KuppingerCole Report
Buyer's Compass
By Mike Small

IaaS Tenant Security Controls

IT Organizations now commonly use multiple cloud services as well as on premises IT. This KuppingerCole Buyer's Compass focusses on the capabilities IaaS services provide to manage the common business risks such as loss of business continuity, data breaches and regulatory compliance failure when using cloud services as part of a hybrid IT delivery model. It will provide you with questions to ask vendors, criteria to select your vendor, and the requirements for successful deployments. This report will prepare your organization to conduct RFIs and RFPs for IaaS as part of a Hybrid IT service delivery model.

1 How to use the Buyer's Compass

This KuppingerCole Buyer's Compass on IaaS tenant security controls provides information about:

  • Use Cases

  • Functional Selection Criteria

  • Non-function ...


2 Market Segments Defined

The market segments for IaaS services are defined by the scale of operation and the richness of the service provided. There are several well-known glo ...

The CSPs must meet their obligations to provide secure and compliant services. However, risks frequently arise because the tenant does not properly ...


3 Top Use Cases

As organizations go through digital transformation, they are using IaaS / PaaS cloud services to change the way they do business by creating new applications and modernizing their processes. This avoids the need for capital expenditure as well as the lengthy procurement delays involved when new hardware is needed. In addition, organizations are increasingly using cloud services to back up their business-critical data. For these business-critical enterprise applications there is a need to ensure that these services are used in a secure and compliant manner.

IaaS providers also offer an extended platform to support these use cases commonly providing pre-packaged services for middleware, databases, and development tools.

Cloud Native
Using the cloud service mostly to experiment with new technologies and to develop and deploy new systems providing direct engagement with customers, partners, and suppliers. These include:

• DevOps - This is the most common starting point for cloud service usage as part of a digital transformation strategy. The service is used for the development and testing of new or updated applications, which may then be deployed using the service.
• Analytics and Machine Learning - The amount of data generated through social media, marketing tools, the large-scale sensor networks typical of IoT, manufacturing and other processes can exceed the practical capacity of on-premises IT. The cloud provides data storage capacity and high computing power at a reasonable cost to analyse and exploit this data.

Enterprise Hybrid
Most organizations are now using a hybrid IT service delivery model in which the use of multiple cloud services is integrated with business-critical services that are delivered in other ways. These include:

• Digital Transformation - The use of cloud services can accelerate the digital transformation process. It limits the need for capital expenditure and avoids procurement delays, reducing the time to market. It can also accelerate the delivery of new business products and services across multiple geographies.
• Hybrid Workloads and Data - The objective is to achieve some of the benefits provided by the cloud (e.g., scalability, availability, or cost) while retaining control over certain security or compliance related aspects. This use case requires secure and performant connectivity and common management across the on-premises and cloud environments.
• Disaster Recovery - The cloud service forms an important part of the organizational business continuity plan. Its use may range from providing a backup of business-critical data through to cold or hot standby services enabling continuous operation of business-critical applications. Note that backups and standby copies are subject to the same data-location and access-control obligations as the primary data.

Security and Compliance
Digital transformation makes the organization more dependent upon its digitized services and hence more vulnerable to cyber risks. A cloud service must provide capabilities for the tenant to manage the common business risks that apply in the above use cases:

• Loss of business continuity – from individual element failures as well as cyber-attacks such as ransomware and denial of service.
• Data breaches – loss, leakage, or unauthorized access to the applications or data stored or processed within the cloud service.
• Compliance failure – failure to comply with obligations imposed by laws or regulations.

Table 1: Top Use Cases

4 Top 20 Selection Criteria - Functional

When looking at products in detail - for instance, during an RFI or RFP - there frequently are hundreds of different criteria to be evaluated. However ...


5 Top 10 Selection Criteria - Non-functional

As well as the functional selection criteria listed above, there are several non-functional criteria to consider when deciding on an IaaS service in the context of a hybrid IT model. Table 3 lists these requirements.

Size of vendor
Large vendors are not necessarily the best ones, but size matters to some extent. Smaller vendors may react faster, have a strong local presence, and be more innovative, while larger vendors have greater staying power in the market. Staying power is particularly important for the vendor of a service used to provide a business-critical application.

Number of customers for product
Having many customers is not only an indicator of financial strength but also helps in innovation, given that the vendor needs to satisfy the needs of a wider variety of customers.

Strategic focus on IaaS
Vendors with a broad product portfolio, where IaaS is not the primary focus, might innovate less in this area. Ensuring that the vendor has a strategic focus on IaaS is an important criterion.

Geographic Location of Services
The geographic location and legal jurisdiction from which the services are provided can be an important consideration for both performance and compliance reasons.

• The service should be available close to where it will be consumed to ensure that it is adequately responsive to requests. If the service is used from multiple geographic areas, it may be advantageous to choose a service that is delivered from these multiple regions.
• Many forms of data processing and storage are subject to regulations and laws that require them to be carried out (and sometimes administered) in specific geographies or jurisdictions.
• The tenant's choice of geographic location should be guaranteed by the service contract / SLA. The guarantee should cover every copy of the data, including backups, snapshots and replicas created for disaster recovery, not only the primary deployment.

Partner ecosystem in region
There should be a good partner ecosystem in the geographical region of the tenant, to support the tenant in specifying, designing, migrating, implementing, and managing the IaaS project.

Service Contractual Clauses
The Service Contract / SLA (Service Level Agreement) should provide binding commitments that are appropriate for the tenant's use case. Areas to consider include:

• Commitments by the CSP that the data will be processed in a way that is compliant with the relevant laws and regulations.
• Ownership of the tenant's data held in the service and how the data can be recovered at the termination of the contract.
• How the responsibilities for security are shared between the tenant and the CSP.
• Guarantees around the geographic location and processing of tenants' data.
• The CSP's policies regarding disclosure to tenants of legal access requests to their data.
• The CSP's policies relating to disclosure to tenants of suspected and actual data breaches.

Interoperability
Cloud services offer a wide variety of capabilities, many of which are proprietary to the individual service. The use of these capabilities may increase the costs to the tenant should they subsequently decide to move to another service. The tenant should consider the extent to which the capabilities offered by the service are based on widely implemented standards and balance this against the risk of technical lock-in.

Cyber Security of the Service
The scale of cloud services and their exposure to the Internet make them a potential target for cyber criminals. The value of the cloud service to the CSP makes it a target for economic blackmail under the threat of denial-of-service attacks; a DDoS attack could leave the tenant unable to use the service as intended. Malware introduced into the cloud service may prevent the service from operating correctly. Furthermore, malware could be introduced into files or data held in the cloud service that activates when downloaded into the organization's own systems.

For IaaS, the CSP is responsible for the physical infrastructure, the hypervisor and the underlying network, but your organization is responsible for the guest operating system and everything above it: patching, configuration, identities and access rights, network rules, encryption keys and the data itself. Evaluate:

• How well the infrastructure and components involved in delivering the service are protected against denial-of-service attacks and malware.
• Whether the CSP's responsibility for the security of the service is clearly defined.
• The tools and services the CSP provides to help you protect the components for which you are responsible against cyber threats.

Independent Certification of Compliance
Organizations are obliged to comply with laws and regulations governing how the data they hold is processed and stored, and evaluating how well a cloud service will support their compliance obligations is essential. For IaaS, the provider can justly claim to have no knowledge or control over what data the tenant stores in the service or how the service is used. However, the provider does have access to the service infrastructure and systems, and control over where the data and processing occur as well as how the infrastructure is administered.

While the cloud service tenant must ensure the compliance of the elements for which it is responsible, the delivery of the cloud service is outside the direct control of the tenant, so the tenant must evaluate whether the service will be delivered in a secure and compliant manner. This is another reason for adopting a common governance approach for all IT services, however they are delivered.

The service contract and SLA are important – make sure that:

• The contract and SLA provided meet your business requirements for the service. Consider how you will be able to measure performance against the contract and what compensation is provided for failure.
• The division of responsibilities for security and compliance is clearly defined.

Certification of compliance with the relevant laws, regulations and standards can provide added assurance. Evaluate the evidence that the CSP provides to show that the service is independently certified as compliant with these standards, and check that the certificate or report actually covers the regions and service components you intend to use.

• ISO/IEC 27001, together with the cloud-specific controls in ISO/IEC 27017 and 27018, is well established, and certification against it provides assurance that the security of the cloud service is managed systematically.
• SOC reports conducted to SSAE 18 / ISAE 3402 provide independent attestations on the controls of a service organization, including cloud services. A Type II report, which covers the operating effectiveness of controls over a period, gives more assurance than a Type I report on control design at a point in time.
• The CSA STAR program includes a registry that documents the security controls provided by popular cloud computing offerings, ranging from self-assessment to third-party certification or attestation.
• Codes of Conduct can help organizations choose between suppliers. However, look for independent certification that the provider follows the code.

Match with Tenant's Vendor Strategy
The cost and complexity of managing services from many vendors has led some organizations to identify a limited number of preferred vendors that are able to satisfy a wide range of the organization's needs. This is also relevant when selecting a cloud service. It may be preferable to select a service from a preferred vendor even though it is not the best match with the functional requirements. Some factors to consider include:

• The other products and services offered by the vendor.
• The match between the organization's future requirements and the vendor's roadmap.
• Pricing discounts through volume usage.
• Commonality of service management interfaces.

Table 3: Top Non-functional Selection Criteria
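The Geographic Location criterion above asks that the tenant's chosen location be guaranteed, and the Disaster Recovery use case in Table 1 is where that guarantee is most often broken in practice, because backups and snapshots get replicated to a region the primary data was never allowed in. The following is an added example, not code from the KuppingerCole report or from any CSP, of the tenant-side check that turns the contractual guarantee into something verifiable: it takes the tenant's own resource inventory plus the jurisdictions agreed for each data classification and flags every resource, copies included, that sits outside them. The region identifiers, the region-to-jurisdiction map, the policy and the inventory are all constructed sample data; a real deployment would feed it from the CSP's inventory API and the CSP's published region list.

```python
"""Data-residency check over a tenant-side cloud inventory.

Added example, not code from the KuppingerCole report or any CSP.  It takes
the tenant's own inventory of IaaS resources plus the jurisdictions the
tenant has agreed for each data classification, and flags every resource
(including backups and snapshots) that sits outside the permitted
jurisdictions.  Region names, the region-to-jurisdiction map, the policy and
the inventory below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Constructed map from provider region identifier to legal jurisdiction.
# Real identifiers differ per CSP; the tenant maintains this from the CSP's
# published region list and the location guarantees in the service contract.
REGION_JURISDICTION: Dict[str, str] = {
    "eu-west-1": "EU",
    "eu-central-1": "EU",
    "us-east-1": "US",
    "ap-southeast-1": "SG",
}

# Constructed residency policy: jurisdictions allowed to hold each data class.
RESIDENCY_POLICY: Dict[str, Set[str]] = {
    "personal-data": {"EU"},
    "financial": {"EU", "US"},
    "public": {"EU", "US", "SG"},
}


@dataclass(frozen=True)
class Resource:
    resource_id: str
    kind: str        # "vm", "object-store", "snapshot", "database", ...
    region: str
    data_class: str


@dataclass(frozen=True)
class Violation:
    resource_id: str
    region: str
    data_class: str
    reason: str


def check_residency(
    inventory: Iterable[Resource],
    policy: Dict[str, Set[str]] = RESIDENCY_POLICY,
    region_map: Dict[str, str] = REGION_JURISDICTION,
) -> List[Violation]:
    """Return one Violation per resource that breaks the residency policy.

    The check fails closed: an unmapped region or an unclassified data class
    is reported rather than silently accepted, because either gap means the
    tenant cannot show where that data is being held.
    """
    violations: List[Violation] = []
    for res in inventory:
        jurisdiction: Optional[str] = region_map.get(res.region)
        if jurisdiction is None:
            violations.append(Violation(res.resource_id, res.region, res.data_class,
                                        "region is not mapped to a known jurisdiction"))
            continue
        allowed = policy.get(res.data_class)
        if allowed is None:
            violations.append(Violation(res.resource_id, res.region, res.data_class,
                                        "data class has no residency rule"))
            continue
        if jurisdiction not in allowed:
            violations.append(Violation(
                res.resource_id, res.region, res.data_class,
                f"{res.kind} holds {res.data_class} in {jurisdiction}; "
                f"allowed: {sorted(allowed)}"))
    return violations


# Constructed inventory.  snap-003 is the typical failure mode: a disaster-
# recovery snapshot of EU personal data replicated to a US region.
SAMPLE_INVENTORY = [
    Resource("vm-001", "vm", "eu-west-1", "personal-data"),
    Resource("bkt-002", "object-store", "us-east-1", "financial"),
    Resource("snap-003", "snapshot", "us-east-1", "personal-data"),
    Resource("vm-004", "vm", "me-south-1", "public"),
    Resource("db-005", "database", "eu-central-1", "hr-records"),
]


def violating_ids(inventory: Iterable[Resource] = SAMPLE_INVENTORY) -> List[str]:
    """Convenience wrapper returning just the offending resource ids."""
    return [v.resource_id for v in check_residency(inventory)]


if __name__ == "__main__":
    for v in check_residency(SAMPLE_INVENTORY):
        print(f"{v.resource_id:10} {v.region:15} {v.data_class:14} {v.reason}")
```

Run against the sample inventory, the check reports snap-003 (an EU-only data class replicated to a US region), vm-004 (a region the tenant has not mapped to any jurisdiction, so its location cannot be asserted) and db-005 (a data class with no residency rule). The two fail-closed cases matter as much as the clear violation: they are the gaps an auditor will ask about, and they are invisible if the check only looks for explicit mismatches.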

6 Use Cases / Selection Criteria Matrix

Having identified the most important use cases and selection criteria for IaaS vendors, this section provides a matrix that maps use cases and functio ...

KuppingerCole Advisory Services can support you to adapt the criteria to your specific requirements and provide further services around selecting the ...


7 Top 5 Prerequisites - Technical

IaaS in the context of a hybrid IT service model cannot be isolated from other areas of IT service delivery. Thus, there are some technical prerequisi ...


8 Top 5 Prerequisites - Organizational

Successful exploitation of IaaS in the context of a hybrid IT service delivery model depends not only on the technology selected but also on how IT is ...


9 Top 10 Questions to ask the vendors

As well as asking about specific features, there are some more questions that are worth asking vendors. The following questions help in understanding ...



©2021 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole´s initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.