
This research note is restricted to the personal use of renu@mit.gov.in
G00232645

Data Security Monitoring in the Cloud: Challenges and Solutions
Published: 23 April 2012

Analyst(s): Jeffrey Wheatman

Data-level security monitoring is increasingly crucial for sensitive data handled in the cloud, but the available monitoring options are immature and challenging to implement. Gartner's best practices can help with risk assessment and technology selection.

Key Findings

Security requirements and drivers in the cloud are different from those in traditional data center
environments, and data monitoring is no exception. The dynamic nature of the cloud, coupled
with the lack of customer ownership of infrastructure and limited transparency, has essentially
broken traditional security models and architectures.

While cloud providers have increased the options for monitoring in their clouds, the offerings
are still fairly immature, limited and mostly focused on network- and application-layer activity,
rather than on activity in the data layer.

Auditors and other stakeholders are increasingly focusing on data access, and the security
monitoring options currently available in the cloud are unlikely to fully satisfy their requirements.

Recommendations

Communicate with stakeholders to ensure that they understand the potential risks associated
with storing and processing data in the public cloud, focusing on the lack of options for
monitoring, especially for regulated and critical data.

Ensure that cloud services providers (CSPs) provide the appropriate level of monitoring controls
for the level of risk associated with the data (especially regulated data). This does not mean the
CSP will take ownership of the monitoring controls, because the data belongs to the
organization, and the organization is ultimately responsible for its safety and security.

Communicate with current and potential CSPs concerning your data-level monitoring needs.
Seek guidance about how to use native tools or solutions from your CSP, solutions from
independent software vendors (ISVs), or extensions or APIs offered by CSPs to allow you to
build your own solutions.


Ensure that any data monitoring solution you adopt integrates, or at minimum communicates,
with your enterprise's current monitoring and incident response tools and processes in cases
where the security organization must manage multiple solutions (not only cloud solutions).

Analysis
Why Monitor Data Access in the Cloud?
Gartner is seeing more clients entrusting not only regulated data, but also intellectual property and
other critical data, to public cloud projects. When these data elements are placed in cloud
environments that are not fully under the enterprise's control, it becomes more important to
understand who is accessing what. An enterprise can recover from a breach involving regulated
data, but the margin of error for intellectual property tends to be much narrower. Under these
circumstances, the ability to conduct real-time monitoring of data in the cloud could mean the
difference between a minor incident and one that threatens the viability of the enterprise.
The security risks to data in the cloud are significant (see Note 1 and "What You Need to Know
About Cloud Computing Security and Compliance" [Note: This document has been archived; some
of its content may not reflect current conditions.]), but they are not well-understood, making this
type of risk difficult to manage. Moreover, the immaturity and dynamic nature of cloud computing
make traditional enterprise data security controls impractical. Controls can be grouped into three
basic categories:

Administrative: These controls include policy, procedure, and identity and access governance.

Preventative: These controls include access, encryption, intrusion prevention and data
masking.

Detective: These controls include monitoring, analytics and incident response.

The Risks Involved


Gartner has seen an improvement in the ability of CSPs to offer administrative and preventative
controls, either natively in the cloud or through partnerships with ISVs, but detective controls
focused specifically on data access, if they exist at all, are less mature. Enterprises often do not
have visibility into what goes on in the cloud, and the patterns and behaviors related to data access
are no exceptions. This weakness represents a significant risk for enterprises that store or process
critical data in the cloud. These risks include:

Poor supervision of highly privileged users: CSP administrators have access that could easily
subvert controls implemented higher up in the stack, and could access stored data across
many of their customers. The inability to view what these administrators do with this privileged
level of access carries a significant risk, and could result in an adverse audit finding. Although
many CSPs monitor their administrators' activities, they typically do so for their own needs,
which don't necessarily match their customers' needs, and may offer insufficient protection for
critical data.


Weak data segmentation: The multitenancy models that are the norm in public clouds
inevitably lead to risks of data crossing logical or physical boundaries, and of savvy or skilled
users being able to bypass controls at virtualized borders. The segmentation security controls
offered by the virtualization technology that supports cloud implementations have historically
been attack-resistant. However, there is always the possibility that unknown vulnerabilities or
new attack mechanisms may allow the crossing of security boundaries that lead to data access.

Excessive reliance on applications' access controls: Lack of data-centric monitoring at the
cloud infrastructure level places much of the security load on the applications' access controls.
If permissions are granted inappropriately, or if deprovisioning is not implemented or
entitlement review is not done, users may have access to data they do not need, and this may
lead to a data breach whether intentional or accidental. Even if application-level monitoring is
available from the CSP or the application, it is often not granular enough to provide a real
understanding of which users are accessing which data and under what circumstances.
Moreover, the cloud provider may not be able or willing to implement behavioral-based anomaly
detection.

These risks have prompted Gartner to recommend that clients storing or processing critical data in
the cloud develop a strategy for monitoring the data's usage, using either CSP-provided tools or the
third-party tools needed for data monitoring in the cloud. Data-centric regulations such as the
Payment Card Industry Data Security Standard (PCI DSS) and the U.S. Health Insurance Portability
and Accountability Act (HIPAA), and pending regulations such as the proposed reform of the EU Data
Protection Directive, have rigorous requirements for auditing and accountability concerning access
to protected data types. Moreover, as auditors focus more closely on regulatory compliance in cloud
deployments, enterprises will increasingly pressure cloud providers to offer the monitoring needed
to respond, and auditors are likely to find that current data monitoring capabilities are inadequate.

Challenges to Implementing Data-Level Monitoring in the Cloud


Data-level monitoring in cloud environments can be challenging, because of general issues related
to cloud architectures, and specific issues unique to particular cloud offerings. These challenges
include:

Cloud providers tend to focus on performance-based monitoring, rather than security
monitoring, and whatever security monitoring they do offer is usually not oriented to the data
layer. Network security monitoring tools such as firewall logs and network intrusion prevention
systems provide visibility into network activity, but do not focus on data payloads. Application
monitoring in platform as a service (PaaS) and software as a service (SaaS) systems typically does
not deliver anomaly-based detection. A SaaS-based CRM data monitoring system, for
example, would not trigger on the fact that a salesperson has downloaded the entire customer
database, even though this action would likely represent a deviation from normal sales activity.
Cloud application brokers are attempting to improve their oversight of situations like this by
sending cloud application traffic through a proxy where data access controls can be enforced.

Data-centric monitoring technologies, such as database audit and protection (DAP) and
content-aware data loss prevention (DLP) tools, are typically architected using network
aggregators in conjunction with server agents installed on the database server. Public CSPs will
not allow client devices to be installed on their networks, and their willingness to allow clients to
install agents varies widely by offering.

The dynamic nature of cloud computing may mean that the data moves within the CSP's
infrastructure. If this is the case, any monitoring solution must be able to move rules, profiles
and policies on the fly to be effective. When cloud providers begin to offer data monitoring, their
capabilities will be limited in scope and function. Comprehensive monitoring requires a
combination of structured rules and behavior-based anomaly detection. Due to the effort
involved in fine-tuning behavior-based monitoring, the offerings will likely be signature-based, at
least in early stage offerings.

Many CSPs offer audit log management capabilities in SaaS and PaaS stacks, but native
logging adds processing and storage overhead, and the resulting logs are subject to the
enterprise's own log retention and archiving requirements.

SaaS offerings tend to provide application monitoring based on the assumption that, since the
client can only access data through the application, monitoring of direct access to the data
(that is, access that bypasses the application) is unnecessary.

Best Practices for Data Security Monitoring in the Cloud


Data security monitoring challenges and solutions vary for each cloud computing model in which
Gartner sees enterprises investing, but certain overall best practices still apply:

Begin by deciding whether data-level monitoring is required. For some use cases, notably in
SaaS and PaaS offerings, the default network or application monitoring provided as part of
the cloud provider's service agreement may be sufficient. For example, if the data in a SaaS
offering is only accessible through a provided application interface and the data is stored using
a distributed storage model, the value of data-specific monitoring is low. Some PaaS offerings,
such as application life cycle management as a service (ALMaaS) or application security as a
service (ASaaS), do not store the types of data that need to be monitored.

Evaluate the options for data-level security monitoring in current and future cloud projects, and
ensure that any providers or platforms that are adopted provide the appropriate level of
monitoring controls for the risk associated with the data. This is especially important for
regulated data types. In cases where CSP offerings are insufficient, add-ons or third-party tools
must be evaluated in order to adequately address the risks.

Ensure that the enterprise's auditors, legal and compliance departments, and other
stakeholders understand the risks of limited cloud data security monitoring, and that they will be
satisfied with any solutions before they are implemented. (Retrofitting will likely have an impact
on sizing, performance and cost.)

Follow the growth of third-party cloud security brokers that can provide layered security on top
of CSP offerings. This approach will likely not be possible immediately, however, because these
third-party solutions are still comparatively new, and growing in maturity.


Communicate with current and potential CSPs concerning your data-level monitoring needs.
Seek guidance as to how to use cloud-native tools or solutions, solutions from ISVs or APIs
offered by CSPs to allow you to build your own solutions.

Some organizations will only deploy and manage one monitoring platform. In cases where there
are distinct platforms, one in the enterprise and one in the public cloud, you must ensure that
any monitoring solution integrates or communicates with your enterprise's monitoring, and with
your incident response tools and processes.

Look to cloud-based security services that can act as proxies, and that can either encrypt
sensitive data before it is stored in the cloud, or monitor all cloud data access.

Infrastructure as a Service (IaaS)-Specific Issues


In an IaaS cloud deployment, the client controls the stack from the guest operating system upward
(the provider retains control of the hypervisor and physical hosts), and this simplifies
implementation of data-level monitoring. Although IaaS providers will not allow a network collector
to be deployed, the client can install a local agent, data collector or virtualized appliance
versions of network software. This makes it possible to implement a DAP or DLP solution that
provides visibility into what is going on at the data layer. Native auditing and logging can also be
fed to an internally managed monitoring solution, such as a security information and event
management (SIEM) tool, that supports a comprehensive view of the overall threat picture,
encompassing internal and cloud-based threats.
It is important to note, however, that turning on logging or auditing, or installing agents, will
consume processor time and storage, and may add cost for the bandwidth used to transmit monitored
data between the cloud and corporate networks. Native logging in particular presents several
challenges: logs typically need to be archived and retained for legal and regulatory compliance,
and because they can contain actual data values (for example, the literals in a logged query), they
need to be secured against access by an attacker. Moreover, the system's administrators have
access to the logs and could alter or delete them to hide the details of a breach; shipping log
entries off the host as they are produced, to a store those administrators cannot write to, limits
what they can retroactively change.
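Two of the native-logging issues just listed, that log lines carry actual data values and that the system's administrators can alter them, can be addressed at the point where a host agent forwards audit lines to the enterprise SIEM. The following is an added example, not code from the Gartner note or from any DAP, DLP or SIEM product: the database audit-line format, the user names and the queries are constructed, and the masking pattern and the SHA-256 hash chain are assumptions for illustration. Its limit is stated in the code: the chain proves an entry was not changed after the collector received it, so entries must leave the host as they are written, and an administrator who controls the host can still suppress what has not yet shipped.

```python
"""Tamper-evident, redacted forwarding of native audit log lines.

Added example, not from the Gartner note. The audit-line format is
hypothetical; the masking regex and the chain design are assumptions
for illustration, not any vendor's implementation.
"""
import hashlib
import json
import re

# Constructed sample of a database audit log on an IaaS-hosted server.
RAW_AUDIT_LINES = [
    "2012-04-23T10:01:07Z db=crm user=app_svc stmt=SELECT name,ssn FROM customers WHERE ssn='123-45-6789'",
    "2012-04-23T10:01:09Z db=crm user=app_svc stmt=UPDATE customers SET email='a@example.com' WHERE id=42",
    "2012-04-23T10:02:30Z db=crm user=dba_cloudadmin stmt=SELECT * FROM customers",
]

# Quoted SQL literals, plus bare SSN-shaped numbers, are masked before shipping.
_LITERAL = re.compile(r"'[^']*'|\b\d{3}-\d{2}-\d{4}\b")
GENESIS = "0" * 64  # chain head before the first entry


def redact(line):
    """Keep who ran what against which table; drop the data values."""
    return _LITERAL.sub("?", line)


def chain_hash(prev_head, seq, record):
    """SHA-256 over a canonical encoding of (previous head, seq, record)."""
    payload = json.dumps([prev_head, seq, record], separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def forward(raw_lines, head=GENESIS, start_seq=0):
    """Host-agent side: build the entries to ship. Returns (entries, head)."""
    entries = []
    for seq, raw in enumerate(raw_lines, start=start_seq):
        record = redact(raw)
        head = chain_hash(head, seq, record)
        entries.append({"seq": seq, "record": record, "hash": head})
    return entries, head


def verify(entries, head=GENESIS, start_seq=0):
    """Collector side: check sequence and chain continuity.

    Returns (ok, index of first bad entry or None, head after the last
    good entry). The collector persists that head and uses it for the
    next batch, so a later batch cannot quietly start from a different past.
    """
    expected = start_seq
    for idx, e in enumerate(entries):
        if e["seq"] != expected:
            return False, idx, head  # a line was removed or reordered
        if chain_hash(head, e["seq"], e["record"]) != e["hash"]:
            return False, idx, head  # record or hash changed after shipping
        head, expected = e["hash"], expected + 1
    return True, None, head


def demo():
    """Clean batch verifies; three admin-side manipulations are detected."""
    entries, agent_head = forward(RAW_AUDIT_LINES)
    results = {"clean": verify(entries)[0]}
    # Remove a line from the middle: the sequence gap shows at index 1.
    results["gap_detected_at"] = verify([e for e in entries if e["seq"] != 1])[1]
    # Rewrite the DBA's full-table dump as a narrow query: hash mismatch at index 2.
    edited = [dict(e) for e in entries]
    edited[2]["record"] = edited[2]["record"].replace("SELECT *", "SELECT id")
    results["edit_detected_at"] = verify(edited)[1]
    # Drop the last line: the shortened chain still verifies on its own, so the
    # collector must compare the head it reached with the head the agent reports.
    ok, _, seen_head = verify(entries[:-1])
    results["truncation_detected"] = ok and seen_head != agent_head
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The shipped record for the first line reads `... WHERE ssn=?`, so the SIEM still sees which table and columns `app_svc` touched without holding the social security number itself. The chain catches removal, reordering and after-the-fact edits of entries the collector has already received, and a shortened tail is caught only by comparing chain heads across batches; none of this stops a host administrator from dropping lines before they ship, which is why the entries should leave the host immediately and why the provider's own audit of administrator actions still matters.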

PaaS-Specific Issues
PaaS presents the most difficult set of use cases, for three reasons:

PaaS refers to a broad range of platform types and therefore a broad range of approaches to
data security monitoring. A database-as-a-platform provider may, for example, make it possible
to turn on logging for an additional charge, but likely will not allow the installation of an agent for
a third-party monitoring solution such as a DAP or DLP tool. On the other hand, in a more
expansive platform, such as business process monitoring as a service, the data store is
embedded, and there is no option to turn on logging or install an agent. This means that the
only monitoring available is what may be offered by the provider.

As noted, most monitoring in these stacks is performance-based, and any security monitoring
typically uses signature-based detection. Some PaaS providers provide APIs that can be
leveraged to expand their native monitoring capabilities. These APIs can be customized to
support behavior-based monitoring and analysis, but require significant effort to fine-tune.


Further, because some PaaS offerings comprise several layers, it can be difficult to identify the
appropriate level at which to monitor.

Because the market is so fragmented, PaaS clients will likely be purchasing solutions from
multiple providers, which will make normalizing a monitoring solution extremely challenging for
the foreseeable future.

SaaS-Specific Issues
In many ways, SaaS provides the easiest data security monitoring case. SaaS is offered as a
stack, so data typically can be accessed only through the designated application, not directly. For
this reason, there is no real differentiation between application monitoring and data monitoring.
Most, if not all, SaaS providers can produce reports based on application activity. However, these
canned reports are based on standard signatures, that is, on what the provider defines as normal
activity.
The challenge is assessing how to implement behavior-based monitoring. Some SaaS providers
offer APIs that can be used to generate custom reporting and analysis, but the benefits of using
these APIs may not be worth the effort; in other words, the effort of creating customized monitoring
and reporting solutions may be so onerous as to push customers to use native CSP offerings,
however limited they may be. Also, it is difficult to standardize monitoring across multiple SaaS
providers. This is where application brokers can play a significant role.
Another issue is that the simplicity of the integration between the application and the data in SaaS,
while seemingly providing a strong look at data access, does not lend itself to monitoring based on
behavioral analysis (for example, triggering on an individual's leveraging legitimate access to view or
download more records or documents than are needed to complete a given job). SaaS also does
not provide visibility into the data payload for classification purposes.
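The salesperson who downloads the entire customer database (from the Challenges section) and the behavioral-analysis gap described just above come down to the same detection logic: a per-user baseline of how many records that user normally exports, so that a permitted action at an unusual volume is flagged where a fixed signature is not. The following is an added example, not code from the Gartner note or from any SaaS provider or broker; the audit-line format, the user names and the event volumes are constructed, and the thresholds (five times the user's median, a fixed limit of 5,000 records, three prior exports before a baseline applies) are assumptions.

```python
"""Behavior-based detection of bulk data access in SaaS audit events.

Added illustration, not from the Gartner note. The audit-line format
below is hypothetical; real SaaS audit or export APIs use their own schema.
"""
from collections import defaultdict
from statistics import median

# Constructed sample audit lines for a hypothetical CRM tenant.
SAMPLE_LOG = """\
2012-04-02T09:10:00Z user=alice action=login
2012-04-02T09:12:00Z user=alice action=export object=Account records=40
2012-04-02T09:15:00Z user=bob action=export object=Opportunity records=900
2012-04-02T11:30:00Z user=alice action=export object=Contact records=55
2012-04-03T09:15:00Z user=bob action=export object=Opportunity records=950
2012-04-03T10:05:00Z user=alice action=export object=Account records=48
2012-04-03T16:40:00Z user=alice action=export object=Account records=1200
2012-04-04T09:15:00Z user=bob action=export object=Opportunity records=880
2012-04-04T14:20:00Z user=alice action=export object=Contact records=60
2012-04-05T09:15:00Z user=bob action=export object=Opportunity records=910
2012-04-05T17:45:00Z user=alice action=export object=Account records=12000
2012-04-06T09:15:00Z user=bob action=export object=Opportunity records=905
"""


def parse_event(line):
    """Turn one 'ts key=value ...' line into a dict; records defaults to 0."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs if "=" in p)
    return {
        "ts": ts,
        "user": fields.get("user", ""),
        "action": fields.get("action", ""),
        "object": fields.get("object", ""),
        "records": int(fields.get("records", "0")),
    }


def detect(lines, fixed_limit=5000, factor=5.0, min_history=3):
    """Run two rules over export events, in order.

    fixed:    records > fixed_limit, the signature-style rule a provider
              might offer; it misses a 1,200-record pull by a 50-record user.
    baseline: records > factor * median of this user's earlier exports,
              once min_history earlier exports exist (behavior-based).

    Returns (ts, user, records, reasons) for each alert.
    """
    history = defaultdict(list)  # user -> record counts of accepted exports
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev["action"] != "export":
            continue
        prior = history[ev["user"]]
        reasons = []
        if ev["records"] > fixed_limit:
            reasons.append("fixed")
        if len(prior) >= min_history and ev["records"] > factor * median(prior):
            reasons.append("baseline")
        if reasons:
            alerts.append((ev["ts"], ev["user"], ev["records"], tuple(reasons)))
        # Do not let a baseline-flagged export widen the user's own baseline.
        if "baseline" not in reasons:
            prior.append(ev["records"])
    return alerts


if __name__ == "__main__":
    for ts, user, n, why in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts} {user} exported {n} records: {', '.join(why)}")
```

On the sample, bob's steady 900-record exports never alert under either rule; alice's 1,200-record pull is caught only by her own baseline, and her 12,000-record pull by both. A production version would baseline per object type and time window, seed history from past exports rather than the first few live events, and pull the events from the provider's audit API or a broker proxy, since a user's own records-per-export count is exactly the view the canned reports described above do not give.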

Recommended Reading
Some documents may not be available as part of your current Gartner subscription.
"Cloud IaaS: Security Considerations"
"Critical Security Questions to Ask a Cloud Service Provider"
"Database Activities You Should Be Monitoring"
"Database Activity Monitoring Is Evolving Into Database Audit and Protection"
"Hype Cycle for Cloud Security, 2011"
"Key Issues for Securing Public and Private Cloud Computing, 2011"


"Predicts 2012: Enterprises Must Balance Opportunity and Risk in Cloud and Mobile Security"
Evidence
The analysis in this research was developed based on information derived from various data
sources. Gartner client calls on the topic of data security in general and on security in the cloud
indicate that many clients focus more aggressively on preventative controls than detective controls,
and this is more obvious in cloud projects. Calls were conducted by Gartner with 15 leading
providers of cloud computing services to discuss current and future offerings for data-centric
monitoring. Calls with auditors and a review of pertinent data-centric laws and regulations provided
the framework for drivers of data protection in cloud environments.
Note 1: References for the Risks of Cloud Computing
"Reducing Security Risks in Cloud Computing"
"Risk Management in Cloud Computing"
Nearly half of U.S. IT professionals say the risks of cloud computing outweigh the benefits,
according to the first annual ISACA IT Risk-Reward Barometer Survey.
This is part of a set of related research. See the following for an overview:

Securing and Managing Cloud Computing



© 2012 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This
publication may not be reproduced or distributed in any form without Gartner's prior written permission. The information contained in this
publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or
adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication
consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed
herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not
provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its
shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of
Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization
without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner
research, see Guiding Principles on Independence and Objectivity on its website, http://www.gartner.com/technology/about/
ombudsman/omb_guide2.jsp.
