the U.S., U.K., Germany and Canada from December 2011 to January 2012.
The survey results show that organizations take different approaches to risk management when confronted with a need or opportunity to share data with different types of external party.
Assessment Practices for External Parties
Survey respondents were asked if they had processes in place to assess external party security, risk management, compliance, privacy and BCP/DR for four different situations. Respondents answered: "Do not allow use for sensitive data or processes" almost twice as often in the case of business partners (38 percent) as for platform as a service (PaaS) and infrastructure as a service (IaaS) (20 percent).
Compared with PaaS/IaaS, organizations are about 30 percent more likely to have a policy against putting sensitive data into SaaS (26 percent), and about 45 percent more likely to have a policy against putting it into outsourced data centers (29 percent).
"These results make sense, given that sharing data with a partner almost certainly means that one or more of its employees will be accessing the data, while in a SaaS scenario, the data is typically only accessible to the primary customer," said Jay Heiser, research vice president at Gartner. "This year we asked about both data availability and data confidentiality policies. Survey respondents indicated 10 percent less willingness to place mission-critical data into a SaaS offering than to place sensitive data into it. They were even less willing to place mission-critical data into outsourced data centers, with over one-third of respondents saying that they do not allow it."
Platform-as-a-Service/Infrastructure-as-a-Service Risk Assessment Practices
Only 57 percent of IaaS/PaaS buyers are using a questionnaire to support their risk assessment, and unlike for SaaS, the questionnaire is more likely to be a proprietary one, unique to the buyer's organization, and less likely to be based on standards. As in the case of SaaS, 26 percent are also evaluating information from the provider. The most dramatic change over the past three years is the increased willingness to use IaaS and PaaS for sensitive processes.
Outsourced Data Center Risk Assessment Practices
Thirty-six percent of respondents said they had a policy against putting mission-critical data into an outsourced data center, making avoidance the most chosen mechanism for dealing with data center risk. The level of response for this choice is significantly higher than for either of the other two service models. Twenty-nine percent said this policy applied to SaaS, and only 22 percent said it applied to IaaS/PaaS.
"One of the biggest drivers is probably an expectation that the packaged service offerings, which typically claim to be based on cloud computing, are more reliable," said Mr Heiser. "While fault tolerance is a feature of many such offerings, we consider it premature to assume that mission-critical data is safer in a cloud than in a traditional data center in which buyers usually make very specific choices about how data will be backed up."
The most significant reduction in the use of risk assessment practices has been in the practice of sending company staff to evaluate a partner's controls on-site, which has dropped by over 40 percent over three years. Use of standards-based questionnaires has increased, while the use of proprietary surveys has dropped by the same degree, leaving the prevalence of questionnaires virtually the same.
Additional information is available in the report: "Survey Analysis: Assessment Practices for Cloud, SaaS and Partner Risks, 2012," which is available on Gartner's website athttp://www.gartner.com/resId=2000315.
MrHeiser will discuss the security state of the cloud at theGartner Security & Risk Management Summit 2012 held on September 19-20 in London. For more information on the Summit, please visitwww.gartner.com/eu/security. Members of the media can register by contacting Laurence Goasduff atlaurence.goasduff@gartner.com.
Additional information from the event will be shared on Twitter athttp://twitter.com/Gartner_inc and using #GartnerSEC.
About Gartner Security & Risk ManagementSummit 2012
The Gartner Security & Risk Management Summitfeatures four programs focusing on security, risk management and compliance, business continuity management and chief information security officer (CISO) roles to deliver detailed, role-specific content and networking. Each program offers a full agenda of analyst sessions, keynote presentations, roundtable discussions, case studies, workshops and more.
Contacts:
Rob van der Meulen
Gartner
+44 0 1784 267892
rob.vandermeulen@gartner.com
Christy Pettey
Gartner
+1 408 468 8312
christy.pettey@gartner.com
About Gartner:
Gartner, Inc. (NYSE: IT) is the world's leading information technology research and advisory company. Gartner delivers the technology-related insight necessary for its clients to make the right decisions, every day. From CIOs and senior IT leaders in corporations and government agencies, to business leaders in high-tech and telecom enterprises and professional services firms, to technology investors, Gartner is the valuable partner to clients in 12,000 distinct organizations. Through the resources of Gartner Research, Gartner Executive Programs, Gartner Consulting and Gartner Events, Gartner works with every client to research, analyze and interpret the business of IT within the context of their individual role. Founded in 1979, Gartner is headquartered in Stamford, Connecticut, U.S.A., and has 5,000 associates, including 1,280 research analysts and consultants, and clients in 85 countries.www.gartner.com.
|
distributed by
|
