I was reading an article on GigaOm about a presentation at the Structure 2012 conference in San Francisco today. At first I thought it was going to be the usual “security is still the biggest obstacle to the cloud” drivel that we have all read before. It was based on a presentation by Juergen Urbanski of Deutsche Telekom’s T-Systems. While Urbanski did say that security perceptions were still the biggest obstacle to wider cloud adoption in Europe (a mistaken perception according to Urbanski), he also noted a fear that seems to be almost bordering on paranoia by Europeans of the far reach of the US Patriot Act.

Regardless of your politics or feelings on the Patriot Act, I was not aware that in many parts of the world they view the Patriot Act as a means for the US Government to gain access to your data. I have seen in cloud computing where customers want to make sure that their data in the cloud is stored in data centers within certain geographies. Frankly, being from the US, I always assumed that US companies and especially US Government agencies wanted their data stored in US based clouds. It would seem that many outside the US have very different feelings about storing in the US.

Urbanski had this to say about security in the cloud concerns in general and Patriot Act fears in particular:

“If you peel back the onion a little bit, about 90 percent of those concerns are really perception versus reality — in other words, it’s evident to everyone that your money is better off in the bank, but with data, people are like ‘is it really safer in the cloud?’”

“Keep in mind that the issue of the U.S. Patriot Act is way overblown in the minds of European customers,” he added. “They will go to great length to keep their data outside the realm of discoverability, outside of U.S. data centers or U.S.-run data centers.”

But oftentimes one’s perception is their reality. It would seem that as long as the Patriot Act is on the books, we will see some reluctance from foreign companies to using the cloud, at least US based or US owned clouds.



I am fresh off a 10 day visit to SE Asia where I had a chance to teach a security workshop to IT and security folks from organizations throughout the region. There were folks from Thailand, Malaysia, Cambodia, Vietnam, Singapore, Papua New Guinea,  Brunei and other places.  It was a great opportunity to not only teach security, but to learn as well.

One of my observations is that while here in the US cloud security may be brought up as an obstacle to greater cloud adoption, in that region of the world not so much.  The IT culture there is already rich in outsourcing. The idea of outsourcing your data, hosting and security with it is not terribly upsetting. In fact the expectation is that the cloud or hosting provider would of course have better security than any one organization.  This was both refreshing and enlightening. It proves once again that once you get past control issues, service provider provided security is a superior choice in most instances.

The bigger obstacle to the cloud that I heard was the whole idea of IaaS vs PaaS, public versus private cloud, hybrid, etc. These are all still very new concepts. Virtualization itself is just starting to catch on. I don’t know, maybe as they become better versed in all of these concepts, security will become more important. But I think not, as outsourcing is just so ingrained.

One thing that I did hear loud and clear though was the need for better log management solutions.  Many of the folks I spoke to were dismayed by the amount of information they were logging and even more dismayed by the fact that they really didn’t do anything with all of that information. It would seem that a log-as-a-service or log management service would be very well received there. Note to Alert Logic folks!

Anyway, my biggest lesson learned was that whether in the US, Europe or Asia, security admins face the same challenges: getting budget approved, staying on top of the latest threats and understanding how security can better advance the goals of the organizations they work for.



With the launch of the Amazon AWS Marketplace the promise of change for how cloud apps products are sold, consumed and used is very real. What the app store did for phone apps, the marketplace could do for cloud apps.  This could be especially so for cloud security.

In the case of Alert Logic’s Amazon Marketplace offerings, the integration of provisioning and billing into the EC2 infrastructure will make it easier than ever to use these best-in-class offerings. But let’s face it, there are other security offerings available in the marketplace as well.  What kind of changes will the marketplace bring?

Some folks say it could lead to the commoditization of cloud security. If I have a multitude of IDS solutions, for instance, to choose from, how do I pick, or do I even care which one I pick? Do I read the reviews of other users? Look at the star rating of the app? I think for a certain segment of the market, yes, that is how they are going to pick their cloud security. But security is also somewhat unique.

For an analogy let’s look at the firewall market. Even though there are many choices in the firewall market, there are customers who pick and choose among the many options based on their own unique needs. The same will hold true for picking cloud security in the marketplace.

Customers are going to look at what is delivered. Ease of provisioning, ease of billing and perhaps most of all what kind of support options are available are going to be big factors. For more sophisticated buyers, the scalability and design of the solution will come into play.

For Alert Logic this is frankly what they have been pointing to for some time.  The Threat Manager solution available in the Amazon AWS Marketplace was designed to run in the cloud for the cloud. It features a multi-tenant back end that is scalable to public cloud levels of use.  The integration into the IaaS infrastructure of the Amazon EC2 is deep, with provisioning and billing working seamlessly with Amazon’s own services via an Alert Logic developed API. But most of all, Alert Logic has the security research team and expertise to make your security and compliance burden a lot lighter.

Managed services and security support will prove to be the killer app of the marketplace for cloud security.  Making security as easy to provision and pay for is a great start, but many customers need help in the day to day operation and management of their security and compliance solutions.  Security-as-a-Service as Alert Logic calls it will allow their solutions to stand out from the marketplace crowd and become the preferred cloud security solution available.

Cloud Marketplaces and app stores will continue to make cloud security solutions available to customers. The differences between them may cloud (no pun intended) from one solution to the other. But there is no substitute for support in security. Managed security services will separate the leaders from the also-rans in the security marketplace.



With the release of Amazon Marketplace and security solutions like Alert Logic’s Threat Manager available, a profound change in how we choose and consume cloud security may be underway. Where do security and the security vendor fit into this brave new world? This is exactly the topic of a panel on cloud security which I chaired at the recent America’s Growth Capital Partners Conference during RSA week in San Francisco.

The panel was comprised of an all-star cast. I was very lucky to be joined by Gray Hall, CEO of Alert Logic, Gary Fish, CEO of Fishnet, Simon Crosby, formerly of Xen and Citrix and now Bromium, Jay Chaudhry, CEO of Zscaler and Don Gray, Chief Security Strategist at Solutionary.

Here is the abstract from that panel discussion:

The Cloud has evolved and matured since it burst on the scene just a few years ago.  Likewise our views around cloud security have also evolved and matured. No longer are we asking, “Can we secure the cloud?” or “Will we secure the cloud?”. Instead we are asking “How will we secure the cloud?” 

 Like it or not cloud security is here to stay. Just as the cloud itself brings both the promise and the threat of disruptive technology and business model change, so does cloud security bring both the threat and promise of disruptive change to the security industry.

 The consensus now seems to be that any cloud security strategy that has a chance to succeed will have to be a hybrid model, where the cloud service provider will provide some of the necessary security and the end user will have to supply some element of the cloud security formula.  Which party is responsible for supplying which element of security may vary from provider to provider and model to model.  But where does that leave the security vendor?

 Does the security vendor sell to the end user directly? Is the cloud provider a customer or reseller of the security vendor? If cloud security takes a village, where does the security vendor live? The answer to this question will determine the cloud strategy and the survival or failure of many security vendors.

One of the initial questions to the panel was what would be the nature of the relationship between the security vendor and the cloud customer. Specifically, what if cloud security became a commodity, available in an app store, self-serve model? This commoditization of cloud security would determine significant parts of that relationship.

Would choosing a security solution become who could yell the loudest? The loudest bling wins? What about apps in smartphone marketplaces? Would you buy your security solution based on reviews of others? How popular it was? The answers by the panel members were very revealing.

Simon Crosby and Jay Chaudhry said something along the lines that with the cloud, security as we used to know it was obsolete. Don Gray at Solutionary had a very different view. He said the cloud didn’t change anything and it would still be the same kind of solutions being used, with the cloud providers being both resellers and consumers. Gray Hall had a very different view than Don. He said that fundamentally cloud security had to be different than traditional security in its design, in what and how it protects and (in light of the Amazon marketplace very true) how it was provisioned.

We talked about a model where physical servers certainly would not scale in a cloud environment (though Don Gray I am not sure agreed with this), but that even virtual servers are probably an evolutionary step, but dead end. Jay and Gray both felt pretty strongly about this. True multi-tenant architecture was going to be required in order to endow cloud security offerings with the same elasticity as the cloud itself features.

In order for this to be a reality you needed solutions not only designed for the cloud, but in the cloud. By the cloud, for the cloud was what most of the panel agreed was necessary (again except Don Gray).

Frankly, this is exactly what Alert Logic has been building and developing for several years. So it is no surprise that with the launch of Amazon Marketplace, Alert Logic would have one of the first security solutions available in it.  The inevitability of Security-as-a-Service is something they have believed in for some time. We will look at why Security-as-a-Service is the right model for the cloud in a later post.

But back to the question of where does this leave the relationship of the security vendor, the cloud provider and the cloud customer. Does the security vendor deal directly with the end user? What does that make the cloud provider?

In the case of Alert Logic they partner with cloud providers and jointly offer solutions to end users. But some security areas will be covered by the cloud provider and some by the end user customer. Some security companies will offer solutions to both. So while a cloud provider is a partner of a security vendor, they can also be a direct customer.

In our Amazon Marketplace example, an end user is buying the security vendor’s product. But it is billed and integrated into the AWS. So at some level Amazon’s stamp of approval is an integral part of the trust relationship.

As can be seen this is a much harder question to answer than first blush would indicate.  Real world cloud security experience such as what Alert Logic has experienced shows that the relationship will change depending on the technology, mission and infrastructure. But it is fair to say that both the security vendor and the cloud provider are in a joint relationship with the end user. The end user must have confidence and trust that both their security vendor and provider are working together.  Being listed in the Amazon Marketplace is an indication of this.



The much-anticipated Marketplace for Amazon Web Services (AWS) officially launched today. The marketplace has the potential to transform the way apps and services for the Amazon Cloud infrastructure are bought, provisioned and used. What the iTunes app store did for smartphone apps, the Amazon Marketplace could do for cloud apps and services.

With the launch of the Amazon Marketplace, one of the first security solutions available in the marketplace is the Alert Logic Threat Manager for Amazon Elastic Compute Cloud (EC2). Building on the existing relationship between AWS and Alert Logic as well as the availability of Alert Logic security solutions and services, the Marketplace offering by Alert Logic “represents a major change in how customers acquire Alert Logic’s network security services. Customers seeking vulnerability assessment and intrusion detection can quickly provision Alert Logic Threat Manager for Amazon EC2, and immediately start protecting their infrastructure running on the AWS platform in a cost effective way.”

New management APIs from Alert Logic provide 100 percent automation for all provisioning functions, and customers will be able to purchase Threat Manager for EC2 via their regular AWS bill, using the same payment method they use for the rest of their AWS infrastructure. Misha Govsteyn, VP of Emerging Products at Alert Logic said, “Alert Logic Threat Manager for Amazon EC2 is completely self-service and flexible, making it possible for customers to provision new resources and easily scale up or down as their needs change.”

For apps and services in general, and cloud security related apps and services in particular, a marketplace in which they have to compete for the attention of users promises to change the way we consume security and how security companies design and deliver security solutions.

This was a subject that was discussed at a panel on cloud security that I chaired at the recent America’s Growth Capital Partners Conference in San Francisco. I was lucky to be surrounded by an all-star panel that included Gray Hall, CEO of Alert Logic, Simon Crosby of Xen, Citrix and now Bromium, Jay Chaudhry of Zscaler and Gary Fish of Fishnet. I will discuss this in another blog post to follow.

For now, the story is that the Marketplace for AWS is finally here and Alert Logic is one of the first security offerings available there.



From CIO on “How Secure is the Cloud? IT Pros Speak Up”  Happy Friday!


The public cloud security landscape took a step forward today with the official announcement that Alert Logic’s Threat Manager and ActiveWatch for Amazon Web Services (AWS) were released for general availability. Built from the ground up for the Amazon EC2 platform, the offering allows Amazon customers to quickly and cost effectively add the Alert Logic managed security services to their cloud instance.

The offering includes both Threat Manager which combines intrusion detection and vulnerability management using Alert Logic’s “patented expert system, which includes 7-Factor Threat Scenario Modeling, purpose-built grid computing infrastructure and API-driven provisioning capabilities” and Active Watch, “which provides 24×7 monitoring and expert guidance services from Alert Logic’s Security Operations Center (SOC) staffed by certified security analysts”.  So customers can choose to either use the SaaS based Threat Manager or the fully managed Security-as-a-Service Active Watch as well.

Up until now security solutions for public cloud environments have been a combination of what the cloud provider has built into the IaaS platform itself and a hodgepodge of other solutions cobbled together that don’t always work in the massive scale of a public cloud.  Alert Logic has been working with Amazon on this solution for many months.

“We are pleased to have Alert Logic as an AWS Solution Provider focused on enhancing security for customers,” said Terry Wise, Director of Business Development, Amazon Web Services. “Security is paramount, and with our shared-responsibility security model, customers are able to choose a solution that best meets their applications’ needs, while AWS remains focused on providing secure, on-demand, pay-as-you-go cloud infrastructure.”

Several customers have been using the solution for some time already. One customer, Element115.net, was featured in the press release:

“After a lot of consideration, we migrated to Amazon Web Services to achieve cost efficiencies and elastic scalability, but we were mindful that our customers entrust us with not just delivering application availability, but also advanced data security,” said Venkatesh Korla, CEO of Element115.net. “We are impressed with Alert Logic’s ability to cost effectively satisfy the demands of our customers for advanced network security services in the Amazon Web Services environment.”

While this solution is unique to Amazon, one can plainly see that this is a first step in rolling out similar solutions in other public cloud environments. As we see more solutions built exclusively for public cloud environments, customers should have more choices and options for securing their public cloud infrastructure.

Full blown Security-as-a-Service solutions such as this will allow customers to focus on their core business, allow cloud providers like Amazon to focus on their infrastructure offering while a dedicated security expert like Alert Logic handles the security. This is the future of public cloud security available today!

If you are interested in signing up for the Alert Logic AWS solution you can sign up at: http://cloud.alertlogic.com/



At my panel at the America’s Growth Capital Partners Conference today a threshold question was: is there a difference between cloud security and on premises security? The answer was almost a unanimous yes. But that was more based on gut feelings and small scale observations. We now have a definitive answer to the question though. Alert Logic’s State of Cloud Security Report has answered the question once and for all. We have qualitative proof of the difference in the frequency and types of attacks we see in the different type of environments.

Examining over 2B security incidents across a variety of environments a picture emerges that we see very different kinds of attacks in the cloud than what we see on premises. You can download the report for free (and I strongly urge you to) to get all of the details yourself. Alert Logic looked at both the frequency and type of occurrences. There is plainly a difference between what we see in security on premises versus security in the cloud.

Alert Logic with over 1500 customers and many hosting/cloud providers was in a great position to pull all of this data together from across their data collection activities. Analyzing this data to find the trends that matter was a terrific piece of work by the Alert Logic security research team.


Now this does not mean that the cloud is safer than on premises per se, but it does give you pause to think. I think after looking at the data and analysis, it is hard to say that on premises is safer than the cloud though too. So those who seem hesitant to move to the cloud due to security concerns should take a close look here and maybe consider rethinking that assumption.

It also makes a good case for what we need to protect against in terms of cloud based attacks. Clearly web application security was a key driver in the kinds of attacks we see in the cloud. I am sure that observation played heavily into Alert Logic’s decision to acquire ArmorLogic and its WAF technology.

Alert Logic is planning to publish an update to the report twice a year. The State of Cloud Security Report should provide some great insight for anyone interested in the kinds of incidents and reports we see in the cloud.




Alert Logic announced today that they had acquired ArmorLogic, makers of the Profense web application firewall (WAF). The acquisition immediately gives Alert Logic a solution in what is probably one of the hottest areas of information security, web application security.

In addition to the announcement link above, Alert Logic has published a full FAQ on the acquisition here. ArmorLogic has sold their WAF as a traditional product up until this point. Alert Logic will be offering it as a Security-as-a-Service offering with a managed services option in the very near future.

I wanted to include Gray Hall, CEO of Alert Logic’s quote from the press release because I think it sums up pretty well the thinking of Alert Logic on this acquisition:

“Armorlogic has a reputation among its customers and partners for delivering world-class protection for Web applications while being easy to use,” said Alert Logic CEO Gray Hall. “As is often the case for emerging technology companies, great products meeting real customer needs are unable to achieve broad market penetration. Alert Logic’s ability to transform Armorlogic’s product into a fully managed SaaS offering, coupled with our outstanding partner network including the leading hosting and cloud service providers in the world, gives us the ability to bring a market-leading WAF solution to the market segment that needs it most.”


I think the idea of offering WAF as a Security-as-a-Service type of offering is a key enabler to WAF reaching critical mass.  Making it easy to deploy, more affordable and offering help in managing WAF are three of the biggest reasons we have not seen WAF more widely adopted, even though it is practically mandated by the PCI DSS.

Of course WAF is an important technology for Alert Logic’s partners in the hosting and cloud provider channel.  This would seem to be a perfect fit for the AL channel.

Having been involved in my own share of acquisitions and sales, it is always a proud day for both the company acquiring and the folks selling. The ArmorLogic team should be congratulated for building a product and business that the market valued so highly that Alert Logic thought it worthy to acquire.  Congratulations are also in order for the Alert Logic team for recognizing a need in the market that they know they can fill and going out and executing on acquiring the solution.

I will have more to say about WAF and this acquisition in the coming days.




Nicholas Popp over on the Symantec blog had a post up earlier this week called “The Virtualization of Security and the Rise of Security as a Service”. I think Popp makes several points I agree with, but overall I think his definition of Security-as-a-Service differs from mine.

Let us first concentrate on what I agree with Nicholas on. Of course I agree that we are seeing IT move to the cloud. We are seeing a progression of private cloud to hybrid cloud and eventually to public cloud. Security is going to be an important part of this, as both an enabler of the migration and a requirement. Most importantly I agree with Popp that this will inevitably lead to Security-as-a-Service. As Popp says in his last paragraph:

 Can it mean that security companies must become specialized security infrastructure providers? Is their fate to become exclusive arm dealers to enterprise cloud builders, instead? Interestingly, security may well be the only viable answer to the infrastructure commoditization strategy embraced by the likes of Amazon and Google. This fact alone will make it worthwhile watching the enterprise security and infrastructure markets. So let us stay tuned. The security revolution is being televised. In fact, it appears that it will be streamed straight from the cloud.

Here is the graphic he has in his post:

But before we all light a campfire and sing Kumbaya let me say that I have real disagreements with some of Popp’s views. I think it is a case of when you are a hammer, everything looks like a nail. So for Popp from Symantec, the move to the cloud and the Security as a Service looks like taking Symantec’s security offerings, putting them in a virtual gateway and adding water.

That is not addressing the issue.  What Popp has us doing is taking on premises security and merely virtualizing it on a security gateway.  This way by removing the security from the infrastructure, you can take the infrastructure anywhere and still keep the security.

This is in contrast to what most people believe the future of cloud security will look like. An end user customer is not going to provide all of the security themselves. Security will be a shared responsibility between the cloud services provider and the customer. There is just no way that some virtualized security gateway sitting on the customer perimeter is going to secure the cloud provider’s infrastructure. The Security-as-a-Service has to be built in at the cloud provider level as well.

How the security vendor manages to serve both the cloud services provider, as well as the end user customer is the real question about the future of Security-as-a-Service. It is exactly this question that I will be addressing on the Monday of RSA week at the America’s Growth Capital Conference. Joining me on this panel to discuss the question are Gray Hall, CEO of Alert Logic, Gary Fish, CEO of Fishnet Security, Simon Crosby of Bromium, Jay Chaudhry, CEO of Zscaler and Don Gray, Chief Security Strategist of Solutionary.

There has got to be more to cloud security than what happens at the gateway. Also as I have written before, there is more to cloud security than just virtualizing everything. While virtualization is important, it is not the only factor in security or Security as a Service.

So Nicholas is correct, we are going to see a revolution in security and it will be streamed live from the cloud. It just won’t all be going through a virtualized security gateway.
