Security and Privacy Quadrant
Assume that you have decided to move to the cloud and have found a few cloud providers that offer your sought service for almost the same price. Suppose that security and privacy are also important for your type of business. It is then likely that you want to make sure that your data and that of your customers are sufficiently protected. It is not uncommon that the cloud providers state that to a certain extent they are secure and that they take the necessary measures to meet privacy regulations. How do you validate those claims and decide if that is enough assurance for you? Moreover, how are those competing cloud providers positioned compared to each other when it comes to security and privacy?
Privacy has a broad legal coverage and includes also intellectual protection right (IPR) and copyrights. It does not include the technical controls of privacy, like encryption. Security covers all aspects ranging from Identity and access management, data encryption till physical security and operational security. It does not, however, include the legal aspects of privacy. IISRI uses a standard set of evaluation criteria for each of those dimensions based on international standards to form their opinion. Since the evaluation is performed on the basis of only publicly available information, the position of a service provider in the quadrant indicates the level of information security and privacy of their services according to IISRI’s opinion.
Organizations and individuals may use IISRI’s Quadrant when considering using or investing in specific service providers and triggers them to question these service providers about their security and privacy when making business decisions. The IISRI Quadrant distinguishes between four types of service providers.
- I. Conservative service providers focus more on establishing the services and optimizing their performance than on security and privacy. Their security technologies are limited and traditional. Their legal framework to protect privacy and intellectual property rights of their customers shows gaps or lacks information.
- II. Innovative service providers have matured their services with optimized performance and have the newest technologies to deal with security and privacy. Their legal framework to protect privacy and intellectual property rights of their customers shows gaps or lacks of information.
- III. Progressive service providers have matured their services with optimized performance. Besides leading with the newest technologies to deal with security and privacy they also lead in ensuring the best legal framework to protect privacy and intellectual property rights of their customers.
- IV. Legislative service providers have matured their services with optimized performance. Since their security technologies are limited, they manage security and privacy by disclaiming liability of breaches to others. A strong legal framework is their way of protecting privacy and IPR of their customers.
The Cloud Sector depicted in the Security and Privacy Quadrant
IISRI has applied its security and privacy quadrant to depict the position of cloud providers compared to each other. IISRI evaluated cloud providers from the USA and from the East-Asian market on the basis of general available public information around their security and privacy posture. The results are depicted in the next figure to show their position relative to each other. It shows that almost all provide a moderate to sufficient level of security assurance, but that especially privacy and IPR is where some separate themselves from the other.
AWS and Azure are closely followed by their Asian counterpart Tencent cloud. While Alibaba cloud is struggling with privacy but innovate with their security services, Tencent cloud is clearly dominating the East-Asian cloud market when it comes to both privacy and security. The rest of the East-Asian providers are more innovative and some possibly conservative. This means that while their security posture and how it is presented can be improved, privacy and IPR protection of tenants requires most attention.