With the release of Amazon Marketplace and the availability of security solutions like Alert Logic’s Threat Manager, a profound change in how we choose and consume cloud security may be underway. Where do security and the security vendor fit into this brave new world? This is exactly the topic of a panel on cloud security which I chaired at the recent America’s Growth Capital Partners Conference during RSA week in San Francisco.
The panel was made up of an all-star cast. I was very lucky to be joined by Gray Hall, CEO of Alert Logic; Gary Fish, CEO of Fishnet; Simon Crosby, formerly of Xen and Citrix and now Bromium; Jay Chaudhry, CEO of Zscaler; and Don Gray, Chief Security Strategist at Solutionary.
Here is the abstract from that panel discussion:
The Cloud has evolved and matured since it burst on the scene just a few years ago. Likewise our views around cloud security have also evolved and matured. No longer are we asking, “Can we secure the cloud?” or “Will we secure the cloud?”. Instead we are asking “How will we secure the cloud?”
Like it or not, cloud security is here to stay. Just as the cloud itself brings both the promise and the threat of disruptive technology and business model change, so does cloud security bring both the threat and promise of disruptive change to the security industry.
The consensus now seems to be that any cloud security strategy that has a chance to succeed will have to be a hybrid model, where the cloud service provider will provide some of the necessary security and the end user will have to supply some element of the cloud security formula. Which party is responsible for supplying which element of security may vary from provider to provider and model to model. But where does that leave the security vendor?
Does the security vendor sell to the end user directly? Is the cloud provider a customer or reseller of the security vendor? If cloud security takes a village, where does the security vendor live? The answer to this question will determine the cloud strategy and the survival or failure of many security vendors.
One of the initial questions to the panel was what the nature of the relationship between the security vendor and the cloud customer would be. Specifically, what if cloud security became a commodity, available in an app-store, self-serve model? This commoditization of cloud security would determine significant parts of that relationship.
Would choosing a security solution become a matter of who could yell the loudest? The loudest bling wins? What about apps in smartphone marketplaces? Would you buy your security solution based on the reviews of others? On how popular it was? The answers by the panel members were very revealing.
Simon Crosby and Jay Chaudhry said something along the lines that, with the cloud, security as we used to know it was obsolete. Don Gray at Solutionary had a very different view. He said the cloud didn’t change anything and it would still be the same kind of solutions being used, with the cloud providers being both resellers and consumers. Gray Hall had a very different view from Don's. He said that fundamentally cloud security had to be different from traditional security in its design, in what and how it protects and in how it was provisioned (very true in light of the Amazon Marketplace).
We talked about a model where physical servers certainly would not scale in a cloud environment (though I am not sure Don Gray agreed with this), and where even virtual servers are probably an evolutionary step but a dead end. Jay and Gray both felt pretty strongly about this. True multi-tenant architecture was going to be required in order to endow cloud security offerings with the same elasticity that the cloud itself features.
For this to become a reality, you needed solutions designed not only for the cloud, but in the cloud. "By the cloud, for the cloud" was what most of the panel agreed was necessary (again, except Don Gray).
Frankly, this is exactly what Alert Logic has been building and developing for several years. So it is no surprise that with the launch of Amazon Marketplace, Alert Logic would have one of the first security solutions available in it. The inevitability of Security-as-a-Service is something they have believed in for some time. We will look at why Security-as-a-Service is the right model for the cloud in a later post.
But back to the question of where this leaves the relationship between the security vendor, the cloud provider and the cloud customer. Does the security vendor deal directly with the end user? What does that make the cloud provider?
In the case of Alert Logic, they partner with cloud providers and jointly offer solutions to end users. But some security areas will be covered by the cloud provider and some by the end user customer. Some security companies will offer solutions to both. So while a cloud provider is a partner of a security vendor, they can also be a direct customer.
In our Amazon Marketplace example, an end user is buying the security vendor's product. But it is billed through and integrated into AWS. So at some level Amazon’s stamp of approval is an integral part of the trust relationship.
As can be seen, this is a much harder question to answer than first blush would indicate. Real-world cloud security experience, such as Alert Logic's, shows that the relationship will change depending on the technology, mission and infrastructure. But it is fair to say that both the security vendor and the cloud provider are in a joint relationship with the end user. The end user must have confidence and trust that both their security vendor and provider are working together. Being listed in the Amazon Marketplace is an indication of this.