Top 5 Reasons Why Traditional Managed Security Services Will Fail in the Cloud

If you’ve been following our series on Service Providers of Tomorrow, you probably saw the point made by Gray Hall in his last post – MSSPs will find themselves in a world of trouble as IaaS and PaaS models gain momentum. I’ve always thought this conclusion was natural, but had to think twice when Alan Shimel asked me "why?".

Here are the top five reasons why MSSPs will find themselves out of place in the cloud:

1. MSSPs lack the ability to develop technology. MSSPs typically integrate commercially available security products, rather than build their software from the ground up. In contrast, most notable cloud services today are closed environments that make heavy use of proprietary software for provisioning, management and even basic networking. Cloud environments are not easily supported by commercially available security products and will not be for some time, requiring an expertise in developing purpose built technology MSSPs lack today.
2. Cloud and MSSP architecture and delivery models are like oil & water. They just don’t mix. This is a complex topic that doesn’t fit neatly into a single bullet in this post, but suffice it to say that cloud environments have a very different architecture model, performance profile and provisioning requirements from what MSSPs have historically encountered with on-premise enterprise deployments. To picture this culture clash in full color consider this – MSSPs measure their provisioning timeframes in weeks (if not months), while cloud providers allocate resources in minutes. 
3. Scaling up is hard. Start with an assumption that cloud provider networks are often flat, already push upwards of 60-100gbps in throughput in some data centers and are designed provide elastic capacity for rapidly provisioned, transient computing resources on demand and you quickly realize that most MSSPs were not designed to  handle this kind of load. As in Texas, everything in the  cloud is bigger and MSSPs must re-architect their products using web-scale fundamentals to be viable long term.
4. Scaling down is just as difficult as scaling up. This is counterintuitive at first, but scaling down is sometimes harder than scaling up. Aside from reporting interfaces, most of the technologies used by MSSPs still operate at single-tenant level, making cloud deployments largely untenable. Here’s one example: scaling down a log management service for a cloud environment means being able to operate at the smallest consumable unit – a single customer using a single cloud server instance. Most MSSPs scale down in units far larger than that. Each tenant can only get as small as the cheapest appliance they can buy from ArcSight or LogLogic or Log Rhythm, effectively crippling the cost and delivery model.
5. Virtual appliances are next to useless in many cloud environments, especially when it comes to Platform-as-a-Service. PaaS offerings expose the application stack, but obstruct access to the infrastructure that supports it. Virtual appliances may give MSSPs a limited ability to extend their services to IaaS products (at least until IaaS providers build security services directly into their infrastructure), but securing PaaS environments will require embedding security technologies directly within the application platform components themselves.

It’s too early to predict the end of the road for the traditional managed security providers. There are a handful of MSSPs that understand the challenge of remaining relevant as IaaS and PaaS models gain momentum and are actively hiring development teams to pave the way for cloud delivery, but it takes more than talent to change your culture and organizational identity.

For a logical reference point of what’s ahead for the MSSP space, look no further than unsuccessful and awkward transformation of traditional software companies into SaaS providers. Phil Wainewright has covered this topic extensively in his blog since 2005, yet software companies continue to attempt to deliver Same-Old-Software-as-a-Service (SoSaaS) and examples of this proliferate to this day.

Will MSSPs be able to change their stripes and successfully port their traditional delivery models for cloud delivery? I suspect the answer is no.