Gartner Says Organizations More Likely to Use SaaS for Sensitive Data Than Mission-Critical Data
August 23, 2012
Share this

Avoiding the use of software as a service (SaaS) for critical or sensitive data remains a significant form of risk control for many organizations, according to Gartner, Inc. But those that do use SaaS for such data are more likely to use it for sensitive data than for mission-critical data.

These findings are based on Gartner's latest annual survey of the state of risk management programs globally, which questioned 425 respondents from IT risk management disciplines in the U.S., U.K., Germany and Canada from December 2011 to January 2012.

The survey results show that organizations take different approaches to risk management when confronted with a need or opportunity to share data with different types of external party.

Assessment Practices for External Parties

Survey respondents were asked if they had processes in place to assess external party security, risk management, compliance, privacy and BCP/DR for four different situations. Respondents answered: “Do not allow use for sensitive data or processes" almost twice as often in the case of business partners (38 percent) as for platform as a service (PaaS) and infrastructure as a service (IaaS) (20 percent).

Compared with PaaS/IaaS, organizations are about 30 percent more likely to have a policy against putting sensitive data into SaaS (26 percent), and about 45 percent more likely to have a policy against putting it into outsourced data centers (29 percent).

"These results make sense, given that sharing data with a partner almost certainly means that one or more of its employees will be accessing the data, while in a SaaS scenario, the data is typically only accessible to the primary customer," said Jay Heiser, Research VP at Gartner. "This year we asked about both data availability and data confidentiality policies. Survey respondents indicated 10 percent less willingness to place mission-critical data into a SaaS offering than to place sensitive data into it. They were even less willing to place mission-critical data into outsourced data centers, with over one-third of respondents saying that they do not allow it."

Platform-as-a-Service/Infrastructure-as-a-Service Risk Assessment Practices

Only 57 percent of IaaS/PaaS buyers are using a questionnaire to support their risk assessment, and unlike for SaaS, the questionnaire is more likely to be a proprietary one, unique to the buyer's organization, and less likely to be based on standards. As in the case of SaaS, 26 percent are also evaluating information from the provider. The most dramatic change over the past three years is the increased willingness to use IaaS and PaaS for sensitive processes.

Outsourced Data Center Risk Assessment Practices

Thirty-six percent of respondents said they had a policy against putting mission-critical data into an outsourced data center, making avoidance the most chosen mechanism for dealing with data center risk. The level of response for this choice is significantly higher than for either of the other two service models. Twenty-nine percent said this policy applied to SaaS, and only 22 percent said it applied to IaaS/PaaS.

"One of the biggest drivers is probably an expectation that the packaged service offerings, which typically claim to be based on cloud computing, are more reliable," said Mr Heiser. "While fault tolerance is a feature of many such offerings, we consider it premature to assume that mission-critical data is safer in a cloud than in a traditional data center in which buyers usually make very specific choices about how data will be backed up."

The most significant reduction in the use of risk assessment practices has been in the practice of sending company staff to evaluate a partner's controls on-site, which has dropped by over 40 percent over three years. Use of standards-based questionnaires has increased, while the use of proprietary surveys has dropped by the same degree, leaving the prevalence of questionnaires virtually the same.

Share this

The Latest

October 03, 2022

IT engineers and executives are responsible for system reliability and availability. The volume of data can make it hard to be proactive and fix issues quickly. With over a decade of experience in the field, I know the importance of IT operations analytics and how it can help identify incidents and enable agile responses ...

September 30, 2022

For businesses with vast and distributed computing infrastructures, one of the main objectives of IT and network operations is to locate the cause of a service condition that is having an impact. The more human resources are put into the task of gathering, processing, and finally visual monitoring the massive volumes of event and log data that serve as the main source of symptomatic indications for emerging crises, the closer the service is to the company's source of revenue ...

September 29, 2022

Our digital economy is intolerant of downtime. But consumers haven't just come to expect always-on digital apps and services. They also expect continuous innovation, new functionality and lightening fast response times. Organizations have taken note, investing heavily in teams and tools that supposedly increase uptime and free resources for innovation. But leaders have not realized this "throw money at the problem" approach to monitoring is burning through resources without much improvement in availability outcomes ...

September 28, 2022

Although 83% of businesses are concerned about a recession in 2023, B2B tech marketers can look forward to growth — 51% of organizations plan to increase IT budgets in 2023 vs. a narrow 6% that plan to reduce their spend, according to the 2023 State of IT report from Spiceworks Ziff Davis ...

September 27, 2022

Users have high expectations around applications — quick loading times, look and feel visually advanced, with feature-rich content, video streaming, and multimedia capabilities — all of these devour network bandwidth. With millions of users accessing applications and mobile apps from multiple devices, most companies today generate seemingly unmanageable volumes of data and traffic on their networks ...

September 26, 2022

In Italy, it is customary to treat wine as part of the meal ... Too often, testing is treated with the same reverence as the post-meal task of loading the dishwasher, when it should be treated like an elegant wine pairing ...

September 23, 2022

In order to properly sort through all monitoring noise and identify true problems, their causes, and to prioritize them for response by the IT team, they have created and built a revolutionary new system using a meta-cognitive model ...

September 22, 2022

As we shift further into a digital-first world, where having a reliable online experience becomes more essential, Site Reliability Engineers remain in-demand among organizations of all sizes ... This diverse set of skills and values can be difficult to interview for. In this blog, we'll get you started with some example questions and processes to find your ideal SRE ...

September 21, 2022

US government agencies are bringing more of their employees back into the office and implementing hybrid work schedules, but federal workers are worried that their agencies' IT architectures aren't built to handle the "new normal." They fear that the reactive, manual methods used by the current systems in dealing with user, IT architecture and application problems will degrade the user experience and negatively affect productivity. In fact, according to a recent survey, many federal employees are concerned that they won't work as effectively back in the office as they did at home ...

September 20, 2022

Users today expect a seamless, uninterrupted experience when interacting with their web and mobile apps. Their expectations have continued to grow in tandem with their appetite for new features and consistent updates. Mobile apps have responded by increasing their release cadence by up to 40%, releasing a new full version of their app every 4-5 days, as determined in this year's SmartBear State of Software Quality | Application Stability Index report ...