Cloud Security Strategies, GDPR, and Vendor Lock-In

By Dan Shey | 3Q 2019 | IN-5552

The security offerings of the top cloud providers were discussed in a recent ABI Research Application Analysis Report, IoT Cloud Services: A Comparison of Public, Private, and Hybrid Solutions from Leading Cloud Suppliers (AN-2418). This ABI Insight provides a quick review of some of the more interesting tidbits, including a core cloud security service, identity access management, the impact of the E.U. General Data Protection Regulation (GDPR) on cloud strategies, and where highly secure solutions may mean greater vendor lock-in.


Cloud Vendor Security Strategies: Identity Access Management Services


While there are many cloud security products, such as Alibaba’s Attacker Intrusion Detection, Azure Sphere for Internet of Things (IoT), IBM Cloud App ID, and Oracle’s User & Entity Behavior Analytics (UEBA), a core security service of any cloud provider is Identity and Access Management (IAM). IAM provides authentication and access controls to ensure that the proper people gain access to cloud services, and it forms the baseline on which other security services can be built.

The main debate here is about the use of a core, authoritative directory service to authenticate access to a wide range of networks and services, as opposed to a third-party service, called Directory-as-a-Service (DaaS), that can extend vendor identities to a wide range of Information Technology (IT) services. The former approach has been adopted by Microsoft Azure, while the latter is used by Google, Huawei, and many others.

The security risks of both arrangements need to be carefully considered by prospective end users. In the case of a core, authoritative directory service, there is a danger that dependence on a single directory managed by a single vendor does nothing to spread or mitigate security risk. On the other hand, the use of a third-party service extends an already complex cloud security supply chain and makes an enterprise prone to security risks from a wide range of additional end users.

IoT solutions will need to resolve this issue because IoT data will increasingly be made available to multiple parties. In industrial markets, for example, machine data will be sought by the machine Original Equipment Manufacturer (OEM) and a third-party field services team, in addition to several functional groups internal to the factory that may not be on-site.

GDPR and Multicloud


One of the outcomes of more countries enacting data localization laws is that more enterprises are moving to multicloud strategies across their IoT portfolios to optimize the costs of cloud services and leverage the innovative services of particular cloud suppliers. For example, an enterprise may want to use a private cloud vendor to meet data localization laws in a specific country/region while using a public cloud vendor to store the most sensitive data in a country/region with less stringent data localization laws. A case in point is how China’s data localization laws cause many foreign retailers to place transactional data in a Chinese vendor’s public cloud (Alibaba being the big winner) but use a private cloud for storing E.U. citizen transactional data located in one of the E.U. member countries.

However, this strategy has its caveats when considering the full force of the E.U. General Data Protection Regulation (GDPR). If data pertains to an E.U. resident, the cloud solution must comply with the GDPR regardless of where the data is stored. Therefore, choosing cloud storage based on less restrictive data localization laws only works for E.U. resident data if the storage solution complies with the GDPR.

Vendor Lock-In and Multicloud


Microsoft is a case in point of advancing End-to-End (E2E) IoT security, but at the cost of vendor lock-in. Microsoft offers an advanced solution for cloud computing security and E2E IoT solution security. Confidential computing is its approach to protecting the computing cycles of an application processed in the public cloud. Instead of processing data on standard Microprocessing Units (MPUs) in the server infrastructure, clients have the option of using Trusted Execution Environments (TEEs), or secure portions of an MPU, for application computing.

The second offering in Microsoft’s portfolio is Azure Sphere, which is targeted at IoT applications. The offering is composed of three elements: certified Microcontroller Units (MCUs), a purpose-built Operating System (OS) that combines Real-Time Operating System (RTOS) and IoT features, and a security service for brokering trust for Device-to-Device (D2D) and Device-to-Cloud (D2C) communication. The service will include certificate-based authentication, online failure reporting, software updates, and threat detection across the entire Azure Sphere ecosystem.

While Microsoft’s solution offers end-to-end IoT security, is vendor lock-in desirable, or even an option, if connected device deployments are worldwide and multiple cloud providers may offer compelling services to address their local markets? The bottom line is that no one size fits all. As shown by this ABI Insight, enterprises will constantly be confronted with choices when assessing their IoT security posture versus the factors of cloud supplier security services, cloud supply chain complexity, regulations, and long-term Return on Investment (ROI).

