3 min read

Cloud security: As a service?

Venturing to the cloud can provide many benefits, but also security risksrn

When a customer stares at a cloud computing proposal from a channel partner he or she knows that a complete leap of faith is required. Cloud computing has a lot of momentum behind it, mainly because it drives costs out of a business’s IT infrastructure, while enabling a mobile work force to be more efficient.

But it’s also a calculated risk, hence the leap of faith, because the more data a customer puts up in the cloud the more susceptible it will be to attacks.

The seventh annual Global Information Security survey, conducted by sister publication CIO, found cloud-based business endured many interruptions. Another report from four researchers at MIT and the University of California at San Diego indicate that attackers could locate and spy on virtual machines in the cloud.

The report was conducted against Amazon’s Elastic Computer Cloud (EC2) service. The vulnerabilities found by the researchers are generic and would likely affect other cloud providers. These reports puts cloud security into question. The assumption has been that data in the cloud was relatively safe because it’s hard to know where in the cloud the data is located.

Jumping onto the cloud without a well thought-out security plan developed by a channel partner with security know-how is not the best course of action, said Marc Olesen, senior vice president and general manager, Software-as-a-Service for McAfee.

Customers are taking a hard look at in-the-cloud solutions for email security and compliance, Olesen said.

“It’s that doing more with less philosophy and business leaders are being stretched and are asking their IT departments to drive competitive differentiation with less money and resources. The cloud can help them reconcile that. The cloud operates effectively and gives them cost savings and ROI. There’s no deployment time and you can take advantage of it right away,” Olesen said.

Risk and ROI

He added that with ROI comes risk in the form of securing the business. Olesen said that SaaS solutions and hybrid deployments are becoming more popular because it offers cost reduction along with ease of management and flexibility.McAfee is one vendor that is offering this hybrid solution for the cloud with a SaaS-based email filtering, continuity and archiving along with an on-premise email appliance gateway that handles the same functions along with encryption.Another vendor who offers a cloud-based hybrid solution is Finjan.

According to the San Jose, Calif.-based security player, more businesses are becoming borderless entities with employees working remotely instead of being behind a desk.

Finjan believes that these types of customers will turn to cloud-based Web security for data protection.

Selling points for the channel here are: Customers still maintain full control of their Web security and policy both on-premise and in the cloud.

And that data stays within the company’s boundaries and is not stored in the cloud for privacy and regulatory compliance reasons.

Ophir Shalitin, director of marketing for Finjan, said a natural approach to this business opportunity for the channel would be to work with managed security service providers. “Many of them want to expand their security portfolio and this is a very good fit,” Shalitin said.

Finjan has released Vital Cloud and Vital Cloud Hybrid, two Web security solutions that address the needs of enterprises as well as managed security service providers.

These two solutions use active real-time content inspected technology for malware attacks, while being integrated into Amazon’s EC2 cloud-based platform.

Shalitin said that Amazon is a key differentiator. “With Amazon we have a cost structure that is effective.

If you compare other security-as-a-service providers we are 20 per cent lower in price and more MSPs and channel partners want to work with us,” he said.

However, one of the problems may be a lack of qualified solution providers that can handle cloud security and provide it as service.Charles Var, director of communications for MxLogic, which was recently acquired by McAfee, said the channel is still evolving with the cloud.

“As the cloud and SaaS solutions accelerate it will be mandatory for them to get up to speed quickly,” Var said.

McAfee has seen this acceleration in the market place and has had several talks with managed security service providers on sourcing, leveraging other channel partners, and partnering with a vendor who has an offering that can satisfy customers.

“Partners are coming to me in desperation saying that customers are asking about security on a SaaS model and what is it, how do I sell it and can you help me demo it for me,” Var said.

Taking that leap

SaaS would be the perfect engine for cloud security, Var added, but partners are concerned about their “bread and butter” services.Var said that integration, process re-engineering, training, and advising on security policies will still be there as a revenue opportunity with services.

There is something else that might be more important, Var said, and that is the value a solution provider can bring to a customer who is about to change its internal processes. Or as they say that, leap of faith moment.