Security firms must retool as clients move to the cloud

The risk of disintermediation meets a promise of collaboration.

These should be flush times for firms selling security solutions, such as Symantec, McAfee, Trend Micro, and RSA. Front-page news about cyber attacks provides free advertising, and security capabilities swell with new techniques such as security analysis (permit me a plug here for our book Network Security Through Data Analysis). But according to Jane Wright, senior analyst covering security at Technology Business Research, security vendors face an existential threat as clients run their applications in the cloud and rely on their cloud service providers for their security controls.

Most of security vendors’ bread and butter — firewalls; intrusion detection; and, to a lesser extent, anti-virus scanning — is installed on the client’s premises and run by the client’s own IT team. But Wright told me that 41% of the businesses interviewed by TBR (businesses using SaaS in a public cloud) want the cloud provider to handle all of that.

Cloud service providers are also eager to meet client concerns about security. Many potential customers are held back from choosing cloud solutions out of worries over security, with 75% telling the Technology Business Research investigators that security has an impact on their cloud decisions. So, according to Wright, cloud service providers trumpet the measures they take to cover security at all levels: content scanning, data encryption, user authentication, and so on.

There does, in fact, seem to be a tipping point toward cloud use. Highly regulated industries such as health care and finance, which used to say they were barred from using cloud solutions, now see them as a boon to security.

The vigilance of cloud providers leads them to turn to traditional security providers so that standard measures can be built into the cloud solutions. This offers security firms a new market, but it may not enhance their business stability. Wright said that cloud providers usually don’t like to advertise which security firms they’re partnering with, so that they can switch partners if needed. Thus, the partnerships fail to provide publicity to the security firms, and the firms live in a chronically uncertain environment.

Technology Business Research says that the adoption of open standards will help the best solutions be more widely adopted. But I think that, like other open standards, they can also lead to commoditization and lower revenues. Meanwhile, providing bulk security to cloud providers will probably be less lucrative than providing it on an individual basis to stand-alone clients, although the difference may be made up by increases in scale as virtually every firm comes to depend more and more heavily on the Internet.

What interests me is whether security vendors can rethink the concept of the security they provide and recapture the market for business security. Whether you’re running applications in your own data center or on servers provisioned in a cloud, employees still need to follow policies and good practices. Maybe security firms can expand their roles and maintain their relevance to end-users by smoothing the path toward proper use of resources in the cloud. It’s worth looking for creative business opportunities.


  • I’d suggest that a cloud vendor would wish to have a strong degree of security between and among its customers, and also think of itself as the equivalent of a customer.

    As the NSA recently discovered, letting one’s sysadmins have full control without the kind of accounting-like controls one uses in physical security can lead to huge leaks.

    Were I managing a system providing services to a collection of competing customers again, I’d want
    – the customer’s data encrypted so I can’t get it (or be accused of getting it)
    – two-person controls on security-sensitive materials like key storage
    – similar access controls on export-capable devices.

    Many moons ago, my boss sent me on a Trusted Solaris (Orange Book) course, because we had just that kind of problem: TS solved about 80% of it. Were I a time-sharing vendor (i.e., a cloud vendor these days) I’d want it yesterday, and would be looking for a vendor to offer it to me.

    If I were the NSA, I’d have had an RFP out some time last year (;-))


  • Scott Hogrefe

    Hi Andy. I enjoyed the post. As a follow up I think it would be worth discussing the cloud security brokers that have emerged to address this challenge. If you’d like, I’d be happy to set up a time to share what Netskope is doing. Just let me know. Thanks.

  • This is going to be a big switch around for the security industry. We have already seen it with PCI, where a PCI cloud solution picks up all the merchants and ensures that they are all PCI compliant.

    However, the merchants still have to confirm that they are PCI compliant and have to go through the form filling to confirm that they outsourced to a compliant supplier.

    The same is happening in the government space, and the UK government is leading the way with its G-Cloud framework that allows government to purchase accredited secure solutions.

    This is a huge benefit to government since they do not need to individually secure and certify each project.

    There is always going to be a need to secure the end user’s device, and whilst this is Windows-based, anti-virus etc. will remain, along with on-premise firewalls etc., etc. Unless organizations switch to having no local internet connectivity and just have a direct connection into a cloud data centre. However, this immediately becomes a single point of failure and removes the distributed resilience of a good cloud platform.

    In the PCI example the industry is moving in two directions: providing automated, simple compliance to small businesses who have already outsourced, and sophisticated services to large cloud providers for whom security is mission critical and who normally over-spec their compliance, e.g. daily scans vs. the quarterly requirement, a six-month or quarterly audit vs. the annual requirement, and use of multiple vendors for both services.

    However, if the device (mobile, tablet, desktop, whatever) is compromised, the cloud security is not going to help, so end user/device security is not going to go away, and has just become 10x more difficult with BYOD.

    E.g. standard Android keyboards require access to all emails, texts and messages to optimize predictive typing, and send the lot out to the “cloud” for analysis. In the case of Samsung this is managed by an undisclosed third party.

    I predict lots of interesting security discussions in this area!

  • It’s really about time that security vendors pay attention to how to integrate a more solid security tool that can be used on a daily basis without hassle and without spending too much.