Cloud Security

By Staff Writers on Oct 13, 2008 3:18PM
There’s a scene in Lewis Carroll’s novel, Alice in Wonderland, where Humpty Dumpty says to Alice, “When I use a word, it means just what I choose it to mean, neither more nor less.”

A similar situation often arises with emerging technology: once something becomes a buzzword, vendors tend to define it in terms of their own product offering.

Security in-the-cloud is one of the latest examples of this phenomenon, and it’s hard to read the IT press without coming across a reference to it somewhere.

So what then is security in-the-cloud? How does it work? And how can resellers and systems integrators educate themselves and their customers about it enough to make some money from it?

To start off, Cloud Computing, narrowly defined, is a style of computing where IT-related capabilities are provided “as a service” from the Internet (“in-the-cloud”), so that users can ‘consume’ them without knowledge of, expertise with, or control over the technology infrastructure that supports them.

“Gartner defines Cloud Computing as a style of computing where massively scalable IT-related functions and information are provided as a service across the Internet, potentially to multiple external customers, where the consumers of the services need only care about what the service does for them, not how it is implemented.
Cloud Computing is not an architecture, a platform, a tool, an infrastructure, a website or a vendor. It is a style of computing.” (Identity Services (in) the Cloud, Earl Perkins, 28 May 2008, ID: G00157908)

Similar levels of confusion exist when looking at security in-the-cloud, said James Turner, IBRS analyst.

“There are two takes on security in-the-cloud. The first is the purist angle which says security in-the-cloud is mitigation that is managed for you in-the-cloud.

It’s not kit you own, you’re paying per user, per licence and you don’t have to manage hardware, software, licences etc. It’s all done for you before it hits your front-end firewall.

“The second take is more abstract and this is more where we’re heading. It’s the idea that as a whole a lot of stuff is moving into the cloud, security has to give a lot more consideration to what’s already in-the-cloud. This is where we move beyond threat mitigation and into areas such as identity and access management, federated identities, rights and entitlements which is basically who does what and what they do to it.”

Mike Bosch, Australia, New Zealand and Africa senior director for IronPort, said “The gist of security in-the-cloud is that an organisation is processing and filtering its mail and all its web traffic externally by a third party off premises through a WAN connection. In short, you have outsourced the function to someone else.”

Peter Croft, Asia Pacific managing director, ClearSwift, has a similar take.

“Security in-the-cloud is security at a point outside of the organisation’s infrastructure, done outside of the perimeter by an outside provider so the stream of data is cleaned before it gets through to the organisation.”

Mark Pullen, ANZ country manager for RSA, explained that they look at security in-the-cloud as the purest form of Cloud Computing.

“Cloud Computing is a service that you can outsource completely – Salesforce.com is the perfect example.
Security in-the-cloud is a service you can consume from the cloud without the need to deploy infrastructure; it’s simply a case of deploying an API call out to the service provider.”

By contrast, Paul Ducklin, Asia Pacific head of technology at Sophos, takes a broader view as to what security in-the-cloud means, arguing that “the nice thing about this idea of the cloud and SaaS and stuff that’s based in the cloud, is when it comes time to draw a diagram on a whiteboard, clouds are really easy to draw.

We still rely on end-point PCs to make use of so-called Software as a Service and it’s nice to have a computer that lets you work offline and update stuff later, which is the model most of us use.

We’re not permanently connected, we got over the mainframe years and years ago so the cloud really includes everything.

“It includes the network infrastructure, the ISP; if you’re in a business it includes your servers, some of which will be purely internal while others will be partly internal and external. Really the boundaries are blurring between inside and outside the network, between online and offline. The [rather horrible] term often used is deperimeterisation, and the days of having a big gate you close after hours are gone. Most companies’ laptops spend time on multiple networks – home, office, airport, café, hotel – so are they an internal or an external PC? The answer is they’re both, and organisations need to have a security outlook that takes into account both those situations.”

So how then is security in-the-cloud done? In the case of pure-play cloud services it’s fairly straightforward.

For email, the managed security service provider (MSSP) deploys a content filter into a data centre which has access to the Internet and a connection back to the customer.

Then it’s simply a case of making sure the customer’s MX records route inbound mail through the MSSP’s data centre, which provides a secure service that is ideally mirrored and fault tolerant.

Web content filtering is done in a similar way, using a proxy server in concert with a content filter.
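The MX-record step above has a companion check that the article does not spell out: redirecting MX records only puts the filter in the path if the customer’s own mail server stops accepting SMTP from anywhere other than the MSSP. The following script is an added example, not code from the article or from any vendor quoted in it. It audits a domain’s MX records and its inbound firewall rules against an MSSP’s delivery hostnames and published IP ranges; the MX data, rule set, MSSP domain and address ranges are all constructed placeholders.

```python
"""Audit that inbound mail really flows through the cloud filter (added example).

Two checks, run against data captured offline (all values below are constructed):
  1. every MX target for the domain lies in the MSSP's delivery domains;
  2. the firewall rules that allow SMTP (TCP/25) to the on-premises MTA only
     admit the MSSP's published source ranges.
A stray MX record or an "allow any" rule on port 25 means mail can reach the
MTA without passing through the MSSP's content filter.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: MX records for the customer's domain as (preference, target).
MX_RECORDS = [
    (10, "mx1.mssp.example."),
    (20, "mx2.mssp.example."),
    (30, "mail.example.com."),   # legacy direct-delivery record left behind
]

# Hypothetical MSSP delivery hostnames (suffix match) and published source ranges.
MSSP_DOMAINS = ("mssp.example",)
MSSP_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]


@dataclass(frozen=True)
class FirewallRule:
    source: str       # CIDR of permitted/denied source
    dest_port: int
    action: str       # "allow" or "deny"


# Constructed: inbound rules protecting the on-premises MTA.
FIREWALL_RULES = [
    FirewallRule("203.0.113.0/24", 25, "allow"),
    FirewallRule("198.51.100.0/25", 25, "allow"),
    FirewallRule("0.0.0.0/0", 25, "allow"),   # leftover "any" rule sidesteps the filter
    FirewallRule("0.0.0.0/0", 443, "allow"),  # unrelated to mail, ignored by the audit
]


def _in_mssp_domain(target: str) -> bool:
    """True if an MX target (with or without trailing dot) belongs to the MSSP."""
    host = target.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in MSSP_DOMAINS)


def misrouted_mx(records) -> list:
    """Return MX targets that do not point at the MSSP, lowest preference first."""
    return [target for _, target in sorted(records) if not _in_mssp_domain(target)]


def overly_open_smtp_rules(rules, allowed_ranges) -> list:
    """Return sources of port-25 allow rules that are not fully inside an MSSP range."""
    offenders = []
    for rule in rules:
        if rule.action != "allow" or rule.dest_port != 25:
            continue
        src = ipaddress.ip_network(rule.source)
        # subnet_of() raises on mixed IP versions, so compare like with like only.
        covered = any(src.subnet_of(rng) for rng in allowed_ranges if src.version == rng.version)
        if not covered:
            offenders.append(rule.source)
    return offenders


def audit(records=MX_RECORDS, rules=FIREWALL_RULES, allowed_ranges=MSSP_RANGES) -> dict:
    """Combine both checks into one report; empty lists mean the routing is clean."""
    return {
        "misrouted_mx": misrouted_mx(records),
        "open_smtp_sources": overly_open_smtp_rules(rules, allowed_ranges),
    }


if __name__ == "__main__":
    for finding, detail in audit().items():
        print(f"{finding}: {detail}")
```

In practice the MX list would come from a DNS lookup and the rules from the firewall’s export, but the two functions are deliberately pure so they can be run against captured data during a change review; the same audit applies, with a different port, to the proxied web path described above.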

When it comes to securing information, data and intellectual property that’s in-the-cloud, however, whether it’s residing in Salesforce.com or in an online backup service such as Mozy or Carbonite, that’s another matter, said Turner. “There’s been very little talk about two very important aspects: encryption and who is able to access that data.

“Vendors can give broad sounding disclaimers [about encryption in-the-cloud], but until it actually has been tested and there’s surety about that, most organisations will and should shy away from it unless it’s been provided by a reputable vendor who can walk a customer through every single step and then prove it. With the access aspect, there needs to be a discussion about strong authentication, in-the-cloud identity management.”

The promise to all of us – organisations and consumers – is that by parking all our data in-the-cloud we’ll be able to access any of that information, anywhere in the world on any device, but that won’t happen until there’s strong authentication.

But aren’t Cloud Computing and security in-the-cloud just a lot of hype, the next round of vapourware? Well, it depends. Some Cloud Computing functions just aren’t quite there yet; Google Docs is a perfect example of this.

It’s a great idea and a lot of writers would use it if it was just a bit better, but it’s got some way to go.

With other services such as sales force automation, SaaS has proved to be outstandingly successful as evidenced by the continuing growth of Salesforce.com.

In other areas doing a function in-the-cloud is simply a no-brainer, and organisations need to justify why they’re not using these services rather than why they should, but these examples tend to be very narrow and have been commoditised to some extent.

The perfect example of this sort of function is email filtering. With spam volumes approaching 70 to 80 percent of all email traffic it’s a case of why wouldn’t an organisation use a third party to intercept the flow of electronic effluent, cleanse it and send it on its way?

Croft has certainly been seeing steady growth in this area.

“For a couple of years there has been an appetite for in-the-cloud services, but I think there is a bit of a split emerging as originally a lot of services were long on promises and selling themselves as being able to provide full security in-the-cloud for mail and web. That’s split a little because the mail services in particular are now bought for what they’re really good at which is bulk low-level security for spam and viruses.”

While it might seem like a no-brainer now, nearly 10 years ago spam filtering in-the-cloud was a confronting, way-out-of-left-field proposition for many organisations.

Many factors have been driving take-up of security in-the-cloud since then, with the rising tide of spam and the sheer quantity of viruses, worms and Trojans being a major one, said Mark Sunner, chief security analyst at MessageLabs.

“In 1999 we started off selling the idea of email hitting MessageLabs first, us cleaning it and then sending it down a clean pipe to the customer and it was a very confronting concept,” he recalls.

“People had huge issues, it was flying in the face of years of companies doing all that sort of thing themselves.

Now the SaaS model has been validated and with the Zero Hour threat likely to head towards the net – it’s entirely logical to be purifying major parts of the Internet such as email, web and Instant Messenger at an Internet level.

“The whole model in 1999 was a real struggle to portray what MessageLabs was offering, but those fortunes changed about 2003, ironically fuelled by spam. Worms such as Sobig, Netsky and Slammer had hit, which woke people up a bit, and then we had spam going through the roof and the first botnets etc.

“When people found they were receiving 10,000 emails an hour, burning huge amounts of bandwidth and processing power and the level of spam went to 60, 70, 80 percent there was a switch from our staff making proactive calls to our phones ringing. It wasn’t so much that people became enamoured with our technology, it was that the environment had changed.”

Phil Vasic, ANZ country manager, Websense, said the main driver follows the well-established principle of organisations sticking to core businesses and outsourcing anything that’s expensive or difficult to a specialist.

“There are a couple of key points when you’re talking about commoditised email and web filtering-style products. Return on investment from a cost perspective is a huge advantage for security in-the-cloud, as is not having to constantly patch and upgrade the IT environment. And companies generally recognise that spam is not going away, it’s only getting worse and it’s not a core business to have someone spending hours a day working out what should and shouldn’t go through.”

Another major driver for cloud-based security services is the increasing premium the employment market is placing on security skills, said Turner.

“As a nation, as a world economy, we don’t have enough security-trained people to go around so there’s a huge disincentive for mid-size organisations to invest in security. For SMEs wage pressure and being able to get their hands on the right people is a continual issue, so if they can get it taken care of in-the-cloud why wouldn’t they?” For larger organisations that may well be able to afford to pay there’s still the issue of getting people to stay.

“If you’ve got a highly trained, competent security administrator you wouldn’t give them a laptop to fix, so even large organisations can provide better job satisfaction by outsourcing the more commoditised security functions,” Turner added.

Pullen added that there is another factor, yet to hit the market, that will be really big, and recent events around the hacking of American vice-presidential candidate Sarah Palin’s email account bear this out.

“The Gartner research report ‘The Business Impact of Social Computing on Identity Management (G00160622)’ argues that if you look at all the information that is out there on the Internet on sites such as MySpace, Facebook, Twitter etc, if you can aggregate all of that, personal information will no longer be an effective way to authenticate people. Companies are going to need to develop an authentication and identity management architecture and it’s only logical to put it into the cloud as it’s going to be very, very expensive to build and maintain and the cost will need to be spread across as many users as possible.”

But while there has been a lot of growth in security services in-the-cloud, and growth seems likely to continue for some time, there are still some major inhibitors.

Some of these are functional: areas which in-the-cloud security services address poorly. Others are more emotional or cultural.

Croft admits that in-the-cloud security services “are not good at the policy or more complex elements of security application such as outbound control.

Once information is outside the organisation it’s in the wild and you’ve lost control. So there’s a limit to what in-the-cloud mail security services can do.

“On the web side you’ve got the same issue about protecting outbound with something existing outside of your organisation’s perimeter. On top of that in-the-cloud services for web suffer from the technical issue of having to have all your web services and all your web browsing proxied through something which is away from your infrastructure which introduces a latency and a reduced end-user experience. A lot of security services can’t be outsourced, and in-the-cloud services need to be standardised, commodity services to get economies of scale. Also a lot of organisations have a large investment in people and infrastructure so if you have to have a service outside doing the simple stuff and people inside doing the hard stuff then you’re paying double in some ways.”

Sophos’s Ducklin is even less upbeat about the whole idea of security in-the-cloud and believes that there comes a point where organisations have to look at what doing security in-the-cloud really means.

“Some people will try and sell you SaaS which means someone will do your mail scanning for you somewhere else, web scanning and filtering someone else will do it for you, someone will run your email for you and in many cases will actually run your email offshore.

Which means that your emails will be stored in another country, possibly even in a range of other countries, and the security will be implemented by the nationals of other countries who are able to read your email.

“That’s a terribly bad idea, it’s crazy, you really shouldn’t do it. If you can’t take charge of your own intellectual property, email etc. the idea of giving it over to a service where you’re not sure whose jurisdiction your mail falls under is crazy.

And the idea of doing everything in-the-cloud begs the question of how you are going to access the cloud. Are we all going to have thin-clients? The problem is that today thin-clients are like the Asus Eee PC, full-blown PCs in their own right, because people want to be able to work offline as well as online.

“There’s a good reason to have some software services implemented in-the-cloud, the idea of turning over everything to someone else is not a good idea. What happens if the service is not available? You can’t do anything, you have no resilience over even temporary outages and you don’t have direct personal control over your own data which could be a problem. Abrogating all rights and responsibilities over your own data is going far too far but it does help to have some of security related data pre-filtered by your ISP for example so you don’t have to download it and then delete it.”

Turner believes that for many organisations there’s still an issue of control.

“If people can reach out and touch it, it’s theirs.”

Sunner added that in many ways security in-the-cloud is still quite new as a technology.

“It’s very easy to forget that this not easy for some people and when you’re talking about SaaS you’re talking about something that has only been around for several years and you’re up against the practice of an organisation doing security for itself for decades.”

So how can resellers make money out of security services in-the-cloud?

In many respects in-the-cloud services can be very attractive for a reseller.

Either reselling an MSSP’s services or developing in-house capability can lead to recurring revenue as the existing customer base is signed up, and there’s the added advantage of making it that bit harder for customers to go to another company.

“If you’re reselling web and email filtering, you’re getting annualised recurring revenue for the lifetime of that customer contract,” said Sunner.

“And the low touch nature of the approach is very attractive, there’s no hardware or software, but the downside is that it may seem new and alien and it can be difficult to describe what the service is and its true benefits rather than the technology.”

Vasic said vendors should be providing their partner base with training through a variety of modes such as webinars and road shows.

He added there are also advantages of shorter sales cycles and greater margins.

“It’s also very easy to trial and a high proportion of customers who do the trial tend to sign up.”

RSA’s Pullen was more downbeat about resellers’ and SIs’ prospects as more and more capability migrates into the cloud. “It’s going to be a challenge.

If you look at the evolution from reseller to SI to Unified Communications to Web 2.0, the shape of the organisations in those segments is quite different. And as a lot of these capabilities become available to be consumed over the Internet the role of the SI is going to decrease.

Do you need to go to an SI to buy Salesforce.com?

No.

Do you need a business process consulting organisation to help you define how you use Salesforce.com?

Probably.

“So if anything, it’s going to be the consulting services from a business perspective about how to use these tools rather than selling software.

And that’s the challenge, because when you get to that level you have to have highly skilled people, and there needs to be a lift in knowledge in the reseller channel base to do that.

“You can just go and buy Salesforce.com but if you’re buying for 5000 seats there has to be a whole change management process; education, what do the screens look like, how does the workflow work, how do you integrate it with your other systems? It’s business consulting rather than IT consulting and that will be the shift in the marketplace and resellers and SIs need to recognise that that’s what’s going to happen and work out how to do it.”

Neil Readshaw, senior software engineer at IBM’s Australia Development Laboratory, echoed this view.

“The way to be successful in selling it to customers is to start by really understanding the customer from the business perspective of what they want to achieve and making sure that anything you consider from a security perspective is consistent with enabling those business outcomes rather than selling technology for technology’s sake.
And particularly in security where there are some very technological solutions it’s easy to get dragged into a speeds and feeds discussion rather than remembering that IT security needs to align with the business objective.”