But security isn’t the bugaboo it used to be. In fact, “security as a service” that matches the agility and ease of use of the cloud is a huge potential market that current security vendors aren’t reaching. And therein lies a potential opportunity for security vendors.
That was the message from customers, analysts and cloud providers at a dinner discussion hosted by security software and services provider StillSecure the other night in Boston. Customer surveys show security dropping as a barrier to cloud adoption by customers, said Carl Brooks, an analyst at Tier1 Research. Compliance, however, is holding steady as a major concern.
Security vs. Compliance
That rang a bell with many around my table, who lamented that security is a “nice to have” that companies are reluctant to spend on until they’ve been breached, while compliance is forced on them by outsiders such as regulators. They also pointed out that the security provided by cloud players such as Amazon is at least as strong as what most organizations can provide themselves, at least at the infrastructure level of servers and networks.
Application-level security is another story, though. That is where cloud security, while achievable, is often too expensive and cumbersome. While businesses do want more “visibility” into security through dashboards and reports, the last thing they need is endless reams of log file data that don’t mean anything to them, said Brooks. Nor, said StillSecure Chairman and CEO Rajat Bhargava, do they want to manage security themselves.
Wanted: “Click and Go” Security
What they do want was described to me by David Greenstein, co-founder and CTO of startup Kibits, a mobile micro social-networking and information sharing platform. He wants “click and go” cloud security that allows him to instantly apply security policies to new servers as he spins them up in the cloud, without the need for manual configuration. As for reports, he only wants to receive alerts for an attack or vulnerability he needs to do something about. Trying to grow a company on a limited budget, he doesn’t want to spend any more time, money or effort than absolutely necessary for functions such as security that aren’t his core competence.
While there are “frameworks” for cloud development and deployment (a topic of an upcoming story I’m doing for Computerworld), no one around my table knew of a comparable framework for security. Larger security and systems management vendors, it seems, are either too busy solving security problems in current customer environments or not sufficiently clued in to the needs of the new, cloud-based corporate infrastructures.
Hurdles and Opportunities
Some of the hurdles to this “security as a service” include educating customers (especially small to mid-size businesses) about basics such as firewalls and the dangers of giving users root (or administrator) access to systems. Assuring compliance is even trickier given the vague requirements of regulations such as HIPAA (governing patient care) and Sarbanes-Oxley (protecting corporate financial information). But given customers’ desire to cut costs, services that could boost both compliance and security could be a huge win.
But there does seem to be a market out there for automatic, policy-based, server and application layer security services that can be applied and monitored as easily as spinning up a server in the public cloud. What companies out there are offering such services that we at the dinner haven’t heard about?