Gartner Says Organizations More Likely to Use SaaS for Sensitive Data Than Mission-Critical Data
August 23, 2012
Share this

Avoiding the use of software as a service (SaaS) for critical or sensitive data remains a significant form of risk control for many organizations, according to Gartner, Inc. But those that do use SaaS for such data are more likely to use it for sensitive data than for mission-critical data.

These findings are based on Gartner's latest annual survey of the state of risk management programs globally, which questioned 425 respondents from IT risk management disciplines in the U.S., U.K., Germany and Canada from December 2011 to January 2012.

The survey results show that organizations take different approaches to risk management when confronted with a need or opportunity to share data with different types of external party.

Assessment Practices for External Parties

Survey respondents were asked if they had processes in place to assess external party security, risk management, compliance, privacy and BCP/DR for four different situations. Respondents answered: “Do not allow use for sensitive data or processes" almost twice as often in the case of business partners (38 percent) as for platform as a service (PaaS) and infrastructure as a service (IaaS) (20 percent).

Compared with PaaS/IaaS, organizations are about 30 percent more likely to have a policy against putting sensitive data into SaaS (26 percent), and about 45 percent more likely to have a policy against putting it into outsourced data centers (29 percent).

"These results make sense, given that sharing data with a partner almost certainly means that one or more of its employees will be accessing the data, while in a SaaS scenario, the data is typically only accessible to the primary customer," said Jay Heiser, Research VP at Gartner. "This year we asked about both data availability and data confidentiality policies. Survey respondents indicated 10 percent less willingness to place mission-critical data into a SaaS offering than to place sensitive data into it. They were even less willing to place mission-critical data into outsourced data centers, with over one-third of respondents saying that they do not allow it."

Platform-as-a-Service/Infrastructure-as-a-Service Risk Assessment Practices

Only 57 percent of IaaS/PaaS buyers are using a questionnaire to support their risk assessment, and unlike for SaaS, the questionnaire is more likely to be a proprietary one, unique to the buyer's organization, and less likely to be based on standards. As in the case of SaaS, 26 percent are also evaluating information from the provider. The most dramatic change over the past three years is the increased willingness to use IaaS and PaaS for sensitive processes.

Outsourced Data Center Risk Assessment Practices

Thirty-six percent of respondents said they had a policy against putting mission-critical data into an outsourced data center, making avoidance the most chosen mechanism for dealing with data center risk. The level of response for this choice is significantly higher than for either of the other two service models. Twenty-nine percent said this policy applied to SaaS, and only 22 percent said it applied to IaaS/PaaS.

"One of the biggest drivers is probably an expectation that the packaged service offerings, which typically claim to be based on cloud computing, are more reliable," said Mr Heiser. "While fault tolerance is a feature of many such offerings, we consider it premature to assume that mission-critical data is safer in a cloud than in a traditional data center in which buyers usually make very specific choices about how data will be backed up."

The most significant reduction in the use of risk assessment practices has been in the practice of sending company staff to evaluate a partner's controls on-site, which has dropped by over 40 percent over three years. Use of standards-based questionnaires has increased, while the use of proprietary surveys has dropped by the same degree, leaving the prevalence of questionnaires virtually the same.

Share this

The Latest

October 10, 2019

The requirements of an APM tool are now much more complex than they've ever been. Not only do they need to trace a user transaction across numerous microservices on the same system, but they also need to happen pretty fast ...

October 09, 2019

Performance monitoring is an old problem. As technology has advanced, we've had to evolve how we monitor applications. Initially, performance monitoring largely involved sending ICMP messages to start troubleshooting a down or slow application. Applications have gotten much more complex, so this is no longer enough. Now we need to know not just whether an application is broken, but why it broke. So APM has had to evolve over the years for us to get there. But how did this evolution take place, and what happens next? Let's find out ...

October 08, 2019

There are some IT organizations that are using DevOps methodology but are wary of getting bogged down in ITSM procedures. But without at least some ITSM controls in place, organizations lose their focus on systematic customer engagement, making it harder for them to scale ...

October 07, 2019
OK, I admit it. "Service modeling" is an awkward term, especially when you're trying to frame three rather controversial acronyms in the same overall place: CMDB, CMS and DDM. Nevertheless, that's exactly what we did in EMA's most recent research: <span style="font-style: italic;">Service Modeling in the Age of Cloud and Containers</span>. The goal was to establish a more holistic context for looking at the synergies and differences across all these areas ...
October 03, 2019

If you have deployed a Java application in production, you've probably encountered a situation where the application suddenly starts to take up a large amount of CPU. When this happens, application response becomes sluggish and users begin to complain about slow response. Often the solution to this problem is to restart the application and, lo and behold, the problem goes away — only to reappear a few days later. A key question then is: how to troubleshoot high CPU usage of a Java application? ...

October 02, 2019

Operations are no longer tethered tightly to a main office, as the headquarters-centric model has been retired in favor of a more decentralized enterprise structure. Rather than focus the business around a single location, enterprises are now comprised of a web of remote offices and individuals, where network connectivity has broken down the geographic barriers that in the past limited the availability of talent and resources. Key to the success of the decentralized enterprise model is a new generation of collaboration and communication tools ...

October 01, 2019

To better understand the AI maturity of businesses, Dotscience conducted a survey of 500 industry professionals. Research findings indicate that although enterprises are dedicating significant time and resources towards their AI deployments, many data science and ML teams don't have the adequate tools needed to properly collaborate on, build and deploy AI models efficiently ...

September 30, 2019

Digital transformation, migration to the enterprise cloud and increasing customer demands are creating a surge in IT complexity and the associated costs of managing it. Technical leaders around the world are concerned about the effect this has on IT performance and ultimately, their business according to a new report from Dynatrace, based on an independent global survey of 800 CIOs, Top Challenges for CIOs in a Software-Driven, Hybrid, Multi-Cloud World ...

September 26, 2019

APM tools are your window into your application's performance — its capacity and levels of service. However, traditional APM tools are now struggling due to the mismatch between their specifications and expectations. Modern application architectures are multi-faceted; they contain hybrid components across a variety of on-premise and cloud applications. Modern enterprises often generate data in silos with each outflow having its own data structure. This data comes from several tools over different periods of time. Such diversity in sources, structure, and formats present unique challenges for traditional enterprise tools ...

September 25, 2019

Today's organizations clearly understand the value of digital transformation and its ability to spark innovation. It's surprising that fewer than half of organizations have undertaken a digital transformation project. Workfront has identified five of the top challenges that IT teams face in digital transformation — and how to overcome them ...