KuppingerCole Report
Advisory Note
By Mike Small

Security Organization, Governance, and the Cloud

The cloud provides an alternative way of obtaining IT services that offers many benefits including increased flexibility as well as reduced cost. This document provides an overview of the approach that enables an organization to securely and reliably use cloud services to achieve business objectives.

1 Executive Summary

This report is one of a series of documents around the use of cloud services. It recommends how the governance of security and compliance for the use ...

2 Highlights

This report provides recommendations for how the governance of security and compliance for cloud services should be organized and implemented. The hi ...

3 Risk and Responsibility for Cloud Services

How the responsibility for security is shared between the CSP and the cloud customer depends upon the cloud service model and the risks depend upon th ...

3.1 Cloud Service Models

There are several different kinds of service that can be delivered through the cloud. These can be described in terms of layers each providing more b ...

Figure 1 shows the various layers of cloud services; these layers illustrate how the services build upon each other. The fact that the services build ...

3.2 Shared Responsibility

The responsibility for security and compliance when using cloud services is shared between the cloud customer and the CSP.

How responsibility is ...

For IaaS services the CSP has no control over how the service is being used by the customer and is only responsible for securing the infrastructure us ...

4 Cloud Challenges

There are four principal categories of risk from the use of cloud services – compliance, business continuity, data security and cyber security.

Ther ...

4.1 Compliance Risks

Loss of compliance is the most prominent concern of organizations using cloud services.

Many organizations have invested heavily to ensure complianc ...

4.2 Business Continuity

There are several ways in which using cloud services could impact on business continuity.

It is often claimed that the cloud provides flexibility; h ...

4.3 Data Security

Using cloud services can make it more difficult to control legitimate access to data and increases the risks of data leakage.

The infrastructure upo ...

4.4 Cyber Security

The scale of cloud services and their use of the Internet make them a potential target for cyber criminals.

The value of the cloud service to the C ...

5 Cloud Governance

KuppingerCole recommends taking a good governance approach to all IT services and this is fundamental to securely embracing the cloud services and the ...

The governance process starts from business objectives and defines a policy for the IT services to deliver on those objectives. These lead to the pro ...

6 Cloud Management

The governance-based approach to the use of cloud services must be implemented through managed processes covering their acquisition, security and assu ...

6.1 Assess Organizational Readiness

The organization itself needs to be ready to use cloud services.

It is very hard to successfully outsource something if you do not fully understand ...

6.2 Assess Application Readiness

Some kinds of IT applications and some types of data are more suitable than others for deployment in the cloud.

For these, the balance of the pot ...

6.3 Cloud Service Procurement Process

Organizations must have a robust process for procuring cloud services.

This is necessary to ensure that cloud services are obtained to support def ...

6.4 Defining the security and compliance controls

Not all risks are equal – you need to prioritize which risks are important and specify the controls needed to manage these.

KuppingerCole Advisory R ...

6.5 Implementing the Controls

The cloud service customer must ensure that the controls for which it is responsible are implemented. However, since the delivery of the cloud serv ...

7 Organization

The Future IT Paradigm by KuppingerCole provides a standardized model which organizations can use to implement their digital transformatio ...

Business Service Delivery focuses on providing exactly the services business needs, in the way business needs them, and at the time they are needed. ...

There are many organizational stakeholders and the future IT organization needs to engage with all of these to ensure success.

  • Risk and Comp ...

8 Recommendations

Cloud services provide an important opportunity for organizations to implement digital transformation, get closer to their customers, increase flexibi ...

Organizations must take a governance-led approach to cloud services.

Cloud services are outside the direct control of the customer organizatio ...


©2021 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole´s initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.