As CTO, I spend my days (largely) on two things: technology and the customer.
So what I hear from our market on topics such as security is of paramount importance in driving HOSTING’s delivery strategy. However, while we certainly offer an array of security components and solutions, such as cloud firewall, threat and log management, SSL VPN, file integrity monitoring, etc., I wanted to share my high-level, business-driving thoughts on security — arguably the hottest topic in cloud technology — through the lens of a service provider.
I’ll position this blog in terms of the questions I most often receive from prospects, customers, analysts and others in the industry.
Do your customers consider security to be optional?
It’s very rare that a customer would consider security — as a whole — to be optional. “Of course security is important to my business!” The good news is, services such as firewall are becoming commonplace in deals and are not considered optional. However, others, which frankly constitute “security as a whole,” are far less prevalent in deals, e.g., centralized log management with alerting, even though it is often called for based on compliance/regulatory requirements.
To whom does the responsibility belong for overall security — the customer or the cloud services provider?
Does a customer consider it to be the cloud service provider’s responsibility to secure the entire application stack? Or, do they consider it the service provider’s responsibility to secure only the core cloud infrastructure, sharing the responsibility to secure the customer-specific infrastructure and application environment?
Initially a customer that brings a cloud service provider a greenfield application — even an app previously run in-house — will oftentimes consider security in total to be the service provider’s responsibility. It’s important to proactively educate your customer. Many service providers provide RACI matrices that delineate where the responsibilities for security lie — with the provider or the customer.
As an example, many cloud service providers offer a File Integrity Monitoring (FIM) service that runs integrity checks against files and reports on inconsistencies or changes in the environment. The cloud service provider installs and provides controls and automation for monitoring and checking the customer’s file-set. However, the service provider likely does not provide remediation, as they are unlikely to know the customer’s application and codebase. Once a file has been changed and is potentially a compromised file, the customer must act — as only they know their application.
Have you found that delivering security solutions is inherently different than delivering other IT infrastructure services such as storage and backup?
Education is the top challenge that we face. As IT leaders tackle moving their applications to the cloud, they likely understand compute, storage, and memory requirements. That being said, understanding the cloud service provider’s built-in or baseline security solutions versus customer-driven optional features is tricky. These need to be clearly defined (and chosen) during the solution discovery phase of a deal. For example, most cloud service providers likely have security zone isolation — through firewall VLAN services or similar practices — built into the design of their solution. However, the customer may not understand the problem that a service such as threat management solves until it’s too late — and the customer environment has been compromised.
Do you believe there will be a time when security is positioned as a core cloud service, alongside compute, storage and networking?
I do, but there is a long way to go. It will take cloud service providers, working together, to step back, look at regulations and compliance requirements, and develop standards that will continue to drive us there. Committees such as the Cloud Security Alliance are helping to drive some of this.
We all know that security comes up in customer surveys as one of the leading inhibitors to cloud adoption. Do you find that it also comes up in day-to-day selling situations as an objection?
Yes. Expertise and cost of entry are barriers for some today. Again, it all comes back to education. Exactly which customer problems are being solved by the inclusion of threat management into a deal? The sales team must become proactive in addressing the fear of the unknown with security in the cloud. Only then will the customer dip their toe in cloud adoption waters. Reading through the PCI DSS 2.0 document, as an example, is a beast of an exercise. Cloud service providers should be that expert that puts the customer at ease. Show the security services you provide, who owns the responsibility of supporting each, and how each fills the gaps/inhibitors as they relate to business issues. In short, show some value!
Is the security industry doing enough to provide cloud service providers what is needed to deliver security solutions to meet the requirements of your end customers?
Not yet. Cloud service providers need to build more services to enable their customers to solve a problem alongside them. In order to do that both efficiently and effectively, they need access to tools such as feature-rich APIs that differentiate their services. Many organizations in the security industry are still trying to position their products in the market as the silver bullet. This is fine, but typically they need a cloud service provider to put all of the pieces together. In order to do that, the security providers must make their solutions flexible in terms of consumption and integration.
Are there enough security solutions that are cloud-friendly?
We’re getting there. Many devices now have OVF/VMDK (virtual) options. This enables the cloud service provider to put security solutions into their deployment tools to make it easy for the customer to consume. Believe it or not, on-boarding challenges rank very high among the top barriers to entry. We need to make it easier to consume security across the board — even for the cloud service provider.
What can security vendors do to improve their understanding of cloud service provider delivery models?
I would advocate for a journey mapping exercise: Map how the cloud service provider delivers their services today. Sit with this service provider and understand — from time of quote to the delivery of the service — what that experience is like. Then find ways to make it a more seamless process for both the end user and the cloud service provider customer. HOSTING did this with one of our security partners, Alert Logic, earlier in 2013 to make the customer on-boarding process easier. It resulted in building a stable of happy security customers.
What can security vendors do to better enable cloud customers to consume security “as a service”?
Simple: Feature-rich API. Packaged applications (VMDK/OVF). Automated workflows to on-board the customer. Deeper alerting processes when a customer is not following standards (once the service is deployed). These would be a great start.
Thinking ahead 1 – 2 years, how do you see your company positioning security to your customers? Are there opportunities you’re particularly excited about?
Over the last year, HOSTING has focused on aggregating the status of many of our services into a single cloud visibility report — with summaries for both the business leader and the technology leader — as well as detailed performance that provides actionable information. We call it HOSTING 360° Report.
360° Report gives customers a monthly set of KPIs that shows the health of their environment via a score that is tailored to the specific business priorities of that customer. These KPIs roll up into scores for things like capacity, availability, recovery, and yes, security. We are excited to continue to expand this proprietary functionality, as our customers/CIOs are consistently asking for these high-level reports. With this tool, they can make intelligent business decisions without necessarily being in the weeds.
However, in order to do this, we need security organizations to continue to give us the tools to differentiate in the market and solve the customers’ problem of “security uneasiness.”
If you want to learn more about some of the security services that HOSTING has out there, be sure to check out this page.