It’s time to embrace (and prepare for) the shift to the cloud

The software industry is entering another age of astonishing innovation. It's a time when not only is software advancing at an astounding rate, but so are hardware devices – where power is increasing as quickly as size is decreasing. This is making software and computing power near ubiquitous.

Consider this: a handful of years ago, few would have believed that customer relationship management software would have moved almost completely to the cloud. Or that Lotus Notes, that gray old lady of IT, would have made the jump as well. Even among the proponents of cloud computing, few believed corporate software and data wanted to be liberated so quickly – and make itself readily available anywhere, anytime, on any device, and from within any web browser. Today, it seems more unusual not to have a software as a service (SaaS) or cloud offering that complements, or completely replaces, a software maker's traditional software applications.

Yet, I believe that the SaaS and cloud computing revolution holds the potential to benefit everyone in the software industry, and all who rely on it for their business. For instance, we in the industry are well aware that software is evolving too quickly. It's a never-ending process of software enhancements, upgrades, security fixes and new installations. And, few would disagree that there are too many vulnerabilities affecting too many applications. In this disorder, most of the burden has fallen on the shoulders of corporations that have had to dedicate extraordinary resources to patch and mitigate the security holes.

Here is an interesting statistic that reveals the magnitude of the challenge. According to Qualys' The Laws of Vulnerabilities 2.0 research, companies take an average of 59 days to patch their vulnerabilities. Five years ago, that number was 60 days. That's a reduction of one day in the past five years. When one considers all the effort and automation that has gone into patch management in the past five years, that's not much in the way of improvement. And this shows not just how steep the challenge is, but just how broken the current ecosystem of traditional software is.

Fortunately, the SaaS and cloud computing models are positive disruptions on the infrastructure of both private networks and the internet. When individual organizations patch, the work must be duplicated for every installation. When SaaS vendors update their software applications, by contrast, all of their customers are patched instantaneously as well. Because of this simple fact, many of the security problems that plague today's business-technology systems — such as patching and software misconfiguration issues — are solved. So, in this, and many other ways, the burden of maintaining a secure application largely is transferred from the software user to the software service provider. The effect of proper patching is amplified throughout all the IT systems the SaaS and cloud providers touch.

Some still are fighting the shift to SaaS and cloud computing. But, I don't believe that resistance to the transformation of on-premise business IT to cloud computing-based IT is a viable option. Not for long. The business benefits, cost savings and reduction in complexity are just too compelling for businesses to overlook. Actually, today, the strongest resistance we see is emanating from IT departments and IT security staff — mainly out of fear of what might happen if one were to lose control of data. This is a false choice, and the market will not reward cloud or SaaS providers that attempt customer data lock-in.

Nevertheless, despite reservations from IT, businesses will march forward, because the business has no choice but the path that simplifies many of today's IT complexities. And in this, the primary — and strategic — role of IT security will be successfully and securely managing the privacy and security risks associated with data living in the cloud.

While the SaaS and cloud computing revolution is well underway, there still is much work to be achieved before the core infrastructure and associated services are as secure, reliable and trustworthy as they can be. For instance, we need ISPs to coordinate so that network traffic flows more cleanly and is free of malicious packets. We'll also need a simple, universal way to recognize and manage the identities of people and devices.

There also is the crucial business of defining accurately how enterprises can integrate and secure their current infrastructure as more of it is moved to cloud services. For this effort, I encourage all businesses, security professionals, CIOs and vendors to work together to make the transformation as beneficial as possible for all. Some of the organizations working hard to ensure that we build this new cloud infrastructure right from the beginning include the Cloud Security Alliance and the Jericho Forum, both of which are promoting cloud computing best practices.

While the visible shift to cloud computing to date has been the movement of applications and data to the cloud, it's not going to stop there. Soon, the day will come when companies outsource not only their software but their network infrastructure as well. One day, most everything we do on private networks — manage information, applications, infrastructure and services — will be accessible instantly and securely from anywhere and from any web browser. It's time to prepare.

Philippe Courtot

Demonstrating a unique mix of technical vision, marketing and business acumen, Philippe Courtot has repeatedly built innovative companies into industry leaders. As CEO of Qualys, Philippe has worked with thousands of companies to improve their IT security and compliance postures. Philippe received the SC Magazine Editor’s Award in 2004 for bringing on-demand technology to the network security industry and for co-founding the CSO Interchange to provide a forum for sharing information in the security industry. He was also named the 2011 CEO of the Year by SC Magazine Awards Europe. Before joining Qualys, Philippe was the Chairman and CEO of Signio, an electronic payment start-up that he repositioned to become a significant e-commerce player. In February 2000, VeriSign acquired Signio for more than a billion dollars. Today, VeriSign’s payment division, based on the Signio technology, handles 30% of electronic transactions in the U.S., processing $100-million in daily sales. Prior to Signio, Philippe was President and CEO of Verity, where he re-engineered the company to become the leader in enterprise knowledge retrieval solutions. Under Philippe’s direction, the company completed its initial public offering in November 1995. Philippe also turned an unknown company of 12 people, cc:Mail, into the dominant e-mail platform provider, achieving a 40% market share while competing directly against IBM and Microsoft. Acknowledging the market-leading position of cc:Mail and the significance of e-mail in corporate environments, Lotus acquired the company in 1991. In 1986, as CEO of Thomson CGR Medical, a medical imaging company, Philippe received the Benjamin Franklin award for his role in the creation of a nationwide advertising campaign promoting the life-saving benefits of mammography. Philippe served on the Board of Trustees for The Internet Society, an international non-profit organization that fosters global cooperation and coordination on the development of the Internet.
French and Basque born, he holds a master’s degree in physics from the University of Paris, came to the US in 1981 and has lived in Silicon Valley since 1987.
