A Forrester Consulting Thought Leadership Paper Commissioned By Microsoft
Enabling The Secure And Rapid Adoption Of Cloud Services
October 2013
Forrester Consulting
Enabling The Secure And Rapid Adoption Of Cloud Services
Page 1
Table Of Contents
Executive Summary (page 2)
IT Pros Turn To Cloud Services To Help Reduce Costs While Increasing Value (page 3)
Cloud Adoption Requires Architectural And Process Changes (page 6)
IT Pros Take A Multilayered Approach To Data Protection (page 11)
Key Recommendations (page 14)
Appendix A: Methodology (page 15)
Appendix B: Demographics/Data (page 15)
Appendix C: Endnotes (page 16)
© 2013, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources.
Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, RoleView, TechRadar, and Total
Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. For additional
information, go to www.forrester.com. [1-M572U3]
About Forrester Consulting
Forrester Consulting provides independent and objective research-based consulting to help leaders succeed in their organizations. Ranging in
scope from a short strategy session to custom projects, Forrester’s Consulting services connect you directly with research analysts who apply
expert insight to your specific business challenges. For more information, visit www.forrester.com/consulting.
Executive Summary
On behalf of Microsoft, Forrester Consulting conducted research to explore the current and future state of security in
cloud environments among North American and European enterprises. In this study, we found that cloud adoption is
accelerating at a rapid clip because the benefits (flexible cost models, rapid implementation, high availability, and
performance) outweigh many security concerns regarding the cloud provider’s ability to respond to significant service
disruptions, protect sensitive data, and support regulatory compliance. Given the rapid adoption, IT pros, particularly
those in security, must focus not on inhibiting or preventing adoption (because it’s futile) but on how they can support
this adoption by ensuring the right controls are in place and mitigating risks to a level that is acceptable to the business.
To do this, IT pros must assess the security and risk posture of potential cloud providers for the ability not only to
provide network and data protections such as encryption but also to demonstrate process maturity in disaster recovery
preparedness and response, identity and access management, and incident management and forensics.
Key Findings
More specifically, in this custom study, we found that:
• Flexible models, scalability, and lower overall costs continue to drive cloud adoption. When asked to rank the
top three cloud drivers, 44% of IT pros selected flexible cost models, 40% selected scalability (specifically the
ability to scale up and scale down services as needed), and 36% selected lower overall costs.
• Forty percent have moved email to the cloud, and more workloads will follow. Another 22% of IT pros plan to
move email to the cloud during the next 12 months, at which point, a majority of organizations will use a cloud
provider for email. But it’s not just email. In healthy numbers, IT pros also plan to move storage, document
management, portals, and office productivity tools to the cloud.
• When evaluating cloud providers, IT pros focus on network security, data protection, and continuity. IT pros
consider network security controls such as firewalls and intrusion detection systems to be of high or critical
importance (85% and 77%, respectively). They also consider data security and protection technology such as data
leak prevention and encryption of data in transit to be of high or critical importance (85% and 80%, respectively).
Disaster recovery or IT continuity was also important: 79% said it was a high or critical consideration. When
asked about process considerations, business continuity and disaster recovery (BCDR) and data protection once
again topped the list, but identity and access management appeared in the top three.
• IT pros expect some architectural and process changes in security as the result of cloud adoption. More than
one-third of IT pros expect to see many differences in how they approach security management and
implementation. This is because when workloads move to the cloud, IT pros lose responsibility for the
direct implementation and management of security controls, but the organization still holds them ultimately
responsible for the security of its assets. This requires more focus on integrating on-premises and
cloud-based security, more monitoring of service-level agreements (SLAs), and continuous assessment of the
cloud provider’s security and risk posture.
• For granular data protection, IT pros expect to see secure databases and storage. More than 76% of IT pros
indicated that secure databases and storage were of critical or high importance, followed by data leak prevention
(DLP) technology at 72%.
• When it comes to compliance, IT pros look to a mix of security and industry-specific certifications. When
evaluating cloud providers for compliance, IT pros identified compliance with ISO 27001, HIPAA, and SAS 70
(now SOC) as high or critical in importance. IT pros identified ISO 27001 as the top standard or regulation when
evaluating cloud providers. While not industry-specific or even cloud-specific, ISO 27001 is a globally recognized
security standard, and certification for it indicates a better-than-average maturity in security management.
IT Pros Turn To Cloud Services To Help Reduce Costs While Increasing Value
Core IT infrastructure and services are undergoing a massive transformation. Today, new server deployments are
virtualized by default, and consolidation, standardization, and automation are helping IT pros optimize costs and
deliver services that are more dependable. Even still, most IT organizations find themselves under continuous pressure
to reduce costs even further and transform themselves to meet new business demands. For many, public cloud services
are becoming smart alternatives to the on-premises deployment of IT services that can help achieve these goals. In fact,
according to Forrester’s Forrsights Software Survey, Q4 2012, Forrester Research, Inc., 38% of enterprises have already
adopted software-as-a-service (SaaS), 17% have adopted platform-as-a-service (PaaS), and 28% have adopted
infrastructure-as-a-service (IaaS).1 How? It’s because cloud services:
• Provide more flexible cost models and reduced implementation time. Since most cloud service subscriptions
can be treated as operational expenses and not capital expenditures, companies are able to move away from the
old-style acquisition of boxed software media and licenses — allowing them to acquire solutions and applications
when and where they need them and not when they can budget capital expenditures for them. This ensures ease of
purchasing and provisioning of new software services.
• Allow IT pros to scale services up or down as business demands change. While buying more licenses has been
relatively easy (except for version availability and incompatibility issues), legacy software licensing models did not
allow for easy scaling down and reducing seats as needs change. The cloud resolved this: You can acquire as
much computing and software power as you need. You can also use pay-as-you-go subscription models with
cloud offerings.
• Have lower hardware, power, and licensing costs. Because you don’t need to have hardware on-premises to run
cloud services, hardware acquisition, system administration, and power costs are significantly lower with cloud-
based services.
• Require fewer IT resources for maintenance. Since much of the computing power is not on-premises and you
don’t need to do version upgrades, patching, or maintenance of either the hardware, operating system, or
business software, IT personnel costs will be significantly (our interviewees said that in some cases 80% or more)
lower.
• Improve availability and performance. Many organizations fail to realize that they actually cannot provide the
same level of availability, business continuity, disaster recovery, and performance at the same price level as a
cloud provider, which can leverage its scale and expertise to deliver higher availability with lower costs.
• Speed up deployment of new services and applications. With minutes instead of days/weeks to procure and
provision servers, the pace of innovation has dramatically increased. Reduced time-to-develop and time-to-
market means your IT can be much more agile in servicing needs of the business units or developers. Cloud
services also help organizations embrace and enable innovation and move faster than their competition. In fact, it
is the speed and agility that IT hasn’t been able to provide that has resulted in what many call “shadow IT” where
business units are resorting to using credit cards to procure computing resources outside of the purview of the IT.
Figure 1
Lower Cost And Higher Performance And Scalability Drive Cloud Adoption
Base: 200 US and European IT decision-makers from firms with 1,000 or more employees
(multiple responses accepted)
Source: A commissioned study conducted by Forrester Consulting on behalf of Microsoft, July 2013
More And More Workloads Will Move To The Cloud
Which specific workloads are IT pros moving to the cloud? It turns out that IT pros have already moved email (40%)
and essential office productivity tools (30%) workloads to the cloud. But more workloads are headed to the cloud; data
storage (56%), customer portals (56%), and document management (56%) have the highest levels of planned
implementation/expansion (see Figure 2). In Forrester’s own client interviews, we found that IT pros are moving these
workloads to the cloud because:
• IT can’t keep up with data storage growth. As organizations have digitized most business processes, data storage
requirements for both structured (databases) and unstructured (file shares storing high-resolution images, video,
files, etc.) content have skyrocketed.2 This is further exacerbated by the need to back up and replicate data
multiple times for operational and disaster recovery and to archive data for sometimes years at a time for
regulatory compliance and legal discovery. In many cases, IT organizations have found that cloud storage,
particularly for bulk storage requirements related to files, backups, and archives, is less expensive than on-
premises storage deployments.
• Email requires high availability and performance. Many organizations classify email as a mission-
critical application. When it’s down or performance is degraded, internal and external communication between
employees, partners, and customers comes to a halt. Email requires significant storage as well as high levels of
availability and performance, and outside of very large enterprises, this can often be difficult to achieve in-house.
Security is also of the utmost importance. IT must not only stop spam and phishing campaigns but also ensure
that employees do not send or accidentally leak sensitive data from the organization. Protecting data in emails
using on-premises DLP solutions is costly and labor-intensive to configure (you have to be able to define sensitive
and risky data using search patterns) — moving email DLP into the cloud also acts as a catalyst for moving email
into the cloud.
• Customer/employee portals require state-of-the-art high-performance identity and access management.
Creating and maintaining a single sign-on (SSO) and identity and access management (IAM) environment is not
an easy task — even with good on-premises IAM solutions. Using a cloud-based solution for IAM services
provides these services out of the box, along with better network security and distributed denial of service (DDoS)
protection.
• Cloud-based document management allows for structured risk-aware management. Most organizations
Forrester interviewed struggle with unstructured data protection and a mushrooming array of on-premises
collaboration and enterprise content management systems resulting in lax compliance and controls. Cloud-based
document management systems 1) mandate that all documents are stored in the same place (at the cloud
provider); 2) force better risk-tagging of data elements; and 3) reduce the use of unstructured data in general.
• Cloud-based office applications foster collaboration. Organizations tell us they are seeing the benefits of cloud-
based productivity (word processing, spreadsheets, presentations, etc.) applications already because they enable
secure document sharing and promote collaboration faster than on-premises solutions. Beyond collaboration,
organizations also said that their desktop maintenance costs for business users have decreased 30% to 50%
because of not having to administer and maintain desktop versions.
Figure 2
Data Storage, Email, Portals, And Document Management Are Moving Rapidly Into The Cloud
Base: 200 US and European IT decision-makers from firms with 1,000 or more employees
Source: A commissioned study conducted by Forrester Consulting on behalf of Microsoft, July 2013
Note: Don’t know responses are not included
Cloud Adoption Requires Architectural And Process Changes
It’s one thing to decide that your organization is going to leverage cloud services; determining whether you can do so
successfully and in a stable and secure fashion is a very different matter. This is measured by your organization’s
familiarity with cloud computing technologies and services, your level of experience with them, as well as your degree
of understanding about what makes them different and the implication that has on your organization. Given the rapid
adoption of cloud services, it’s clear that IT pros, particularly those in the security organization, must focus on how they
address security concerns and reduce overall risk — attempting to block or inhibit adoption is out of the question. When
evaluating the security posture of service providers, IT pros were most concerned with the cloud provider’s ability to
provide:
• Adequate network security and data protection controls. Similar to their own internal environments, IT pros
want to know the cloud providers have basic network security controls in place such as firewalls and intrusion
detection systems. And because the provider will store sensitive data, IT pros also must ensure that they or their
provider can protect data in flight (typically through encryption). Once the data is there, the provider must have the
means to protect it from IT failure, human errors, and other events (typically through backups, snapshots, and
replication) and to prevent possible extrusions (by cybercriminals, malicious insiders, or unwitting insiders) with
DLP technology (see Figure 3).
• Adequate processes for IT continuity, data protection, and internal identity and access management.
Evaluating a provider’s technical controls is only half the battle. To ascertain their risk posture accurately, IT pros
must also understand the maturity of the provider’s security operations and processes. IT pros seem most
concerned about providers’ readiness for a major disruption that requires an invocation of their disaster recovery
(DR) plan. Readiness is more than technology. It requires having documented plans that the provider tests on a
regular basis. The same is true for data protection; it’s more than just applying encryption and deploying DLP.
Providers need to understand the patchwork of global data privacy regulations and their implications on where
they can store and transmit data. Moreover, since so-called “trusted insiders” are responsible for a large
percentage of breaches, understanding how the provider restricts and strictly enforces access control for its own
employees is one of the most important considerations in data protection (see Figure 4). Finally, when breaches
and other incidents occur, it’s important that the provider has robust incident response plans in place to properly
stop, investigate, and communicate the breach. You can transfer responsibility for data protection to a third
party, but you can’t transfer liability.
Figure 3
IT Pros Seek Robust Data Protection, Network Security, BCDR, And IAM Tools And Technologies
Base: 200 US and European IT decision-makers from firms with 1,000 or more employees
Source: A commissioned study conducted by Forrester Consulting on behalf of Microsoft, July 2013
Note: Don’t know responses are not included
Figure 4
Cloud Providers Must Have BCDR, Data Protection, PIM, And Physical Security Processes Firmed Up
Base: 200 US and European IT decision-makers from firms with 1,000 or more employees
Source: A commissioned study conducted by Forrester Consulting on behalf of Microsoft, July 2013
IT Pros Must Focus Security Technology On Integration, Visibility, And Access Control
With on-premises IT services and apps, IT pros have almost total control of security: They can set firewall rules, set up
access policies for their apps, manage encryption keys, and set up patterns in DLP solutions. When workloads move to
the cloud, you lose responsibility for the direct implementation and management of security controls, but you still have
responsibility to protect your organization’s most sensitive assets — regardless of location or hosting model. Cloud
security is all about 1) ensuring adequate security controls at your cloud provider, and 2) integrating your on-premises
security tools and processes with that of the cloud provider — because not all workloads will move to the cloud. What
are the biggest differences in the security of on-premises versus cloud apps? According to our custom study and
interactions with Forrester clients, it’s the fact that IT pros must:
• Rely on the DR technology and approaches of the cloud provider. According to our study, 39% of IT pros see
many or complete differences in BCDR between on-premises and cloud apps and services. By deploying
applications in the cloud, IT pros become reliant on the high availability and disaster recovery (DR) capabilities
of their cloud providers. In some cases, the cloud providers can offer much higher levels of availability than IT
pros could achieve on-premises. However, IT pros don’t take the provider’s capabilities for granted; they require
visibility into the way the cloud provider designs, implements, and manages these capabilities. They want to
know, for example, that the provider has the ability to continue processing in the event of localized failures (e.g.,
hardware or software failure, human error, data corruption) as well as data-center-wide failures (e.g., extreme
weather, power failures). In addition to providing these foundational services, IT pros want backup and recovery
mechanisms that support their own DR processes and expose services that support the development of their own
highly available applications.
• Integrate IAM for cloud services with on-premises identity systems. Increasingly, IT pros leverage cloud
services to expose data and applications to not only employees but also members of their extended enterprise (e.g.,
business partners, contractors, and customers). Managing identities and access controls across this diverse set of
user groups requires the same robust identity management systems IT pros currently have on-premises, along
with the necessary security capabilities, such as roles-based access control (RBAC) and multifactor
authentication. In addition to rich IAM capabilities in the cloud, integration with existing on-premises identity
systems was critical for most of the IT pros we interviewed — organizations want to extend their existing identity
systems to the cloud rather than bolting together disparate identity frameworks. While federation can help bridge
that gap, systems that offer a more integrated hybrid approach are often preferable.
• Demand transparency in physical security. Cloud providers often implement advanced physical security
features (like video surveillance), which are too expensive for the average enterprise but can provide a much
higher level of security. However, not all cloud providers provision their own data centers; many lease floor space
from colocation providers that support other customers in their data centers. It’s therefore critical to understand
the physical security measures of the data center in which providers will store your sensitive data.
• Insist on storage and workload isolation. For a cloud provider serving multitudes of customers, storage and
workload isolation is a must. Organizations we interviewed said that while they are comfortable sharing lower-
level hardware and software environments at the cloud provider (e.g., development and integration
environments) with other clients, they definitely demand robust access control and isolation in higher-level
environments (e.g., staging, QA) and definitely in the production environment. The tools that enable logical
isolation are encryption, virtualized operating systems, firewalls, and network compartmentalization.
• Require network visibility, analysis, and logs from cloud intrusion detection and prevention
(IDS/IPS) and security incident and event monitoring (SIEM) systems. Forrester’s interviews reveal that clients expect
IDS/IPS to be bundled into the cloud provider’s environment. Most said that they are satisfied with the
commoditized IDS/IPS solutions of the cloud provider as long as the provider can demonstrate reporting and
auditing capabilities and meets applicable compliance standards (e.g., FedRAMP). IT pros have gone to great
lengths to deploy, integrate, and fine-tune SIEM platforms. Many clients feel that they lose this situational
awareness in the cloud, but they expect that cloud providers will readily provide integration with their clients’ on-
premises SIEM solutions to regain it.
• Stipulate the use of robust privileged identity management tools and processes. Privileged identity
management (PIM) in the cloud is something that concerns IT pros. When it comes to your own environment,
you obviously know your system administrators well, but in the cloud, you know nothing about the
administrators managing the environment. IT pros increasingly demand to understand the provider’s process for
background checks, and they want greater insight into the process of granting and using administrative rights to
the provider’s hardware and virtualization infrastructure. Many Forrester clients tell us that they want their cloud
provider to use a PIM tool (password-safe privileged session management and recording tool, privilege
delegation tool, etc.) for the cloud environment and also have strong process controls for privileged access to
systems.
Figure 5
More Than One-Third Expect A Substantial, If Not A Complete, Overhaul Of Security In The Cloud
Base: 200 US and European IT decision-makers from firms with 1,000 or more employees
Source: A commissioned study conducted by Forrester Consulting on behalf of Microsoft, July 2013
Note: Don’t know responses are not included
IT Pros Must Focus Processes On Mitigating Risk
In ongoing discussions with Forrester clients, it’s clear that the security technology of the cloud provider is not
everything. IT pros not only want to see documented procedural safeguards in the cloud environment but also demand
measurable SLAs for availability. When asked about the expected differences in nontechnical processes, IT pros
expected to see differences in all essential processes from BCDR to risk assessments and change management. Once
again, DR tops the list. Collaboration of the client teams with the cloud provider teams in BCDR processes that pertain
to the IaaS infrastructure and the client’s assets, physical security, risk assessment, data protection processes, and
change management are the most important (see Figure 6).
Figure 6
Security Processes Are Significantly Different In The Cloud
Base: 200 US and European IT decision-makers from firms with 1,000 or more employees
Source: A commissioned study conducted by Forrester Consulting on behalf of Microsoft, July 2013
Note: Don’t know responses are not included
IT Pros Take A Multilayered Approach To Data Protection
Many of the workloads that IT pros have or plan to move to the cloud contain massive amounts of sensitive data
(intellectual property, nonpublic financial information, etc.) and personally identifiable information (PII) such as
employee or customer addresses that IT pros need to protect regardless of location or hosting model. In addition to
protecting sensitive data from cybercriminals, fraudsters, and state-sponsored agents, IT pros must ensure that the
organization does not violate compliance or privacy laws (e.g., HIPAA in the US or the EU Data Protection Directive)
that dictate how the organization can collect, store, use, and transfer PII. In this custom study, we found that IT pros
require a multifaceted approach to protecting their data including the:
• Security of databases and storage. One can consider the database the most important layer in the IT stack — it’s
often where you store your organization’s most sensitive data and certainly most of the PII. According to our
custom study, 76% of IT pros indicated that secure databases/storage were of critical or high importance.
Protecting databases requires multiple technologies, some provided by the database vendors themselves and
some provided by security vendors, but they generally include database monitoring, encryption (the ability to
encrypt at a granular level such as a cell, row, or table), data masking (obscuring sensitive data), and database-
specific DLP tools.
• Demonstration of DLP. Seventy-two percent of IT pros cited DLP as a high or critical priority. Forrester clients
often tell us that they look at DLP from two different angles: 1) protection of PII data types (which luckily are
often easy to identify, such as social security or credit card numbers), and 2) protection of organization-specific
sensitive data (e.g., intellectual property, classified information).
• Segregation and isolation of data. Keeping (sensitive) data apart from other companies’ data is critical:
Companies definitely would not like to find their potential competitors looking at their cloud-stored data. Proper
network segregation and compartmentalization and applying the least-privilege principle to all IaaS personnel will
ensure data segregation and isolation. Ninety-four percent of respondents thought that data segregation was at
least of medium importance.
• Destruction or deletion of data. If you opt to discontinue services with your cloud provider or if you are using a
public cloud service for the storage of archival data that has an expired retention period, it’s very important to
have assurances that the provider can certify the destruction of the data. Otherwise, the data is still possibly
vulnerable to cybercriminals, legal discovery, or compliance audit. In this custom study, 66% of IT pros said that
data destruction was of high or critical importance.
• Support for encryption. According to the custom study, about 66% of IT pros said that encryption (applied at
various levels) was of high or critical importance. Many organizations also mentioned that they want to have data
encryption to protect data ingestion and transfer. Most organizations use SSL on the web layer but find that the
application layer is trickier, as many applications do not easily support SSL or deal well with encrypted data.
Organizations working with less-sensitive data find that cloud providers can run key management processes. For
more-sensitive data protection, clients said that they use managed PKI services. Emerging technologies in this
space include homomorphic encryption and efficient and fast searching of encrypted data without decryption.
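The DLP discussion above notes that PII data types such as social security and credit card numbers are easy to identify by pattern, while organization-specific sensitive data needs its own definitions. The following is an added example, not code from the Forrester paper or from Microsoft, of the kind of pattern-based classifier an email DLP rule relies on: regular expressions for card and SSN formats, a Luhn check to discard digit runs that merely look like card numbers, and a hypothetical keyword list for organization-specific terms. The email body and the keyword list are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample of an outbound email body (not real customer data).
SAMPLE_EMAIL = """Hi Pat,
Please process the refund to card 4111 1111 1111 1111 by Friday.
Customer SSN on file: 123-45-6789. Order ref 4111-1111-1111-1112 is a typo.
Internal project code: Project Falcon (CONFIDENTIAL).
"""

# Hypothetical organization-specific terms that a DLP administrator would maintain.
SENSITIVE_KEYWORDS = ["Project Falcon", "CONFIDENTIAL"]

# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in AAA-GG-SSSS form, excluding invalid area (000, 666, 9xx) and zero groups.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


@dataclass
class Finding:
    kind: str    # "credit_card", "ssn" or "keyword"
    start: int   # offset of the match in the scanned text
    end: int
    masked: str  # representation that is safe to write to a DLP log


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; rejects digit runs (order refs, typos) that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> list[Finding]:
    """Return every PII and keyword match in text, ordered by position."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):  # only Luhn-valid runs are reported as card numbers
            masked = "*" * (len(digits) - 4) + digits[-4:]
            findings.append(Finding("credit_card", m.start(), m.end(), masked))
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", m.start(), m.end(), "***-**-" + m.group()[-4:]))
    for kw in SENSITIVE_KEYWORDS:
        for m in re.finditer(re.escape(kw), text, flags=re.IGNORECASE):
            findings.append(Finding("keyword", m.start(), m.end(), "[REDACTED]"))
    return sorted(findings, key=lambda f: f.start)


def redact(text: str) -> str:
    """Replace each finding with its masked form; work right to left so offsets stay valid."""
    out = text
    for f in sorted(scan(text), key=lambda f: f.start, reverse=True):
        out = out[:f.start] + f.masked + out[f.end:]
    return out


if __name__ == "__main__":
    for f in scan(SAMPLE_EMAIL):
        print(f"{f.kind:12s} at offset {f.start:3d}: {f.masked}")
    print(redact(SAMPLE_EMAIL))
```

Running the block reports one card number, one SSN and two keyword hits, and leaves the dash-separated "order ref" alone because it fails the Luhn check; that false-positive filter is what keeps a pattern-based rule usable on real mail volumes.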
Figure 7
Cloud Providers Must Protect Clients’ Data Using Secure Database, DLP, Data Segregation, Secure Key
Management, And Encryption
Base: 200 US and European IT decision-makers from firms with 1,000 or more employees
Source: A commissioned study conducted by Forrester Consulting on behalf of Microsoft, July 2013
Note: Don’t know responses are not included
IT Pros Want Cloud Providers To Certify With Security And Industry Standards
Even those organizations that are not subject to strict regulatory controls often use widely recognized regulations and
industry standards as a guideline for expected best practices. While Forrester has witnessed standards such as the Cloud
Security Alliance (CSA) Cloud Controls Matrix (CCM) and Service Organization Controls (SOC) 1 and SOC 2 become
the international standard for assessing security of cloud providers, ISO 27001 is still incredibly important. In fact, 40%
of IT pros say it’s of high or critical importance in their evaluation (see Figure 8). For many, ISO 27001 is an essential
barometer of core security management maturity. Cloud providers are required to comply with SOC 1, SOC 2, SOX,
and PCI primarily for financial services, HIPAA for healthcare, and FISMA/FedRAMP for US government agencies
and affiliates (contractors and organizations that are part of the defense industrial base).
Figure 8
Cloud Providers Need To Comply With ISO 27001, SAS 70, HIPAA, SOX, And PCI Regulations
Base: 200 US and European IT decision-makers from firms with 1,000 or more employees
Source: A commissioned study conducted by Forrester Consulting on behalf of Microsoft, July 2013
Key Recommendations
Supporting the inevitable transition to the cloud requires an understanding of the differences in managing security and
risk. Forrester recommends that firms look for cloud providers that can reliably and repeatedly demonstrate scalable,
documented, and followed-through processes and use of leading-edge tools in:
1. Multilayered data protection at rest and in transit. Mature data protection requires encryption of data at
the storage layer, use of DLP tools on servers and in email, and non-repudiable key management
processes. While many companies value control and management of their own encryption keys, others require
that the cloud provider be able to optionally provide key management and information rights
capabilities that work well with the organization's workloads and that also allow a third-party data protection
company to plug into the cloud environment (to "watch the watchers").
2. BCDR. Our survey respondents and interviewees unanimously said that they look to ensure that their
cloud provider can at least guarantee 99.9% SLAs and allow them to participate in BCDR exercises.
Organizations also need documentation, repeatability, visibility, and transparency of IaaS provider BCDR
processes, as well as integration of the cloud provider's relevant BCDR processes with their on-premises BCDR
processes.
3. Robust business and privileged IAM capabilities. Leading firms mandate that their cloud provider use PIM
tools for administrative password checkout and for session monitoring and recording. Business user security
repositories should ideally be stored at the client's site, and cloud resources should act as a federated (SAML 2.0 or
OAuth) relying party. The cloud provider should also provide turnkey solutions for SSO and multifactor
authentication for sensitive applications and for access to sensitive or PII data.
4. Network security and intrusion detection and prevention integration. Interviewees mentioned that, at the
tools and process levels, they need to ensure that their cloud provider is able to match and exceed their own security
requirements. Identity- and resource-aware firewalls and virtual networking capabilities are a must, and cloud
providers also need to provide robust IDS/IPS functionality to help with prevention of, and forensic support for,
any suspicious activity.
5. Portable transparency and trust. When evaluating cloud providers, make sure that their compliance
promises are real, and ask to see evidence when it comes to ISO 27001, SOC 1, and SOC 2, plus industry-specific
compliance. Be sure to ask for compliance with FedRAMP, as that standard is the most cloud-savvy today when
it comes to security. Build a framework that will allow your organization to pass on your cloud providers’
certifications to both your upstream and downstream partners and suppliers so that you can avoid being the
weakest link in the security compliance chain.
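Recommendation 1 asks for storage-layer encryption with keys the tenant controls. The following Go program is an added illustration of what that looks like in practice, not code from Forrester or Microsoft: envelope encryption, where each object is encrypted under a fresh data-encryption key (DEK) and the DEK is then wrapped under a key-encryption key (KEK) that never leaves the tenant. The provider stores only ciphertext and the wrapped DEK, so it holds nothing it can decrypt on its own, and destroying or rotating the KEK revokes access to every envelope at once. The object identifier, key sizes, and sample record are constructed for the example; a real deployment would source the KEK from the tenant's HSM or key management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is the only thing handed to the cloud provider for storage. It carries
// the object ciphertext and the data-encryption key (DEK) wrapped under a
// key-encryption key (KEK) that stays with the tenant, so the provider holds
// nothing it can decrypt on its own.
type Envelope struct {
	WrapNonce  []byte // nonce used when wrapping the DEK
	WrappedDEK []byte // DEK sealed under the tenant's KEK
	DataNonce  []byte // nonce used for the object ciphertext
	Ciphertext []byte // object encrypted under the DEK
}

// gcmSeal encrypts plaintext with AES-256-GCM under key, binding aad to the
// ciphertext so a stored blob cannot be silently re-attached to another object.
func gcmSeal(key, plaintext, aad []byte) (nonce, sealed []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; it fails on any wrong key, wrong aad or altered byte.
func gcmOpen(key, nonce, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, sealed, aad)
}

// Encrypt generates a fresh 256-bit DEK for this object, encrypts the object
// with it, then wraps the DEK under the tenant's KEK. objectID is used as
// associated data for both layers.
func Encrypt(kek []byte, objectID string, plaintext []byte) (*Envelope, error) {
	if len(kek) != 32 {
		return nil, errors.New("kek must be 32 bytes (AES-256)")
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	dataNonce, ct, err := gcmSeal(dek, plaintext, []byte(objectID))
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := gcmSeal(kek, dek, []byte(objectID))
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapNonce, wrapped, dataNonce, ct}, nil
}

// Decrypt unwraps the DEK with the tenant's KEK and then opens the object. A
// wrong KEK, tampered bytes, or an envelope moved to a different objectID all
// surface as an authentication error rather than as garbage plaintext.
func Decrypt(kek []byte, objectID string, env *Envelope) ([]byte, error) {
	dek, err := gcmOpen(kek, env.WrapNonce, env.WrappedDEK, []byte(objectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return gcmOpen(dek, env.DataNonce, env.Ciphertext, []byte(objectID))
}

func main() {
	// Constructed sample: a tenant-held KEK (in practice from the tenant's HSM/KMS).
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	env, err := Encrypt(kek, "tenant-a/records/42", []byte("constructed customer record"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider stores %d ciphertext bytes and a %d-byte wrapped DEK\n",
		len(env.Ciphertext), len(env.WrappedDEK))
	pt, err := Decrypt(kek, "tenant-a/records/42", env)
	if err != nil {
		panic(err)
	}
	fmt.Println("tenant reads back:", string(pt))
	// The provider, holding only the envelope, cannot read it without the KEK.
	_, err = Decrypt(make([]byte, 32), "tenant-a/records/42", env)
	fmt.Println("provider without KEK:", err)
}
```

Binding the object identifier as associated data is what makes "watch the watchers" auditable: an envelope copied onto a different object path fails to open, so a third-party monitor only has to check that decrypt failures are logged and investigated, not re-derive the key hierarchy.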
Appendix A: Methodology
In this study, Forrester conducted an online survey of 200 North American and European IT security decision-makers
from firms with 1,000 or more employees to understand the current and future state of security in cloud environments.
Survey participants included IT security professionals and leaders with decision-making responsibilities for their
organization’s cloud security. This study was conducted in July 2013.
Appendix B: Demographics/Data
Figure 9
Regional and Industry Breakdown of Respondents
Base: 200 US and European IT decision-makers from firms with 1,000 or more employees
(percentages do not total 100 because of rounding)
Source: A commissioned study conducted by Forrester Consulting on behalf of Microsoft, July 2013
Figure 10
Responsibility For Their Organization’s Cloud Strategy, Management, And Implementation
Base: 200 US and European IT decision-makers from firms with 1,000 or more employees
(percentages do not total 100 because of rounding)
Source: A commissioned study conducted by Forrester Consulting on behalf of Microsoft, July 2013