Monday, April 20, 2009

Defining a true Cloud Security Service (Part 1)

I got excited by the title of this article in Channel Pro, "Cloud-based security services - will 2009 be the year this much hyped sector comes of age?", hoping it was a spiritual successor to Craig Baldings earlier posting. Sadly it was not (guess it's my fault for reading a trade rag). The Channel Pro article quickly headed towards product flog land (nothing wrong with that, if you don't try to sell, you don't sell) but it did give a brief consideration towards the reasons that security in the cloud hasn't happened:
no doubt resistance to some of the changes in thinking and internal processes needed to implement a SaaS strategy is a significant factor
Then I realized, the logic was sort of nonsense given that MSSPs (Managed Security Service Providers) are alive and well. Once a company is willing to outsource, whether it's on-premise and remotely managed, in someone else's data centre or in the cloud really comes down a price/functionality/trust debate. Consider the following crop of cloud security services: enStratus provides security services for the cloud; Rozmic has emailcloud (which seems to be a competitor to ProofPoint, Frontbridge prior to rebranding and lets not forget Postini); and Zscaler provides anti-X solutions. This list is by no means canonical, but with the exception of enStratus, all of the cloud security services use a route-through implementation to provide the service. So does that make this current crop simply souped-up MSSPs? McKinsey's report on cloud computing (with all its vagaries) tried for a three part definition of "the cloud" (see page 12) that goes like this: 1) Hardware management is highly abstracted from the buyer 2) Buyers incur infrastructure costs as variable OPEX 3) Infrastructure capacity is highly elastic (up or down) Cloud services are defined as only two of the three, specifically: 1) Hardware management is highly abstracted from the buyer 3) Infrastructure capacity is highly elastic (up or down) MSSP's are clearly not cloud or cloud service, you buy a firewall or an IPS and if you need more capacity your MSSP will sell you another device. If you look at McKinsey's definitions, I think it's important to clarify that abstraction should be so great, that not even the cloud operator really deals with the hardware - in the extreme, they simply plug in the raw physical substrate and the cloud subsumes it (look at Google - do you think they do any manual provisioning outside of putting their servers together). For the variability of the OPEX cost, periodicity counts (think by the hour, not the month). Finally, infrastructure elasticity should be automatic and not require the purchase of additional equipment on a per customer basis. With that in mind, it's clear that services like ZScaler are not souped-up MSSPs, so does McKinsey's definition for clouds and clouds services work for cloud security services? I think so, but there's an interesting distinction to be made between services like enStratus and Rozmic's emailcloud.

No comments:

Post a Comment