Security Industry Missing Ride On The Cloud
One of the things I was interested to investigate at this week's RSA
conference was whether SaaS and cloud services (compute, storage, etc.) had
entered into the horizon of the security market. The answer is easy. NO. Not
even close. Security doesn't get where the software market is headed and we need
to get after it now.
There are two perspectives from which to assess this: What are security vendors doing to build products for the On Demand, SaaS and cloud computing world we are rapidly moving into? And are security vendors moving into offerings based in the cloud themselves? Again, with very few exceptions, this isn't something that even appears on the radar screen of RSA exhibitors.
Regarding the first question, the themes of RSA are still very much in the world of data protection, data loss prevention, network access control, USB storage containment, and infatuation with the latest 10 gigabit doodad appliance box. Maybe it's too early for security in the cloud to be the issue of the day - security in the virtualized world isn't even a topic for conversation. At least a few smart people like The Hoff are playing virtualization MythBuster, keeping us honest about what challenges and interesting problems need to be solved as virtualization continues its march into data centers, storage and applications.
How about those offering their security wares via the cloud? Clearly Qualys suffered the arrows of being an early SaaS security vendor, but crazy Frenchman Philippe Courtot is still riding high, knowing the SaaS market is doing well within other segments of IT and security will eventually get there. But they are still pretty much a lone SaaS-delivered security player. Another company doing SaaS-delivered security products is Alertlogic, providing log management, analysis, and compliance software On Demand. I spent some time with Alertlogic CTO Misha Govshteyn, someone who has been through the transition to SaaS and learned the lessons needed to scale a multi-tenant product. (Misha's a smart guy, btw. You sooooo need to start blogging, dude!)
I think Misha's approach also shows some insight into where we'll see SaaS enter into security - in the mid-enterprise and SME markets. Those are buyers who don't necessarily have access to full-time security, storage or other specialized resources. They are also more accepting and can get over the perceived privacy concerns that surface when considering an On Demand service, especially private companies who don't fall under SOX compliance. I still recall selling against Qualys and pushing the issue of your vulnerability data being stored in the cloud - many saw the advantages and convenience of an On Demand offering, and for yet many others it was a no-op. But mid-enterprise and SMEs' adoption of On Demand software solutions could show us this is where security will make its first SaaS market beachhead.
As security professionals, we can't wait for the market and vendors to catch up. We need to be creating the security dialog and debates about virtualization, on demand and cloud-based services. While Microsoft may be trumpeting the call of End-To-End Trust, trying to get the other elephants to tap dance with them, we've got to be working ahead of the curve on the tough problems, vocalizing the security needs while services are being created and moving into the cloud, not after. I'm glad that Hoff, Misha and others are thinking ahead of the curve.





