There used to be a time when large enterprises, in particular, took pride in the idea of managing all their various and sundry IT functions, every backend process, in-house. The idea was that these organizations fielded such depth and breadth of talent and infrastructure that they could manage all their IT tasks, store all their data and manage their security quite well.
But, arguably, the pendulum has swung in the opposite direction, directed by the prevailing winds of reducing capital investments and ongoing maintenance costs, improving technology assets more rapidly, and a growing appreciation for outsourcing opportunities. With that in mind, more and more organizations are utilizing cloud computing, software-as-a service (SaaS) and managed security services providers (MSSPs) to gain greater efficiencies and better scalability and taking advantage of newer technologies and more specialized expertise.
“The market for cloud computing and SaaS is exploding,” says Danelle Au, vice president of strategy and marketing for Adallom, a cloud access security broker based in Palo Alto, Calif., that delivers visibility, governance and protection for cloud applications like Salesforce, Office 365, Box, Dropbox and Google Apps. “Development and engineering teams were the first to reap the quick-to-deploy advantages of infrastructure-as-a-service (IaaS),” she says.
OUR EXPERTS: Cloud
Vidur Apparao, CTO, Agari
The next wave of cloud computing that we are already seeing is software-as-a-service, Au says. “Instead of dealing with the day-to-day maintenance of supporting an application, IT can just purchase complete application systems via best-of-breed cloud providers, such as Microsoft Office 365 or Google Apps for email and collaboration, Workday for human capital, Salesforce for customer relationship management, and Box for content management.”
Farshad Ghazi, global product manager for HP Security Voltage, an enterprise data security solutions provider, also sees a “big shift overall toward all things cloud.” There are obvious reasons for the migration, he says, including cost reduction, lack of internal expertise and limiting the need for more infrastructure and space to house hardware and software internally. These third parties are “doing a better job at providing the full suite of resources, they have the bandwidth to address [customers’] needs, and an elastic format to expand usage,” Ghazi says.
Indeed, the global market for managed security services alone is expected to grow an average of nearly 16 percent compound annual growth rate from 2014 to 2020, reaching an expected $29.9 billion market value by 2020, according to a report released earlier this year by Allied Market Research of Portland, Ore. And, according to KPMG’s “2014 Cloud Survey Report: Elevating Business in the Cloud,” nearly three-fourths of enterprises (73 percent) report improved business performance from implementing cloud-based applications and strategies.
Sean Cordero, director of client services for the Office of the CISO at Optiv Security, a newly launched information security services provider (the result of a merger this summer between Accuvant and FishNet Security), believes the managed provider market “is in a massive state of growth as the value proposition is starting to be realized by enterprises that have made the investment into SaaS and MSSP models.
“With this growth has come a greater awareness of the importance of understanding the security posture of each of their service providers,” Cordero says. “This has led to a shifting in the discussion related to security, which has helped drive improved transparency between the provider and the customer.”
This trend has been exacerbated, he adds, by the adoption of standards like the Cloud Security Alliance’s [CSA] Cloud Controls Matrix, designed to provide fundamental security guidance to cloud vendors and assist potential cloud customers in assessing security risk; the CSA’s Security, Trust and Assurance Registry [STAR] program, a publicly accessible registry designed to recognize the varied assurance requirements and maturity levels of cloud service providers; and review standards like the Service Organization Controls Type II, accounting standards that measure the control of financial information for a service organization, and in particular, tests operating effectiveness over time. Cordero is co-chair of the CSA’s Cloud Control Matrix.
“The market is quickly gaining steam,” says Rob Marano (left), co-founder of The Hackerati, a boutique engineering consultancy based in New York City. “However, there is natural inertia despite the increased scrutiny given increasing high-profile breaches, especially with the government.”
The key message to enterprises these days, Marano says, is that if you own your own infrastructure, you have a high probability of being breached. The common denominator of many of today’s high-profile breaches is that they are corporate-owned and -operated infrastructures, not necessarily cloud computing-based, he adds.
Vidur Apparao, chief technology officer for Agari, a San Mateo, Calif.-based email SaaS security solutions provider, says that at this point the adoption of some cloud or SaaS solution in the enterprise, across all sectors and sizes, seems “ubiquitous.” The difference in actual penetration within an enterprise – in other words, the number of use cases and departments using cloud or SaaS offerings in a company – varies by sector and security sensitivity, he says. Although, more recently, new offerings have emerged that appeal to specific regulated sectors, such as industry-specific clouds for financial services, government and health care. These cloud offerings take into account the regulations governing each specific sector, Apparao says, and are therefore more attractive to compliance- and security-sensitive organizations and agencies.
Another recent change is the realization by many SaaS companies that they need to adopt a more “security-first approach” to convince prospective enterprise customers to make the jump from on-premise solutions, especially for sensitive data. Apparao singles out Box as one such security-first provider, since Box has focused at a marketing and product level on demonstrating to customers that their business-critical documents are safe in the cloud. “Security at most companies has been a back-office function,” Apparao says, “but now it’s a business enabler and differentiator for progressive cloud and SaaS companies.”
Total cloud IT infrastructure spending, including servers, disk storage and Ethernet, will grow 21 percent year over year to $32 billion this year, and will account for one-third of all IT infrastructure spending – up from $26.4 billion and 28 percent of the overall IT infrastructure budget in 2014, according to IDC research released in April. And industry insiders believe that the increased number of options – including sector-specific ones, a stronger focus on security and an emerging focus on guidelines and controls – is making the case for them.
“There is a market here, and if a vendor can offer dramatic cost reduction and add capabilities, there is huge demand for moving to the cloud,” says Feyzi Fatehi (left), CEO of Corent Technology, an Aliso Viejo, Calif.-based company which offers a platform that migrates software applications into cloud or SaaS.
The changing face of managed services
Like any major shift in enterprise information technology, the move to managed or off-premise services like cloud, SaaS and MSSPs, has been several years in the works. Aside from the promise of cutting costs and increasing scale and flexibility, security has arguably played a key role in recent years as enterprises have weighed the pros and cons of moving out their operations.
Michael Viscuso, chief strategy officer of Bit9 + Carbon Black, a Waltham, Mass.-based provider of advanced threats solutions, says one factor that played a role in the evolution was the “inevitability-of-compromise mindset,” which gained popularity because of Operation Aurora, a series of cyberattacks on U.S. companies perpetrated by hackers in China that were first disclosed in 2010. While Viscuso says that at that time, “only the biggest companies came around to adopting that mindset, [lately] this has forced more businesses to reconsider their security people, processes and technologies and has led a lot of organizations to sign on with MSSPs.”
Each year, a major breach in another vertical makes headlines, forcing others in the same industry who thought it wouldn’t happen to them to reconsider their position, says Viscuso, who was co-founder and CEO of Carbon Black, which merged with Bit9 in February 2014. “By now, the vast majority of businesses understand that a breach will invariably hit them at some point. As a result, they are taking an active approach with their security posture, and MSSPs are a great option to make that switch quickly.”
And, as a result, many organizations are opting to not manage their software and hardware themselves, and MSSPs are also growing at an “extraordinary rate,” according to Viscuso. Despite the fact that most large enterprises have their own internal teams, they increasingly want to see advanced threats and attacks beyond their own corporate walls. For these large businesses, having an MSSP that sees attacks against their other enterprise customers gives their security teams a heads-up on potential attacks before being attacked themselves.
Gabriel Friedlander, co-founder and chief technology officer for ObserveIT, a Boston-based provider of user activity monitoring security, agrees that the growing concern over cyberthreats has helped foster the rise in cloud computing, as well as an accompanying wave of innovation surrounding it. “Technologies built around emerging markets sectors of cloud computing are forcing the cloud security space to evolve and mature to handle new advanced cyberattack capabilities,” says Friedlander.
Indeed, according to Marano at The Hackerati, the market for third-party management has accelerated and expanded to include corporations that never before considered using infrastructure or IT services outside their own data center. “As more enterprises begin to consider these services, vendors are beginning to work directly with corporate IT departments to understand what level of business IT services and workloads their regulations and governance would allow to be run with cloud computing, SaaS or MSSPs,” says Marano, adding that the range of offerings now encompass solutions for every function within an enterprise, including selling, general and administrative expenses, finance, operations and customer support.
Further, managed IT services are not only broadening their reach to different sizes of enterprise customers, they are expanding in terms of the breadth of services they can manage, according to Adallom’s Au. “There will be an increasing growth of SaaS in customer relationship management (CRM) and collaboration and human resource management (HRM) as traditional vendors choose to transition to only this model of delivery, like Adobe Cloud, and as more vendors create unique SaaS applications to address business needs,” says Au.
Now that there is a better understanding of the need to complement cloud provider security and take control of data in the cloud, the explosion of SaaS adoption is also leading to new technologies, like cloud access security brokers, to secure these applications, says Au.
The case for managed services
When it comes down to it, moving enterprise services and IT assets out to a third party is largely about the money – namely the money that is saved when enterprises do not have to invest as much capital in their own physical IT infrastructure, and the human resources to support and maintain it. According to KPMG’s previously cited 2014 cloud computing survey, 49 percent of enterprise respondents cited driving cost efficiencies as the top reason they were embracing cloud computing models. (Enabling mobile workforces and improving alignment with customers and partners were the second and third most popular reasons, respectively, given by 42 percent and 37 percent of those surveyed.)
“Cost savings is a big factor,” says HP’s Ghazi. “It’s a main justification to go to the cloud. That, and the ability to scale more quickly. And time to market nowadays is crucial.”
Fengmin Gong, co-founder and chief strategy officer with Cyphort, a Santa Clara, Calif.-based malware security solutions company, believes cost savings as large as 85 percent are “in line” with what he has seen from enterprise customers, largely due to “consolidating many small data centers into a few big ones.”
Cost efficiency has become even more crucial in recent years, due to tough economic times as well as the fact that organizations are particularly concerned with outright capital purchases, like hardware, software and added office space, says Ron Arden, vice president and chief marketing officer for Fasoo, an East Brunswick, N.J.-based provider of digital rights management solutions. “There’s been a significant switch in thinking,” Arden says. “If [enterprises] can get rid of capital and just make an item an operating expense, they clearly prefer that. It just makes the books look better.”
Marano agrees that the cost benefit, coupled with greater scalability, is important here since the key to the cost advantages is the tight coupling of and scaling between supply and demand of computing, storage and application needs. “Think ‘turn on, turn up, turn down, turn off,’” Marano says. “When the business needs more, they get it automatically without delay and tied to the business model. When the demand diminishes, the usage does too, efficiently tying together cash flow for the business. This is the Shangri-La for CFOs.”
And, as Viscuso at Bit9 + Carbon Black points out, it’s not just lessening the capital investment in basics like hardware and software or getting to pay only for what you need when you need it, where an enterprise can derive savings, it’s also in items like less need for space to house systems and a lower power bill. “The true test of savings really depends on how efficiently the hardware and software is being used prior to moving it to the cloud,” Viscuso says. “A major benefit of the cloud is economies of scale for hardware and software. Things like air conditioning, power, whether or not they are running their own data center, these all factor into the cost, and offloading these responsibilities to the cloud can offer significant efficiencies.”
While cost efficiency is arguably the largest check in the plus column, the move to cloud computing and other managed services offers other potential benefits as well, according to industry observers. For instance, SaaS enables businesses to buy and manage a range of software from leading software vendors – all with the convenience of a single login.
And MSSPs can greatly assist in the struggle against ever-evolving targeted assaults because they are typically working with the most up-to-date security products and drawing from a larger pool of threat information. “Cloud and SaaS have the potential to enable better content management and security than delivering applications on-premises,” Au says. For example, many cloud storage vendors can act as the content layer within multiple SaaS applications, Au points out. This centralizes content in the cloud so that when you combine this content with a cloud access security broker, an enterprise then gains comprehensive governance and security across converged content.
In addition, a cloud-based provider has the opportunity to dig into trends and stats for their customers faster and better than ever before, Viscuso points out. “Remember, they control the users, the data and the software,” he says. “As a result, they can modify the software to introduce new and timely features much faster than ever before and leverage users’ actions to tailor the experience to each individual.”
Facebook and Google represent two examples of companies leveraging cloud data to make their software more effective, he adds. For example, he says, Facebook uses ‘friends of friends’ to make recommendations for its users to connect with new people. “Facebook could have used any number of attributes to make that recommendation but it is that inherent relationship among people that makes their recommendations so strong,” says Viscuso. “If the user denies or ignores a ‘friend’ suggestion, Facebook also uses that data to not recommend certain friends of friends that are in the same social circle as the person the user just ignored.”
Similarly, Viscuso says, Google uses relationships among information on the internet to provide the best search results. For example, if a user searches “Major League Baseball,” Google returns the MLB.com site since it has the most page references to the search term. When that list comes up, however, if more users click on the second most popular link, Google will change the order of the results to make the second link first, as determined by users, he says.
“From an MSSP perspective, something very similar happens,” says Viscuso. “MSSPs see a lot of data and can make a much better recommendation to customers to predict attacks. The recognition of an attack against one MSSP customer will benefit and protect the entire portfolio of MSSP customers.” With this depth of information, Viscuso believes that MSSPs can find the root cause of an attack to insure that other doors in their customer base aren’t vulnerable. And that’s a pretty valuable bonus for enterprises, considering that the average cost per breach these days is about $5.4 milllion, according to the Ponemon Institute.
Cyphort’s Gong agrees. “The biggest benefit is that you naturally have a way of implementing a base to [fight] against the advanced threat. You gain better visibility, and you get a central place to monitor, which is really the key. Managed services providers are a place to pool talent.”
Lack of control?
However, critics point out that while moving operations to the cloud and other third-party providers can offer enterprises improved efficiencies and cost savings and better threat protection, it could potentially open organizations up to new risks.
According to Friedlander, one potential disadvantage to embracing cloud or third-party managed services is the security of assets on the cloud. “The million dollar question is ‘How safe do you feel about storing sensitive data on the internet?’” Friedlander says. “Essentially, cloud computing is internet computing, and if you don’t feel comfortable about putting your data on the internet, then you shouldn’t be on the cloud.”
Learning to “let go,” in a sense, is required to make the most of third-party vendor relationships such as these, experts say. Cordero sees many enterprises making the mistake of misunderstanding that uniformity is part of what is required for the service provider to be successful. Therefore, he says, many enterprises will respond by trying to recreate the exact same infrastructure or system within the cloud without understanding the differences.
Similarly, some larger businesses may have to get used to losing some control, Viscuso points out. Internal security teams may need to accept the MSSP’s procedures versus continuing with their own, he adds. “Most businesses conduct a cost-benefit analysis and determine that the convenience of an MSSP and the management of their infrastructure are well worth it,” Vicuso says. “But that loss of control for larger businesses may be unsettling, as least initially, to some.”
As Au (left) sees it, embracing cloud applications requires enterprise to maintain “a different security mindset focused on users and usage.” Cloud application collaboration puts decisions about data sharing in the hands of users, not always IT. Existing security solutions do not work for SaaS applications, and a castle-like defense-in-depth architecture is also ineffective and non-existent, Au says. “What is required is a deep understanding of SaaS application usage, and active governance to reduce the attack surface by identifying unsafe behavior such as accidental sharing of sensitive files,” she says. “What is critical is also the mindset of ‘assume breach’ and an approach to security that focuses on rapid detection and containment.”
Friedlander also cites the potential risk of possible downtime for an organization, since cloud computing makes businesses more reliant on their internet connections. “And when the internet goes down, which even the most reliable cloud providers suffer from, companies can experience [a loss of] production time or even revenue loss.”
Vendor lock-in is potentially another big concern, Arden says. While enterprises could arguably face similar issues in-house – with their chosen hardware and software choices – Arden points out that now enterprise management teams may have to consider what to do if they need to move their assets or systems to another provider. How easy or difficult is that to do? And, he adds, security questions still linger about the physical and digital security of co-mingling the systems and data assets of competing organizations.
In balancing these concerns, Marano calls to mind the “Black Swan Theory” and its message about “known knowns, known unknowns and unknown unknowns.” (In his book The Black Swan: The Impact of the Highly Improbable, risk analyst Nassim Nicolas Taleb discusses how “unknown unknowns” are responsible for the greatest changes in society.) Marano believes that organizations should be automating these so-called “known knowns and known unknowns” with elastic computing, storage, applications and basic security hygiene. Then, organizations would have a greater ability to focus on those all critical “unknown unknowns” – the most disruptive and important factors in their businesses – in order to discover new competitive advantages in business products or service innovations as well as new trends in cost reduction.
Cloud computing cost effectively allows for a more elastic model, as long as the internal process for enterprises seeks agility first in people, processes and technology, Marano says. Now, he says, with cloud and SaaS and MSSPs, rather than focus on short-lived cash cows, third-party service providers are unencumbering organizations so they are not burdened with traditional infrastructure. “New ventures and cloud-computing-aware enterprises, like Microsoft and SAP, are beginning to seek out new ways of business, increasing their competitive advantage, which is ephemeral and requires change to remain effective,” Marano says.