SaaS used more for sensitive data than for mission-critical data, says Gartner survey

Gartner, a US-based information technology research and advisory company, has stated that avoiding the use of software as a service (SaaS) for critical or sensitive data remains a significant form of risk control for many organisations. But those that do use SaaS for such data are more likely to use it for sensitive data than for mission-critical data.

These findings are based on Gartner's latest annual survey of the state of risk management programmes globally, which questioned 425 respondents from IT risk management disciplines in the US, the UK, Germany and Canada from December 2011 to January 2012.

The survey results show that organisations take different approaches to risk management when confronted with a need or opportunity to share data with different types of external party. Compared with platform as a service (PaaS) or infrastructure as a service (IaaS), organisations are about 30 percent more likely to have a policy against putting sensitive data into SaaS (26 percent), and about 45 percent more likely to have a policy against putting it into outsourced data centres (29 percent).

Only 57 percent of IaaS/PaaS buyers are using a questionnaire to support their risk assessment, and unlike for SaaS, the questionnaire is more likely to be a proprietary one, unique to the buyer's organisation, and less likely to be based on standards. As in the case of SaaS, 26 percent are also evaluating information from the provider. The most dramatic change over the past three years is the increased willingness to use IaaS and PaaS for sensitive processes.

Thirty-six percent of respondents said they had a policy against putting mission-critical data into an outsourced data centre, making avoidance the most chosen mechanism for dealing with data centre risk. The level of response for this choice is significantly higher than for either of the other two service models. Twenty-nine percent said this policy applied to SaaS, and only 22 percent said it applied to IaaS/PaaS.

The most significant reduction in the use of risk assessment practices has been in the practice of sending company staff to evaluate a partner's controls on-site, which has dropped by over 40 percent over three years. Use of standards-based questionnaires has increased, while the use of proprietary surveys has dropped by the same degree, leaving the prevalence of questionnaires virtually the same.

Additional information is available in the report "Survey Analysis: Assessment Practices for Cloud, SaaS and Partner Risks, 2012," on Gartner's website at http://www.gartner.com/resId=2000315.
