Security as a Service (SecaaS)?

The paradigm shift to Cloud Computing is probably the most significant one in IT our industry has experienced since the internet. The move to utility computing goes from infrastructures over platforms to software and to applications.  However there’s been a great deal of confusion in the industry about Cloud Computing. The cloud can be seen as the next phase in the evolution of the internet.

The call for Cloud Computing is not new. 15 years ago, when the bubble took off and broadband connections became more and more available, the term ‘on demand’ was used referring to a scalable and customized service. New business models with service offering like ‘video on Demand’ and ‘software on Demand’ brought a new class of centralized computing, called Application Service Providers (ASP). However it took still some years to mature this new computing model. Now that broadband connections are ubiquitous present with even higher speeds than ever before, more mobility and powerful end-user devices, the cloud – a metaphor for the internet of today-  became a reality.

ASPs are now called Cloud Computing Providers and through the cloud, everything will be delivered not ‘on Demand’ but ‘as a service‘, from raw computing power to high-end business processes and personal computing. IT seems like everything can be offered ‘as a Service’. In the blog of Peter Laird the ‘as a Service’ is presented as minestrone soup with several aaS-terms categorized in several group as shown in his map:

Here we will focus on ‘Security as a Service’ (SecaaS). With the centralizing of computer resources cloud consumers have recognized the need for secure service offerings from providers. Computer security is defined as the protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications). Cloud computing is mainly focused on availability but is quite elusive on integrity and confidentiality. We hear all kind of rumors of large Cloud providers that harvest the stored data in their huge data centers to offer new and personalized marketing information to advertisers. Cloud vendors has attempted to satisfy the (implicit) call for security by offering security services, but these services can take many forms and lack transparency regarding deployed security controls. Common known areas of security that can be of interest are: Network security, Web security, Business Continuity and Disaster Recovery, Data Loss Prevention, Access Controls, Malicious software, Identity Services, IDS/IPS, CERT (Computer Emergency Response Team), Security Management, Security Audit, … The market of IT security products and services seems to go in the direction of a Lemon market. Since security products are difficult to measure for users, vendors are unable to charge a premium for extra security due to the information asymmetry. Still the market for security products is very prosperous and is growing continuously. According to Gartner cloud-based security service usage will more than triple in many sectors by 2013 (Cloud Security Alliance).

But if businesses migrate to the cloud, does this imply also a migration of all necessary security measures? In other words: is the risk for security breaches transferred to the cloud provider? If we give a positive answer to that question, we come to the next question: can computer security than be seen as a utility that can be delivered on demand or should it be seen as a necessary requirement incorporated in every computing service offering?

Computer (and information) security has become strategic for most businesses and enables an organization to accomplish its mission however security is not at the center of a competitive advantage. Slowly, it becomes a business process but it has no clear focus. It is a game of chance with no one understanding the odds. Security is often unaccountable and unmanaged. On a broader perspective computer security is an expanding element of global warfare. Therefore I do not believe that the full risk for security breaches can be transferred in a cloud computing agreement. The agent setting will again prevail in the relation between a customer and a cloud computing provider. In that way security will be sold as a service. Since we lack the necessary standards, transparency and trust will be the necessary ingredients to obtain third party security assurance services. Customers will have to negotiate on the specific metrics defining the required service level to achieve security objectives together with the more familiar SLAs already present in a tenant agreement. For most customers this can only be done with the help a third party audit or by a SLA mediation service.

My prognosis is that Security as a Service (SecaaS) will soon overshadow Saas, IaaS and PaaS.

jan devos


About jangdevos
I'm an IT/IS professor, a late Baby Boomer, married with Ann and father of Hélène and Willem, a Stones fan and interested in almost everything. I work at the UGent (campus Kortrijk), Belgium. My research domain are: IT Governance in SMEs, IT/IS Security, IT Management, IT Project Management, IT Trends and IT/IS failures.

One Response to Security as a Service (SecaaS)?

  1. Khawar Ayub says:

    Cloud service providers must ensure that their customers’ applications and data are secure if they hope to retain their customer base and competitiveness. Today, enterprises are looking towards cloud computing horizons to expand their on-premises infrastructure, but most cannot afford the risk of compromising the security of their applications and data.

    Security ranks first as the greatest challenge or issue of cloud computing.

    However, the ultimate challenge in cloud computing is data-level security, and sensitive data is the domain of the enterprise, not the cloud computing provider.

    Security will need to move to the data level so that enterprises can be sure their data is protected wherever it goes.

    Encryption of certain types of data, with permission to only specified users to access the data is the logical solution. The extension of virtualization and virtual machines into the cloud is affecting enterprise security as a result of the evaporating enterprise network seclusion. This is the only way we can achieve isolation of the enterprise privacy.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: