
Security and Privacy Quadrant

27. April 2017


Assume that you have decided to move to the cloud and have found a few cloud providers that offer the service you are looking for at almost the same price. Suppose that security and privacy are also important for your type of business. You will then want to make sure that your data and that of your customers are sufficiently protected. Cloud providers commonly state that they are secure to a certain extent and that they take the necessary measures to meet privacy regulations. How do you validate those claims and decide whether that is enough assurance for you? Moreover, how are those competing cloud providers positioned relative to each other when it comes to security and privacy?


For this purpose, the Independent Information Security Institute (IISRI) has developed the Security and Privacy Quadrant. The Quadrant graphically depicts the relative positions of service providers along two dimensions: security and privacy.




Privacy has broad legal coverage and also includes intellectual property rights (IPR) and copyrights. It does not include the technical controls of privacy, such as encryption. Security covers all aspects, ranging from identity and access management and data encryption to physical security and operational security. It does not, however, include the legal aspects of privacy. IISRI uses a standard set of evaluation criteria for each of those dimensions, based on international standards, to form its opinion. Since the evaluation is performed on the basis of publicly available information only, the position of a service provider in the quadrant indicates the level of information security and privacy of its services according to IISRI’s opinion.

Organizations and individuals may use IISRI’s Quadrant when considering using or investing in specific service providers. It prompts them to question these service providers about their security and privacy when making business decisions. The IISRI Quadrant distinguishes between four types of service providers.

  • I. Conservative service providers focus more on establishing the services and optimizing their performance than on security and privacy. Their security technologies are limited and traditional. Their legal framework to protect privacy and intellectual property rights of their customers shows gaps or lacks information.

  • II. Innovative service providers have matured their services with optimized performance and have the newest technologies to deal with security and privacy. Their legal framework to protect privacy and intellectual property rights of their customers shows gaps or lacks information.

  • III. Progressive service providers have matured their services with optimized performance. Besides leading with the newest technologies to deal with security and privacy, they also lead in ensuring the best legal framework to protect privacy and intellectual property rights of their customers.

  • IV. Legislative service providers have matured their services with optimized performance. Since their security technologies are limited, they manage security and privacy by disclaiming liability for breaches to others. A strong legal framework is their way of protecting privacy and IPR of their customers.



The Cloud Sector depicted in the Security and Privacy Quadrant




IISRI has applied its Security and Privacy Quadrant to depict the position of cloud providers relative to each other. IISRI evaluated cloud providers from the USA and from the East-Asian market on the basis of generally available public information about their security and privacy posture. The results are depicted in the next figure to show their position relative to each other. It shows that almost all provide a moderate to sufficient level of security assurance, but that privacy and IPR especially are where some separate themselves from the others.



We noticed that Amazon Cloud (AWS) and Microsoft Azure are not only leading the cloud sector in terms of market share, but also lead by demonstrating a progressive approach towards security and privacy. They utilize different security technologies to protect the shared cloud infrastructure and also provide them as a service to tenants. They also comply with numerous security standards and privacy regulations across different regions.
