One of the most common arguments against using cloud services of any kind is that corporate data is too valuable and sensitive to be entrusted to a third party. So it's rather ironic that one particular cloud service attracting a great deal of attention from companies of all sizes is the provision of security itself.
The number of companies choosing to use cloud-based security products is growing all the time, according to Fran Howarth, a senior analyst at Bloor Research. "I would say that about 50 percent of the companies we talk to use security as a service, and the market is growing at about 30 percent per year, " she says.
Security provided as a service from the cloud is attractive because it promises organizations a way to reduce security costs while reducing security risk as well.
Reducing security costs
The ways that security as a cloud service promises to cut cost will be familiar to anyone who has investigate cloud services of almost any kind. Essentially they include:
- Reduced capital expenditure: Running your own security systems inevitably involves a high level of up-front costs, including servers and software licenses or, in some cases, security appliances. These costs are entirely eliminated with cloud security services
- Reduced administrative burden: Running your own security systems can take up a lot of skilled IT staff time, and all this time has to be paid for. These costs can be particularly significant if your organization has a number of relatively small branch offices which don't have their own IT staff. Using cloud-based security services the majority of administration is carried out by the service provider.
If you accept that cloud-based security services could reduce your costs by exchanging high capital and administrative costs with a recurring fixed monthly fee based on usage (and this may depend on the size of your organization, how many offices you have, and many other factors) then the crucial question is whether your security is increased or, at the very least, stays at the same level as that which you could provide in-house.
Security categories and features
When you investigate cloud-based security providers, here are some of the features that may be provided in each service category:
- Anti-malware scanning: Some service providers maintain research centers which search for new malware variations and use heuristics to spot previously unknown threats as they emerge. When this happens a good security provider should be able to react very quickly to ensure that your network is protected by updating its own systems in the cloud, which will provide you with immediate protection, or by pushing updates to individual machines on your network automatically.
- Web filtering and monitoring: URL filtering and reputation-based systems are just a starting point. Look for providers that offer inline scanning of every page of content looking for malware and other exploits.
- Firewalling/intrusion prevention: A feature of cloud security is that security is moved "closer to the threat" so that any intrusion attempts can be dealt with before they reach your network. A good provider should be able to intercept distributed denial of service (DDOS) attacks in the cloud before they reach and overwhelm your own equipment.
- Data loss protection: Scanning should be able to detect and block sensitive data such as credit card details before it leaves your organization.
- Secure remote access: Cloud security services can offer access controls which protect mobile workers and enable them to access permitted corporate data and assets without having to connect to your network using a VPN
- Insider threat mitigation: Thanks to the high degree of policy granularity and policy enforcement that some cloud security services offer, it should be possible to restrict individual users' access to data and even physical assets such as printers very precisely
- Centralized reporting: Most security service providers offer an integrated set of services with a simple browser based dashboard which enables you to easily monitor the security status of all users and devices. This is often much simpler than looking at event logs of different proprietary systems
- Multi-site, low latency service: watch out for service providers that offer their cloud security services from data centers designed to cover a small geographic area. Good providers have multiple sites around the world to ensure that mobile workers can connect to the services anywhere, with low latency.
Who is buying and providing cloud based security service?
Bloor Research has found that while companies of all sizes have been moving their security into the cloud, there are two types of companies that have found cloud security particularly attractive, according to Howarth. "For small companies with very little budget for security and few if any IT staff, security as a service is a no-brainer and there has been very high take up at the low end," she says. "Conversely, it is particularly attractive to companies with branch offices and mobile workers, so there has also been significant uptake at the high end."
As far as cloud security providers are concerned, there are many familiar, and some not so familiar, names involved. These include:
Over the coming weeks we'll be looking at some of these vendors' offerings in more detail.