There used to be a time when large enterprises, in particular, took pride in the idea of managing all their various and sundry IT functions, every backend process, in-house. The idea was that these organizations fielded such depth and breadth of talent and infrastructure that they could manage all their IT tasks, store all their data and manage their security quite well.
But, arguably, the pendulum has swung in the opposite direction, directed by the prevailing winds of reducing capital investments and ongoing maintenance costs, improving technology assets more rapidly, and a growing appreciation for outsourcing opportunities. With that in mind, more and more organizations are utilizing cloud computing, software-as-a-service (SaaS) and managed security services providers (MSSPs) to gain greater efficiencies and better scalability and to take advantage of newer technologies and more specialized expertise.
“The market for cloud computing and SaaS is exploding,” says Danelle Au, vice president of strategy and marketing for Adallom, a cloud access security broker based in Palo Alto, Calif., that delivers visibility, governance and protection for cloud applications like Salesforce, Office 365, Box, Dropbox and Google Apps. “Development and engineering teams were the first to reap the quick-to-deploy advantages of infrastructure-as-a-service (IaaS),” she says.
OUR EXPERTS: Cloud
Vidur Apparao, CTO, Agari
Danelle Au, VP of strategy and marketing, Adallom
Sean Cordero, director of client services for the Office of the CISO, Optiv Security
Feyzi Fatehi, CEO, Corent Technology
Gabriel Friedlander, co-founder and CTO, ObserveIT
Farshad Ghazi, global product manager, HP Security Voltage
Fengmin Gong, co-founder and chief strategy officer, Cyphort
Rob Marano, co-founder, The Hackerati
Michael Viscuso, chief strategy officer, Carbon Black
The next wave of cloud computing that we are already seeing is software-as-a-service, Au says. “Instead of dealing with the day-to-day maintenance of supporting an application, IT can just purchase complete application systems via best-of-breed cloud providers, such as Microsoft Office 365 or Google Apps for email and collaboration, Workday for human capital, Salesforce for customer relationship management, and Box for content management.”
Farshad Ghazi, global product manager for HP Security Voltage, an enterprise data security solutions provider, also sees a “big shift overall toward all things cloud.” There are obvious reasons for the migration, he says, including cost reduction, lack of internal expertise and limiting the need for more infrastructure and space to house hardware and software internally. These third parties are “doing a better job at providing the full suite of resources, they have the bandwidth to address [customers'] needs, and an elastic format to expand usage,” Ghazi says.
Indeed, the global market for managed security services alone is expected to grow an average of nearly 16 percent compound annual growth rate from 2014 to 2020, reaching an expected $29.9 billion market value by 2020, according to a report released earlier this year by Allied Market Research of Portland, Ore. And, according to KPMG's “2014 Cloud Survey Report: Elevating Business in the Cloud,” nearly three-fourths of enterprises (73 percent) report improved business performance from implementing cloud-based applications and strategies.
Sean Cordero, director of client services for the Office of the CISO at Optiv Security, a newly launched information security services provider (the result of a merger this summer between Accuvant and FishNet Security), believes the managed provider market “is in a massive state of growth as the value proposition is starting to be realized by enterprises that have made the investment into SaaS and MSSP models.
“With this growth has come a greater awareness of the importance of understanding the security posture of each of their service providers,” Cordero says. “This has led to a shifting in the discussion related to security, which has helped drive improved transparency between the provider and the customer.”
This trend has been exacerbated, he adds, by the adoption of standards like the Cloud Security Alliance's [CSA] Cloud Controls Matrix, designed to provide fundamental security guidance to cloud vendors and assist potential cloud customers in assessing security risk; the CSA's Security, Trust and Assurance Registry [STAR] program, a publicly accessible registry designed to recognize the varied assurance requirements and maturity levels of cloud service providers; and review standards like the Service Organization Controls Type II, accounting standards that measure the control of financial information for a service organization, and in particular, tests operating effectiveness over time. Cordero is co-chair of the CSA's Cloud Controls Matrix.
“The market is quickly gaining steam,” says Rob Marano, co-founder of The Hackerati, a boutique engineering consultancy based in New York City. “However, there is natural inertia despite the increased scrutiny given increasing high-profile breaches, especially with the government.”
The key message to enterprises these days, Marano says, is that if you own your own infrastructure, you have a high probability of being breached. The common denominator of many of today's high-profile breaches is that they are corporate-owned and -operated infrastructures, not necessarily cloud computing-based, he adds.
Vidur Apparao, chief technology officer for Agari, a San Mateo, Calif.-based email SaaS security solutions provider, says that at this point the adoption of some cloud or SaaS solution in the enterprise, across all sectors and sizes, seems “ubiquitous.” The difference in actual penetration within an enterprise – in other words, the number of use cases and departments using cloud or SaaS offerings in a company – varies by sector and security sensitivity, he says. More recently, though, new offerings have emerged that appeal to specific regulated sectors, such as industry-specific clouds for financial services, government and health care. These cloud offerings take into account the regulations governing each specific sector, Apparao says, and are therefore more attractive to compliance- and security-sensitive organizations and agencies.
Another recent change is the realization by many SaaS companies that they need to adopt a more “security-first approach” to convince prospective enterprise customers to make the jump from on-premise solutions, especially for sensitive data. Apparao singles out Box as one such security-first provider, since Box has focused at a marketing and product level on demonstrating to customers that their business-critical documents are safe in the cloud. “Security at most companies has been a back-office function,” Apparao says, “but now it's a business enabler and differentiator for progressive cloud and SaaS companies.”