Security firms must retool as clients move to the cloud

The risk of disintermediation meets a promise of collaboration.

These should be flush times for firms selling security solutions, such as Symantec, McAfee, Trend Micro, and RSA. Front-page news about cyber attacks provides free advertising, and security capabilities swell with new techniques such as security analysis (permit me a plug here for our book Network Security Through Data Analysis). But according to Jane Wright, senior analyst covering security at Technology Business Research, security vendors are faced with an existential threat as clients run their applications in the cloud and rely on their cloud service providers for their security controls.

Most of security vendors’ bread and butter — firewalls; intrusion detection; and, to a lesser extent, anti-virus scanning — are installed on the client’s premises and run by the client’s own IT team. But Wright told me that 41% of the businesses interviewed by TBR (businesses using SaaS in a public cloud) want the cloud provider to handle all that.

Cloud service providers are also eager to meet client concerns about security. Many potential customers are held back from choosing cloud solutions out of worries over security, with 75% telling the Technology Business Research investigators that security has an impact on their cloud decisions. So, according to Wright, cloud service providers trumpet the measures they take to cover security at all levels: content scanning, data encryption, user authentication, and so on.

There does, in fact, seem to be a tipping point toward cloud use. Highly regulated industries such as health care and finance, which used to say they were barred from using cloud solutions, now see them as a boon to security.

The vigilance of cloud providers makes them turn to traditional security providers so that standard measures can be built into the cloud solutions. This offers security firms a new market, but it may not enhance their business stability. Wright said that cloud providers usually don’t like to advertise which security firms they’re partnering with so they can switch them around if needed. Thus, the partnerships fail to provide publicity to the security firms, and those firms live in a chronically uncertain environment.

Technology Business Research says that the adoption of open standards will help the best solutions be more widely adopted. But I think that, like other open standards, they can also lead to commoditization and lower revenues. Meanwhile, providing bulk security to cloud providers will probably be less lucrative than providing it on an individual basis to stand-alone clients, although the difference may be made up by increases in scale as virtually every firm comes to depend more and more heavily on the Internet.

What interests me is whether security vendors can rethink the concept of the security they provide and recapture the market for business security. Whether you’re running applications in your own data center or on servers provisioned in a cloud, employees still need to follow policies and good practices. Maybe security firms can expand their roles and maintain their relevance to end-users by smoothing the path toward proper use of resources in the cloud. It’s worth looking for creative business opportunities.
