Concerns for the security of application run in the cloud are running high. The perceived lack of security of cloud platforms is often cited as the primary obstacle to adoption. Whether "cloud" is defined as infrastructure as a service (storage and compute services ala Amazon), platform as a service (application deployment environment ala Google App Engine), or simply as application outsourcing (SAAS ala SuccessFactor), almost everyone is lamenting at the security inadequacies of these new computing platforms.
This raises the question whether cloud providers should envision becoming security companies. After all, why would CIOs ever shift their entire IT infrastructure to the cloud unless the cloud came with strong security, compliance assurance and operational risk management? Conversely, should security companies rapidly transform themselves into cloud providers? After all, why would an enterprise that has crossed the Rubicon of moving the IT infrastructure to the cloud ever want to keep on buying security from a security company? Instead, would not enterprises customers expect cloud service providers to bake in security as part of the cloud offering? Despite the need for secure clouds, security companies are not yet focusing on IT infrastructure as a service. Instead, most security vendors are exploring security as a service, that is the cloud as a delivery mechanism for traditional security services. The MessageLabs acquisitions by Symantec, the MX Logic acquisition by McAfee and the recent acquisition of ScanSafe by Cisco gives credence to the popularity of the cloud as the savior for all enterprise security companies faced with the spectrum of contracting software licenses revenue and profit margins.
Interestingly, the so-called insecurity of the cloud does not need to be a perennial curse. The shift of IT to the cloud actually provides a significant opportunity to improve the way we do IT security today. In the same way as the cloud is transforming IT deployment and management, it will transform security. Consider for example, vulnerability and patch management. From a security standpoint, the most tangible risk is the failure to keep up with the constant, labor-intensive process of patching, maintaining and securing each server in a company. Although vulnerability assessment can be automated through external network and application penetration testing, there is still a lot of labor-intensive process and extreme customer pain in patching networks, servers and software: ports must be closed, networks must be segmented, patches must be installed installed, application code needs to be changed, etc.
Contrast this to what the cloud can enable. If an application is running in the cloud, the cloud provider takes responsibility for the hardware, OS, network, and third party software, making sure they are hardened and certified. A choice of infrastructure elements with varying security assurance levels is offered, but the customer internal security policies govern deployment. All infrastructure elements are periodically pen-tested for known and zero-day exploits. As new vulnerabilities are identified, an automated patch process is implemented. New virtual images are built and automatically deployed across the virtualized infrastructure. Virtual switch segments and firewall rules are updated in real-time. When vulnerabilities are found in the custom IT application code, a virtual Web Application firewall automatically blocks them. Virtual IPS and IDS capture, correlate and log all security events. Compliance logs, reports and scan results are automatically sent to customers and auditors whilst being securely archived. An end to end managed security model, orchestrated by a pool of specialized and over-trained security administrators becomes possible; a far cry from today's reality of patching and software security maintenance.
Therefore, far from being a security liability, the shift to the cloud is an opportunity to streamline, automate and strengthen IT security. For progressive security companies, this could be game changing. For those unable to renounce their addiction to an aging licensing business model, it could be doomsday. In the same way that the cloud is challenging software platform vendors and ISVs, the cloud is about to disrupt the world of security. The quest for security differentiation in cloud platforms may even drive industry consolidation. Of course, skeptics will assert that the cloud is a fad and that nothing is really changing (watch Larry Ellison at the Churchill Club exposing the hype). Denying the transformational nature of virtualization (the genuine cloud OS) and multi-core computing technologies may be shortsighted. Ignoring the business model disruption of pay-as-you-go over software licensing may prove unwise. Personally, after a year of contracting GDP and anemic recovery forecast, I find it invigorating to believe that one in a decade technology disruptor and market breaker lies right in front of our industry. Displeases Mr Elisson, for once, keeping your head in the cloud may be the smartest IT business strategy for the many years to come.