Alan Shimel, who somehow finds the time to contribute to what seems like hundreds of security blogs (including SCR), recently asked a number of good questions in his follow-up to my most recent post on Top 5 Reasons Why Traditional Managed Security Services Will Fail in the Cloud. My response grew long enough to overflow the comment field on his blog, so I’m publishing it on SCR instead. You can read Alan’s post here.
Alan, note that I specifically called out "traditional managed security services" and by extension pure-play MSSPs, rather than the concept of a managed security service. I also want to be clear – I am not questioning the role of managed security services in cloud environments. On the contrary, I think the largest cloud providers are missing the opportunity to deliver full solutions to customer problems, rather than just raw infrastructure.
I define MSSPs as companies that provide a broad set of outsourced security management and consulting services. In practical terms, this means that the problem they solve for customers is outsourcing the complexity/cost of managing and monitoring an otherwise unmanageable pile of security products from dozens of security vendors. The core value delivered by the MSSP model is staff augmentation, rather than unique technology capabilities. In fact, capabilities offered by most leading MSSPs are very similar and differentiation is achieved by breadth of services. The competitive model requires rapid integration of off-the-shelf technologies, while discouraging direct R&D investment.
The fundamental technology that allows MSSPs to offer their services is software that collects, transports and correlates security logs from various products. In many cases this is a highly customized commercial SIEM deployment, some form of "secret sauce" and a customer portal that provides an interface into what the Security Operations Center sees, through dashboards and reports. There have been MSSPs that attempted to build their technology stacks rather than integrate, such as Guardent, Counterpane and to some degree LURHQ. Ultimately, every one of these early MSSPs gave in to customer demand for multi-vendor support and answered the need for broad capabilities by integrating commercially available software rather than developing their own products, and/or ultimately being acquired by more generalized service-focused companies.
Yes, all MSSPs build some software, but as an exception to the rule and at a very different level than serious software shops. If you look at resource allocation, I am willing to bet that the number of staff responsible for security monitoring and consulting at MSSPs outnumbers software developers by a wide margin. In contrast, at Alert Logic we have more than 2X as many software developers as security staff. Trustwave is the lone MSSP that does not cleanly fit the prevailing model I’ve described, but software isn’t what drives their business. Most importantly, Trustwave is ill prepared to deliver security for the cloud – you can’t exactly build the next generation of cloud-ready security services by picking up a string of failing traditional software companies.
Finally, it’s not practical to get into a detailed discussion of just how much multi-tenancy is enough for cloud deployments here, but I’d caution against assuming that every provider with a multi-customer portal is inherently multi-tenant. Multi-tenancy is a software architecture concept: it deals with being able to partition and control computing resources within software components, rather than separating customers by building discrete islands of infrastructure. There are security providers who have embedded these concepts into their architecture and use a cloud delivery model to create a disproportionate advantage over traditional MSSPs. Alert Logic is one example; companies like Qualys and Zscaler are others. WhiteHat Security is an especially great example of a company that strikes a great balance between a SaaS delivery model, managed services and programmable APIs. Because of the architecture decisions made by the companies above, this new breed of service providers is much more likely to provide tightly integrated services to IaaS and PaaS customers than traditional MSSPs, and that is the point I was trying to make with my original post.
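To make the portal-versus-partitioning distinction concrete, here is an added toy example (not Alert Logic's or any vendor's code; tenant names, event fields and the `TenantContext` type are all hypothetical). A `FlatStore` keeps one shared event list and relies on each caller to remember a tenant filter, while a `PartitionedStore` partitions inside the component and binds every read to the caller's tenant, so a cross-tenant read is refused rather than merely filtered.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class TenantContext:
    tenant_id: str  # caller identity, established by the provider's auth layer (assumed)

class FlatStore:
    """Portal-style model: one shared list; isolation depends on every caller filtering on tenant_id."""
    def __init__(self):
        self.events = []
    def ingest(self, tenant_id, event):
        self.events.append({**event, "tenant_id": tenant_id})
    def query(self, predicate):
        return [e for e in self.events if predicate(e)]

class PartitionedStore:
    """Multi-tenant model: the store itself partitions by tenant and binds every read to the caller."""
    def __init__(self):
        self._parts = {}
    def ingest(self, ctx, event):
        self._parts.setdefault(ctx.tenant_id, []).append({**event, "tenant_id": ctx.tenant_id})
    def query(self, ctx, predicate=lambda e: True, tenant_id=None):
        # A request naming another tenant's partition is refused outright, not merely filtered.
        if tenant_id is not None and tenant_id != ctx.tenant_id:
            raise PermissionError(f"{ctx.tenant_id} may not read partition {tenant_id}")
        return [e for e in self._parts.get(ctx.tenant_id, []) if predicate(e)]

# Constructed sample events for two hypothetical tenants.
SAMPLE = [("acme", {"src": "10.0.0.5", "msg": "ssh login failed"}),
          ("acme", {"src": "10.0.0.9", "msg": "sudo: root session"}),
          ("globex", {"src": "192.168.1.2", "msg": "ssh login failed"})]

def flat_store_leak():
    """Number of tenants whose data a caller sees when it filters on message text only."""
    store = FlatStore()
    for tenant, ev in SAMPLE:
        store.ingest(tenant, ev)
    return len({e["tenant_id"] for e in store.query(lambda e: "ssh" in e["msg"])})

def partitioned_store_scope():
    """(events acme sees for the same search, whether a cross-tenant read is refused)"""
    store = PartitionedStore()
    for tenant, ev in SAMPLE:
        store.ingest(TenantContext(tenant), ev)
    acme = TenantContext("acme")
    seen = store.query(acme, lambda e: "ssh" in e["msg"])
    try:
        store.query(acme, tenant_id="globex")
        return len(seen), False
    except PermissionError:
        return len(seen), True
```

The flat model leaks both tenants' events as soon as one caller omits the tenant filter; the partitioned model has no unscoped read path to forget.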
You can find additional commentary that relates specifically to Alert Logic in my comment on Alan’s blog.


I think you have a good temporal point for the moment, but don't bet against continued human development. Someone will continue to expend the development energy.
The biggest issue is the non-standardization of logging. If, when, that happens, your argument will be defeatable.