The Virtualization of Security and the Rise of Security as a Service
In the same way, the cloud emerged from software virtualization, cloud security can only emerge from the process of virtualizing security itself. As virtualization separated software from hardware, allowing enterprise software to freely move first across servers and eventually to external cloud infrastructures, security must now be separated from enterprise applications so themselves can be replaced with new cloud applications and eventually move to specialized clouds. Enterprises worldwide are already embracing the cloud for email, CRM, file sharing, collaboration, HR and other functional business applications. To properly manage cloud risk and compliance, IT needs a consistent way to inject its own security policy across cloud applications. Since these applications are operated by different cloud providers with different security capabilities, distinct security frameworks and diverse APIs, the security needs to be implemented outside these cloud applications.
That separation or virtualization of application security is the raison d'etre ofSymantec O3: the creation of a security control point outside the application and under the governance of IT. The cloud security gateway integrates with the legacy security infrastructure that it fully leverages to externalize application security. In doing so, the cloud security gateway separates the security infrastructure from the application infrastructure. The application software is then free to move to the cloud. The complex security infrastructure does not need to follow it. All IT security controls remain in place. This approach of security virtualization can be applied to any type of application, internal or external, whether it is running on a private or a public infrastructure. This allows CIOs to morph their cloud strategy overtime. An enterprise can start with SaaS and virtualized application running on a private corporate cloud. These private clouds can then transform into semi-private clouds (virtual private clouds or hybrid clouds). Eventually the whole IT infrastructure for application can be replaced with public clouds such as IaaS or PaaS. The security infrastructure, on the other hand can persist. The same security policies can be enforced. There lies the true benefit of cloud security virtualization: a single security infrastructure independent of the cloud providers.
What happens next? As CIOs become increasingly comfortable with not running the infrastructure, the complex security infrastructure must also go to the cloud. Security becomes its own cloud. The cloud transformation is complete. First the cloud security gateway, then security infrastructure as a service. Like virtualization was the catalyst for infrastructure as a service, the application security gateway becomes the catalyst for security as a service.
Can it mean that security companies must become specialized security infrastructure providers? Is their fate to become exclusive arm dealers to enterprise cloud builders, instead? Interestingly, security may well be the only viable answer to the infrastructure commoditization strategy embraced by the likes of Amazon and Google. This fact alone will make it worthwhile watching the enterprise security and infrastructure markets. So let us stay tuned. The security revolution is being televised. In fact, it appears that it will be streamed straight from the cloud.