Guide To Cloud Security Concepts

Uploaded by

Brayan
14/7/2020 Guide to Cloud Security Concepts

Guide to Cloud Security Concepts


Published 27 March 2020 - ID G00720923 - 20 min read
By Analysts Patrick Hevesi, Richard Bartley, Dennis Xu
Initiatives: Security Technology and Infrastructure for Technical Professionals

This guide for security and risk management technical professionals will help first-time readers
get up to speed with current cloud security concepts and acronyms. It will help more
experienced readers understand new and upcoming concepts to build their cloud security
strategy and architecture.

Overview
Key Findings
■ Cloud security architecture and architect roles are mission-critical to the success of cloud
deployments.

■ Cloud risk assessment needs to be automated to keep pace with business needs.

■ Tier 1 cloud providers can be more secure starting points for workloads of all types.

■ Many companies have adopted a multicloud strategy, which necessitates the use of provider-
independent third-party security tools for consistent policy and governance across the multicloud
landscape.

Recommendations
Security and risk management technical professionals focusing on cloud security:

■ Start with defining your cloud security strategy, and favor cloud-native tools augmented by third-
party tools based on identified requirements.

■ Define cloud security ownership, build a cloud security architecture role and define best
practices.
https://www.gartner.com/document/3982651?ref=solrAll&refval=256244300 1/22

■ Leverage CASBs for cloud app risk features to automate and speed up cloud risk assessment.

■ Use CASB to protect sensitive data in approved cloud apps and to provide visibility and granular
access control to unapproved cloud apps.

■ For IaaS and aPaaS, use CSPM tools to provide overall visibility, and employ CWPP vendor tools to
provide workload insights across multiple clouds.

Analysis
Cloud security continues to be one of the most requested core topic coverage areas for the Security
Technology and Infrastructure Initiative. This is due to the constant drive for organizations to move
their infrastructure to the cloud, with security concerns at the top of the list. An additional
challenge with cloud security is the constant growth of technologies, strategies and new
vendors. This guide will help you understand the core concepts around cloud security, from people
and process to the technology at each of the layers needed to keep pace with your cloud security
strategy. Figure 1 shows the different areas of coverage for the cloud security core topic. Each item
has an introductory description, then links to more detailed information. We have also included a
glossary of terms that come up in cloud security discussions.

Figure 1: GTP Cloud Security Core Topic Coverage

Source: Gartner (March 2020)

Cloud Security Architecture


Your existing security architecture provides an approach to make cloud security architecture design
decisions using a layered approach to align business needs to technical (and process) security
capabilities. But there will be new concepts, processes and tools that will be needed to update your
security architecture to take into account new deployment models such as SaaS, PaaS and IaaS.
These new components will need to be decomposed and focused on to define the particular security
needs of each area of cloud implementation. This will facilitate focus on integrations between
clouds, their zones and interfaces, thus ensuring that all aspects of deployment are addressed.

If the organization is embracing development in the cloud using PaaS, containers and agile
processes, then the cloud security architecture will benefit from inclusion of DevSecOps tools and
services. These tools, processes and automation should be included in the security architecture to
ensure the integrity of the overall cloud deployment.

There are multiple approaches to security architecture, including the uses of frameworks and
methodologies to support design and implementation steps. A typical example of security
architecture methodology is SABSA, and a useful framework to help with architecting in the cloud is
the NIST Cybersecurity Framework. Gartner’s research in this area includes a general introduction to
security architecture in “Improve Your Security With Security Architecture,” and more in-depth help on
setting up and executing security architecture capabilities in “A Guidance Framework for Establishing
Your Approach to Security Architecture.” “Use SABSA to Architect Your IaaS Cloud Security” focuses
on security architecture in the cloud. Figure 2 (from this SABSA research) shows stages of
architectural design in layers to help define key aspects of cloud security and provides deep insights
into steps needed to be accomplished for each layer.

Figure 2: SABSA Security Architecture Layers and Their Value for Cloud Security

Gartner

Cloud Security Architect

All this complexity leads to the need for a new role inside your organization: the cloud security
architect. This role will lead the strategy and architecture for your organization as you adopt and
secure the cloud. This person will need knowledge in multiple disciplines, including security, IT,
operations, architecture, development and people skills, to help bring the business and technical
sides of the organization together. They will own building your cloud security strategy and
architecture, and build the roadmap for cloud security tools. A cloud security architect can come
from the security team, enterprise architecture (EA) or IT architecture. This can be a job title or a
responsibility for EA, but needs to be defined and put in place as a mission-critical role for your
organization. Figure 3 shows the skills broken down by relevance, impact to security, learning curve
and possible impedance to applying in the organization.

Figure 3: Cloud Security Architecture Skills Scope

Gartner

For more information, see “Essential Skills for Cloud Security Architects.”

Cloud Risk Assessment


The security risks of cloud deployments are detailed in “Performing Effective Security Risk
Assessments of Public Cloud Deployments.” Understand how to handle risks addressed by security
controls in the cloud and the challenges that cloud deployments can cause. These could include:

■ Existing systems and processes are not well-understood. Understanding the requirements,
including ones not explicitly identified by stakeholders, is a key element for the migration of any
service, to the cloud or otherwise. You must account for this element during your cloud service risk
assessment. You can’t evaluate a service for requirements or functions that are not known.

■ Organizations struggle to create meaningful risk assessments. Evaluating the risks in public
cloud service relationships is challenging, and risks continue to evolve. Often, security and risk
management technical professionals are required to express judgments on the adequacy or
insufficiency of vendor controls. Organizations frequently create massive risk assessment
questionnaires inspired by audit checklists, only to find that the results are difficult to evaluate if
not outright ignored by their cloud service providers (CSPs). Checklists might have a role to play in
your assessment process, but they can’t be relied upon as “the risk assessment process” itself.

■ Cloud service assessments require deeper involvement of stakeholders. Business and IT
stakeholders will both have a role in the risk evaluation and in the mitigation or acceptance of any
security or service gaps. In many situations, the gap will simply be a difference in practice. These
decisions about gaps and differences must be understood with respect to business impacts and
risk tolerance. Decisions to be made may include:

■ Can the organization tolerate losing all of the data housed in the service?

■ How about data created since last Saturday?

■ Can the organization service customers and meet contractual obligations when the cloud
service is unavailable?

■ Do stakeholders understand how the use of the internet for connectivity can impact the
performance and availability of these services?

Work with stakeholders to understand agility risks (i.e., technology debt situations with inflexible
CSPs), and avoid overspending risks by working closely with I&O and accounting.

■ Often, assessments of this nature expand into a more comprehensive examination of security and
service risks from the IT perspective. The business may see these cloud service assessments as
an obstacle to progress. However, such assessments are vital to ensuring that critical business
services are adopted within the actual risk tolerances and appetites of the organization. That is,
such assessments result in a better overall understanding of the cloud services being adopted.
You can read further about setting up a governance framework with stakeholders in “How to
Develop a SaaS Governance Framework.”

■ The volume and pace of assessments are challenging. Organizations are trying to increase their
adoption of new services of all types, not just cloud services. Regulated industries are
experiencing increased interest from regulators regarding oversight of third parties of all types.
These industries often begin with skepticism about cloud-based services, but now are starting to
realize the safety and benefits of cloud-based security. Implementing a vendor risk management
process within the organization could prove to be a winning solution; however, ensure that the
level of effort for assessments is proportional to the significance of the cloud use case. Careful
choices and pragmatism are the key.

Too often, information security and IT risk become fixated on rigid requirements. This is a natural
outcome of these groups being subjected to external examinations, audits and certifications that
have rigid requirements (such as the Payment Card Industry Data Security Standard [PCI DSS]).
However, security should not be accountable for all possible failures (otherwise security teams will
always try to prevent or delay moves to the cloud). Additionally, when these prescriptive requirements
become expressed in checklists, organizations equate the assessment with the checklist itself and
lose sight of the broader risk assessment process. Even worse, they apply scoring methods that
gloss over the details regarding gaps in control or service expectations.

Native Cloud Provider Security


Cloud service providers offer an ever-expanding spectrum of native tools to help enforce
security. Some are rudimentary and basic, whereas others are approaching equivalency to enterprise-
class vendor products. Taking a native cloud security tools-first approach can be cost-effective and
address many security requirements quickly and easily due to existing control integration with the
cloud service. It is important to understand the use cases and best fits for native tools to help make
decisions when vendor tools may be needed to augment or replace them. Native security tools are
available for SaaS, PaaS and IaaS cloud services. Figure 4 below illustrates the complex arrangement
of native tooling available for the Office 365 SaaS service.

Figure 4: Office 365 Native Security Tools

Native cloud security tools are evolving fast, and architects must work to keep informed about
capabilities using all available methods from online insights provided by cloud service providers to
formal training. Gartner research offers important guidance on native cloud security tooling.

In particular, for detailed solution comparisons for IaaS and application PaaS (aPaaS), visit our
interactive cloud tool, Cloud Decisions, as well as our new scorecards at Solution Scorecard Comparison.
This tool will allow you to drill down and compare top vendors across multiple capabilities, especially
their security and identity features.

Relevant research includes:

■ “Understanding and Implementing Security in Office 365: Exchange Online, SharePoint Online,
OneDrive for Business and Teams”

■ “Comparing Native Microsoft Azure Controls in Azure, Hybrid and Multicloud Environments”

■ “Comparing Security Controls and Paradigms in AWS, Google Cloud Platform and Microsoft Azure”

■ “Implementing Cloud Security Monitoring and Compliance Using Amazon Web Services”

■ “Assessing the Security Capabilities of Salesforce”

■ “Understanding and Implementing Security in Google Cloud Platform”

Cloud Access Security Broker


A cloud access security broker (CASB) is a critical control to ensure the secure adoption of SaaS-
based cloud apps. As more organizations move sensitive data into approved cloud apps such as
Office 365, G Suite, Dropbox and Box, CASB helps identify and protect sensitive data in these cloud
apps. CASB policies in API mode connect to cloud apps out of band to identify sensitive data with
various content inspection techniques, remove risky external sharing, encrypt files in place or revoke
risky cloud-to-cloud connections. CASB policies in reverse proxy mode are deployed in front of
approved cloud apps to provide risk-based adaptive access control, functionally limited access to
unmanaged devices, in-line real-time content inspection-based data loss prevention or ad hoc rights
management protection upon download of sensitive files. CASB in forward proxy mode provides
granular, context-aware access controls to both approved and unapproved cloud apps. CASB cloud
app discovery provides visibility into the usage of all cloud apps regardless of their approval status or
risk posture. Its built-in cloud app risk database can feed into existing Secure Web Gateways (SWGs)
or enterprise firewalls (EFWs) to block access to high-risk cloud apps. CASBs have also been adding
features to monitor and protect the larger, more well-known IaaS providers.

Figure 5. CASB Architecture

Gartner

See “How to Secure Cloud Applications Using Cloud Access Security Brokers” for a detailed
description of CASB capabilities, architecture best practices and enterprise integration
considerations. Use common CASB use cases discussed in “Best Practices for Planning, Selecting,
Deploying and Operating a CASB” as a starting point to develop your own CASB use case and SaaS
security requirement document. Refer to “Solution Comparison for Cloud Access Security Brokers” to
fast-track the RFP process when shortlisting CASB vendors.
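
The cloud app discovery flow described above (usage visibility for every app, then a risk database feeding an SWG or EFW block list) can be sketched as follows. This is an added example, not Gartner's or any CASB vendor's code; the log format, app names, domains, risk scores and threshold are all constructed for illustration.

```python
"""Cloud app discovery over web proxy logs (added illustration, constructed data)."""
from dataclasses import dataclass, field

# Constructed cloud app risk database: domain suffix -> (app name, risk score 0-100).
# A real CASB ships its own database; every entry here is invented.
RISK_DB = {
    "files.example-share.test": ("ExampleShare", 85),
    "example-crm.test": ("ExampleCRM", 20),
    "paste.example-bin.test": ("ExampleBin", 92),
    "example-notes.test": ("ExampleNotes", 55),
}
APPROVED_APPS = {"ExampleCRM"}   # apps the organization has sanctioned (assumption)
HIGH_RISK_THRESHOLD = 80         # score at or above which an app is blocked (assumption)

# Constructed proxy log lines: timestamp user method host bytes_uploaded
SAMPLE_LOG = """\
2020-03-27T09:00:01Z alice CONNECT eu1.example-crm.test 1200
2020-03-27T09:00:05Z bob CONNECT files.example-share.test 5000000
2020-03-27T09:01:10Z alice CONNECT files.example-share.test 250000
2020-03-27T09:02:00Z carol CONNECT paste.example-bin.test 4096
2020-03-27T09:02:30Z carol CONNECT www.example-notes.test 300
2020-03-27T09:03:00Z bob CONNECT notexample-crm.test 10
2020-03-27T09:03:05Z dave GET intranet.corp.test 0
truncated line without fields
"""


@dataclass
class AppUsage:
    app: str
    risk: int
    approved: bool
    users: set = field(default_factory=set)
    suffixes: set = field(default_factory=set)
    requests: int = 0
    bytes_uploaded: int = 0


def lookup_app(host):
    """Return (suffix, app, risk) for the longest matching domain suffix, or None.

    Matching is done on whole DNS labels, so 'notexample-crm.test' does not
    match the 'example-crm.test' entry.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # i == 0 is the full host: longest first
        candidate = ".".join(labels[i:])
        if candidate in RISK_DB:
            app, risk = RISK_DB[candidate]
            return candidate, app, risk
    return None


def discover(log_text):
    """Aggregate usage per cloud app, whatever its approval status."""
    usage, unknown_hosts, skipped = {}, set(), 0
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            skipped += 1                  # malformed line: count it, do not guess
            continue
        _ts, user, _method, host, sent = parts
        match = lookup_app(host)
        if match is None:
            unknown_hosts.add(host.lower())   # not in the risk database
            continue
        suffix, app, risk = match
        entry = usage.setdefault(app, AppUsage(app, risk, app in APPROVED_APPS))
        entry.users.add(user)
        entry.suffixes.add(suffix)
        entry.requests += 1
        entry.bytes_uploaded += int(sent)
    return usage, unknown_hosts, skipped


def build_blocklist(usage):
    """Domain suffixes to export to an SWG/EFW: observed, unapproved and high risk."""
    blocked = set()
    for entry in usage.values():
        if not entry.approved and entry.risk >= HIGH_RISK_THRESHOLD:
            blocked |= entry.suffixes
    return sorted(blocked)


if __name__ == "__main__":
    usage, unknown, skipped = discover(SAMPLE_LOG)
    for e in sorted(usage.values(), key=lambda e: -e.risk):
        status = "approved" if e.approved else "unapproved"
        print(f"{e.app:13} risk={e.risk:3} {status:10} "
              f"users={len(e.users)} uploaded={e.bytes_uploaded}")
    print("block list:", build_blocklist(usage))
    print("hosts not in risk database:", sorted(unknown), "skipped lines:", skipped)
```

Hosts that match no database entry are reported separately rather than dropped, since unrated apps are part of the visibility that discovery is meant to provide.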

Cloud Security Posture Management

Cloud security posture management (CSPM) tools go beyond assessment of security configuration
at the cloud control plane (usually for IaaS and CSP-provided PaaS services) to provide management
capabilities, including the ability of these providers to take action on policy violations. They deliver
risk identification and alerting capabilities by reviewing cloud audit and operational events. CSPM
can provide visualization and reporting mapped to defined security frameworks and standards to
support compliance.

A CSPM tool can be used to provide the following capabilities:

■ Compliance assessment — Review of subscription and deployed environment configuration
against best practices and hardening guidance. Assessment is frequently defined against given
standards, such as PCI DSS, Health Insurance Portability and Accountability Act (HIPAA) Security
Rule and NIST Cybersecurity Framework (CSF).

■ Operational monitoring — Ingestion of log feeds from cloud subscriptions and deployed
environment sources, as well as alerting capabilities.

■ DevOps integration — Platform exposes service APIs to support deeper DevOps automation of
continuous integration/continuous deployment (CI/CD) processes, such as providing detail for
remediation steps back into a configuration management process for deployment.

■ Incident response — Aligns with monitoring and alerting, and provides capabilities to handle and
mitigate incidents.

■ Risk identification — Takes combinations of monitoring, assessment and compliance information
and provides a means to identify and prioritize risks with the cloud environment.

■ Risk visualization — Provides a means to easily visualize identified risks. Permits “drill-down” into
risk to identify lower-level information and details to support operations, triage and incident
response.

Figure 6 shows the most common use case that employs CSPM.

Figure 6: Typical Multicloud Use Case for CSPM

Gartner

Architects use CSPM to validate and enforce cloud-native data and application controls. It enables
delegated management and security control of IaaS cloud environments. CSPM provides the means
to alert and, in some cases, automate remediation of given security risks. It also offers live risk
triangulation between configuration issues, vulnerabilities, threats and actual events.

CSPM is used to identify workload issues and potential attack surfaces/exposures by detecting
configuration issues/deviation from best practices. This helps provide technical insight for the
security operations center and incident teams. Many tools interoperate with native monitoring and
alerting to provide effective incident identification and escalation.

CSPMs ensure the correct configuration of IaaS cloud deployment from the host/workload to the
cloud management layer. Many CSPM systems process CSP-native security logs and third-party
security output to provide deeper context. Some integrate with identity platforms or native cloud
identity to help provide privileged access control to IaaS cloud administration.
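
The compliance assessment, risk identification and remediation capabilities listed above can be illustrated with a small configuration check over a multicloud inventory. This is an added example, not Gartner's or any CSPM vendor's code; the inventory schema, rule IDs, severities, priority weighting and the mapping of rules to frameworks are constructed assumptions and are not taken from the standards themselves.

```python
"""CSPM-style configuration assessment (added illustration, constructed data)."""
from dataclasses import dataclass
from typing import Callable

ADMIN_PORTS = {22, 3389}   # remote administration ports checked by R-NET-ADMIN

# Constructed multicloud inventory, already normalised to one schema (assumption).
INVENTORY = [
    {"id": "aws:bucket/logs", "type": "object_store",
     "public_read": False, "encrypted_at_rest": True},
    {"id": "aws:bucket/exports", "type": "object_store",
     "public_read": True, "encrypted_at_rest": False, "holds_sensitive_data": True},
    {"id": "azure:nsg/web", "type": "firewall_rule_set",
     "source": "0.0.0.0/0", "open_ports": [443, 22]},
    {"id": "azure:nsg/db", "type": "firewall_rule_set",
     "source": "10.0.0.0/8", "open_ports": [5432]},
    {"id": "gcp:user/admin-ops", "type": "identity", "admin": True, "mfa": False},
    {"id": "gcp:user/auditor", "type": "identity", "admin": False, "mfa": True},
]


@dataclass(frozen=True)
class Rule:
    rule_id: str            # hypothetical identifier
    applies_to: str         # resource type the rule evaluates
    severity: int           # 1 (low) to 5 (critical), constructed scale
    frameworks: tuple       # illustrative mapping only
    violated: Callable      # resource dict -> bool
    remediation: str        # detail handed back to the deployment pipeline


# Missing attributes fail closed: an unknown setting is reported as a finding.
RULES = [
    Rule("R-STORE-PUBLIC", "object_store", 5, ("PCI DSS", "NIST CSF"),
         lambda r: r.get("public_read", True),
         "Disable public read access on the storage container."),
    Rule("R-STORE-ENC", "object_store", 3, ("PCI DSS", "HIPAA Security Rule"),
         lambda r: not r.get("encrypted_at_rest", False),
         "Enable encryption at rest."),
    Rule("R-NET-ADMIN", "firewall_rule_set", 4, ("NIST CSF",),
         lambda r: r.get("source") == "0.0.0.0/0"
         and bool(ADMIN_PORTS & set(r.get("open_ports", []))),
         "Restrict administrative ports to management address ranges."),
    Rule("R-IAM-MFA", "identity", 4, ("PCI DSS", "NIST CSF"),
         lambda r: r.get("admin", False) and not r.get("mfa", False),
         "Require multifactor authentication for administrative identities."),
]


def evaluate(inventory, rules):
    """Yield (resource, rule, passed) for every rule that applies to a resource."""
    for resource in inventory:
        for rule in rules:
            if rule.applies_to == resource.get("type"):
                yield resource, rule, not rule.violated(resource)


def assess(inventory, rules=RULES):
    """Return findings ordered by priority (severity, doubled for sensitive data)."""
    findings = []
    for resource, rule, passed in evaluate(inventory, rules):
        if passed:
            continue
        weight = 2 if resource.get("holds_sensitive_data") else 1
        findings.append({
            "resource": resource["id"],
            "rule": rule.rule_id,
            "priority": rule.severity * weight,
            "frameworks": rule.frameworks,
            "remediation": rule.remediation,
        })
    findings.sort(key=lambda f: (-f["priority"], f["resource"], f["rule"]))
    return findings


def compliance_summary(inventory, rules=RULES):
    """Return {framework: (checks passed, checks evaluated)} for reporting."""
    summary = {}
    for _resource, rule, passed in evaluate(inventory, rules):
        for framework in rule.frameworks:
            ok, total = summary.get(framework, (0, 0))
            summary[framework] = (ok + int(passed), total + 1)
    return summary


if __name__ == "__main__":
    for f in assess(INVENTORY):
        print(f"[{f['priority']:2}] {f['resource']:20} {f['rule']:15} {f['remediation']}")
    for framework, (ok, total) in sorted(compliance_summary(INVENTORY).items()):
        print(f"{framework}: {ok}/{total} checks passed")
```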

Cloud Workload Protection Platforms


Cloud workload protection platforms (CWPPs) offer a very broad set of capabilities focused almost
solely on infrastructure workloads. Vendor solutions vary across categories; some offer wide-ranging
capabilities, while others focus on a protection approach or a deployment pattern, such as
containerization. Read “Improve Your Cloud Security With Cloud Workload Protection Platforms” for
a good grounding.

CWPP vendor services offer a spectrum of mixed capabilities to suit your IaaS deployment given that
your cloud native-first approach may be already addressing some security requirements. Select the
right tool by understanding CWPP capabilities and what vendors offer. Figure 7 shows the sets of
minimum capabilities identified in different groupings of CWPP tools — of course, vendors offer
differentiated services in addition to the ones shown.

Figure 7: CWPP Types and Their Minimum Capabilities

Source: Gartner (March 2020)

Secure Access Service Edge


IT architectures are evolving in the face of demands for scalability, flexibility and increased security,
and also because of network challenges such as requirements for low-latency and WAN-edge needs.
This broad set of drivers defines a unified service model that is called secure access service edge
(SASE). Cloud security architects must be cognizant of these expectations, and as cloud and
distributed services grow, must implement SASE-aligned capabilities.

Two key trends are driving a move toward a SASE architecture:

1. Organizational data is distributed across different service boundaries, typically outside of the
enterprise data center. Data is likely to be processed and stored in a variety of public cloud
services of all types — IaaS, PaaS and SaaS.

2. Processing of data closer to users is becoming more prevalent to improve user experience. Given
the first trend to distribute data, this challenges the organization to manage traffic flow much
more effectively, without reliance on a centralized architecture with the data center at the core.

Figure 8. SASE Architecture

Source: Gartner (March 2020)

Figure 8 shows typical SASE capabilities, which are endpoint- and identity-centric in nature. This is
especially important because it is the identity and role of humans, and the identity and health of
devices, that organizations always maintain control over, regardless of the various cloud styles
chosen for any given application. The contextual situation of the user (whether human, device or
machine) drives the access to core services. The core services themselves are negotiated by
combinations of layered and complementary security controls, which define risk-based access to
services. They take into account:

■ Information such as the identity or credential itself

■ Trust relationships between users and applications, including permissions and entitlements

■ The organizations, including real-time assessment based on the context of the connection

■ Technical security and compliance policy enforcement

■ Geographic constraints

■ Information about the connecting device

SASE core capabilities distribute across conventional areas such as network, application and data
security. They also include capabilities to more effectively manage and present distributed data.
Services include software-defined WAN (SD-WAN), SWG, CASB and zero trust network access
(ZTNA), as well as firewall as a service (FWaaS) with capabilities to secure data in transit, including
encryption and threat detection monitoring. Recommended capabilities include web application and
API protection (WAAP), remote browser isolation, recursive DNS, and network sandbox. Additional
optional capabilities are more use-case-specific and situational, including Wi-Fi hot spot protection,
network obfuscation, support for legacy VPN and edge compute protection, with capabilities for
offline or cached protection. Future benefits, when SASE becomes practical to implement for SaaS,
will include API-based access control for data context; support for both managed and
unmanaged devices may also become available in future. Note that SASE is not widely applied yet, but
offers emerging capabilities to solve key security problems.

Cloud Security Logical Architecture


Now that we have discussed all the layers and components, you can build a logical architecture
and see how all the pieces of cloud security fit together. You still need your on-premises EFW and
SWGs to be configured properly, and in some cases, like Office 365 traffic, you will need to bypass
these solutions and have the traffic routed straight to Microsoft. This is why it is important to
understand the deployment options like API and in-line proxy modes to establish your cloud security
solutions. Figure 9 shows a logical representation of cloud security architecture when incorporating
all of the possible cloud security solutions and processes.

Figure 9: Cloud Security Logical Architecture

Source: Gartner (March 2020)

Recommendations
Gartner recommends starting with defining your cloud security architecture roles and responsibilities
to lead the strategy. Then build your cloud security strategy, which will be composed of cloud-native
and third-party tools based on identified requirements.

Next, if your organization has a single IaaS cloud provider, utilize built-in security capabilities in your
IaaS, SaaS and PaaS providers first. If your organization already has multicloud defined as its
strategy, or you have matured and started adding new providers, look at solutions like CASB, CSPM
and CWPP. Most organizations start with CASB as it provides capabilities for SaaS and IaaS. A CASB
will provide the following:

■ A single pane of glass for monitoring, policy creation and threat mitigation across multiple cloud
applications

■ A way to gain visibility into shadow IT cloud app utilization, integrating with your existing SWG and
EFW infrastructure

■ An effective tool to do basic cloud risk assessment with the cloud app risk databases

As you determine more in-depth requirements for IaaS and aPaaS, use CSPM tools to provide
visibility into the cloud control plane, its security configuration and the IaaS security perimeter. Use
CWPP vendor tools to provide visibility and control over security configuration of workloads,
increasingly including containers and serverless functions.

CSPM tools will help with:

■ Automated security scanning and remediation

■ Preventing customer misconfiguration, which is the biggest reason for cloud breaches

■ Operational monitoring of cloud services

While CWPPs will help with:

■ Exploit protection for containers and virtual machines

■ Network segmentation policy creation and monitoring

■ Workload configuration management

■ Application allow-listing

■ System integrity assurance

Once you get some of these advanced solutions implemented, start looking to SASE to create a
reliable and scalable remote access architecture for the mid- to long-term future.

Conclusion
High complexity surrounds cloud security, and the impact to your existing security architecture is
significant. The good news is that cloud providers have continued to mature and so have the cloud
security solutions. Cloud security architecture and the cloud security architect role have been defined
with best practices, guidance from governing bodies and real-world examples, which are provided in
the links throughout this document as well as in the recommended reading links that accompany this
research.

This guide will continue to be updated as new acronyms and concepts arise in the space of cloud
security. This core topic is a rapidly changing area for security and risk management technical
professionals; your strategy will need to embrace change in a more agile process to ensure your
cloud-based infrastructure is protected from the latest and greatest security threats. But by following
the recommendations outlined by Gartner, both here and in forthcoming research, you will be able to
build a strong cloud security strategy and architecture that will protect your organization in the cloud.

Acronym Key and Glossary Terms


AAC Adaptive Access Control

aPaaS Application Platform as a Service

API Application Programming Interface

AWS Amazon Web Services

Azure AD Microsoft Azure Active Directory

BYOK Bring Your Own Key

CASB Cloud Access Security Broker

CCSP Certified Cloud Security Professional

CCSS Certified Cloud Security Specialist

CIS Center for Information Security

COBIT Control Objectives for Information and Related Technologies

CSA Cloud Security Alliance

CSPM Cloud Security Posture Management

CWPP Cloud Workload Protection Platform

DLP Data Loss Prevention

EDR Endpoint Detection and Response


ENFW Enterprise Network Firewall

GCP Google Cloud Platform

HIPAA Health Insurance Portability and Accountability Act

HITRUST Health Information Trust Alliance

HSM Hardware Security Module

HTTP Hypertext Transfer Protocol

IaaS Infrastructure as a Service

ISAE International Standard for Assurance Engagement

ISO International Standards Organization

ITIL Information Technology Infrastructure Library

KEK Key Encryption Key

KMS Key Management Service

MFA Multifactor Authentication

NIST National Institute of Standards and Technology

PaaS Platform as a Service

PAC Proxy Autoconfiguration

RACI Responsible, Accountable, Consulted, Informed Matrix

SaaS Software as a Service

SABSA Sherwood Applied Business Security Architecture

SASE Secure Access Service Edge

SMP SaaS Management Platform

SSL Secure Sockets Layer

SSO Single Sign-On

STAR Security Trust and Assurance Registry From CSA

SWG Secure Web Gateway

TLS Transport Layer Security

UEBA User and Entity Behavior Analysis

Recommended by the Authors


Performing Effective Security Risk Assessments of Public Cloud Deployments
Understanding and Implementing Security in Office 365: Exchange Online, SharePoint Online,
OneDrive for Business and Teams

How to Secure Cloud Applications Using Cloud Access Security Brokers


Best Practices for Planning, Selecting, Deploying and Operating a CASB
Comparing Security Controls and Paradigms in AWS, Google Cloud Platform and Microsoft Azure
Comparing the Use of CASB, CSPM and CWPP Solutions to Protect Public Cloud Services
Implementing Cloud Security Monitoring and Compliance Using Amazon Web Services

Solution Comparison for Cloud Access Security Brokers


Solution Path for Security in the Public Cloud
Improve Your Cloud Security With Cloud Workload Protection Platforms
Using Native IaaS Workload Security Capabilities in Amazon Web Services, Microsoft Azure and
Google Cloud Platform

© 2020 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its
affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written
permission. It consists of the opinions of Gartner's research organization, which should not be construed as
statements of fact. While the information contained in this publication has been obtained from sources believed to
be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information.
Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment
advice and its research should not be construed or used as such. Your access and use of this publication are
governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its
research is produced independently by its research organization without input or influence from any third party. For
further information, see "Guiding Principles on Independence and Objectivity."
