Security as a Service (SecaaS)?
30/03/2012
The paradigm shift to Cloud Computing is probably the most significant one the IT industry has experienced since the internet itself. The move to utility computing runs from infrastructure through platforms to software and applications. However, there has been a great deal of confusion in the industry about what Cloud Computing is. The cloud can be seen as the next phase in the evolution of the internet.
The call for Cloud Computing is not new. 15 years ago, when the dot.com bubble took off and broadband connections became more and more available, the term ‘on demand’ was used to refer to a scalable and customized service. New business models with service offerings like ‘video on Demand’ and ‘software on Demand’ brought a new class of centralized computing, called Application Service Providers (ASP). However, it still took some years for this new computing model to mature. Now that broadband connections are ubiquitous, with higher speeds than ever before, more mobility and powerful end-user devices, the cloud, a metaphor for today’s internet, has become a reality.
ASPs are now called Cloud Computing Providers, and through the cloud everything will be delivered not ‘on Demand’ but ‘as a service’, from raw computing power to high-end business processes and personal computing. It seems like everything can be offered ‘as a Service’. In Peter Laird’s blog, ‘as a Service’ is presented as a minestrone soup of aaS terms, categorized into several groups as shown in his map.
Here we will focus on ‘Security as a Service’ (SecaaS). With the centralization of computing resources, cloud consumers have recognized the need for secure service offerings from providers. Computer security is defined as the protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (including hardware, software, firmware, information/data, and telecommunications). Cloud computing is mainly focused on availability but is quite elusive on integrity and confidentiality. We hear all kinds of rumors of large Cloud providers that harvest the data stored in their huge data centers to offer new and personalized marketing information to advertisers. Cloud vendors have attempted to satisfy the (implicit) call for security by offering security services, but these services can take many forms and lack transparency regarding the security controls actually deployed.

Commonly known areas of security that can be of interest are: Network security, Web security, Business Continuity and Disaster Recovery, Data Loss Prevention, Access Controls, Malicious software, Identity Services, IDS/IPS, CERT (Computer Emergency Response Team), Security Management, Security Audit, … The market for IT security products and services seems to be heading in the direction of a ‘market for lemons’: since users find it difficult to measure the quality of security products, vendors are unable to charge a premium for extra security because of this information asymmetry. Still, the market for security products is very prosperous and is growing continuously. According to Gartner, cloud-based security service usage will more than triple in many sectors by 2013 (Cloud Security Alliance).
But if businesses migrate to the cloud, does this also imply a migration of all necessary security measures? In other words: is the risk of security breaches transferred to the cloud provider? If we give a positive answer to that question, we come to the next one: can computer security then be seen as a utility that can be delivered on demand, or should it be seen as a necessary requirement incorporated in every computing service offering?
Computer (and information) security has become strategic for most businesses and enables an organization to accomplish its mission; however, security is not at the center of a competitive advantage. Slowly, it is becoming a business process, but it has no clear focus. It is a game of chance with no one understanding the odds. Security is often unaccountable and unmanaged. From a broader perspective, computer security is an expanding element of global warfare. Therefore I do not believe that the full risk of security breaches can be transferred in a cloud computing agreement. The principal-agent setting will again prevail in the relation between a customer and a cloud computing provider. In that way security will be sold as a service. Since we lack the necessary standards, transparency and trust will be the necessary ingredients to obtain third-party security assurance services. Customers will have to negotiate the specific metrics defining the required service level to achieve their security objectives, alongside the more familiar SLAs already present in a tenant agreement. For most customers this can only be done with the help of a third-party audit or an SLA mediation service.
My prognosis is that Security as a Service (SecaaS) will soon overshadow SaaS, IaaS and PaaS.