“There is a market here, and if a vendor can offer dramatic cost reduction and add capabilities, there is huge demand for moving to the cloud,” says Feyzi Fatehi (left), CEO of Corent Technology, an Aliso Viejo, Calif.-based company which offers a platform that migrates software applications into cloud or SaaS.
The changing face of managed services
Like any major shift in enterprise information technology, the move to managed or off-premise services like cloud, SaaS and MSSPs, has been several years in the works. Aside from the promise of cutting costs and increasing scale and flexibility, security has arguably played a key role in recent years as enterprises have weighed the pros and cons of moving out their operations.
Michael Viscuso, chief strategy officer of Bit9 + Carbon Black, a Waltham, Mass.-based provider of advanced threats solutions, says one factor that played a role in the evolution was the “inevitability-of-compromise mindset,” which gained popularity because of Operation Aurora, a series of cyberattacks on U.S. companies perpetrated by hackers in China that were first disclosed in 2010. While Viscuso says that at that time, “only the biggest companies came around to adopting that mindset, [lately] this has forced more businesses to reconsider their security people, processes and technologies and has led a lot of organizations to sign on with MSSPs.”
Each year, a major breach in another vertical makes headlines, forcing others in the same industry who thought it wouldn't happen to them to reconsider their position, says Viscuso, who was co-founder and CEO of Carbon Black, which merged with Bit9 in February 2014. “By now, the vast majority of businesses understand that a breach will invariably hit them at some point. As a result, they are taking an active approach with their security posture, and MSSPs are a great option to make that switch quickly.”
And, as a result, many organizations are opting to not manage their software and hardware themselves, and MSSPs are also growing at an “extraordinary rate,” according to Viscuso. Despite the fact that most large enterprises have their own internal teams, they increasingly want to see advanced threats and attacks beyond their own corporate walls. For these large businesses, having an MSSP that sees attacks against their other enterprise customers gives their security teams a heads-up on potential attacks before being attacked themselves.
Gabriel Friedlander, co-founder and chief technology officer for ObserveIT, a Boston-based provider of user activity monitoring security, agrees that the growing concern over cyberthreats has helped foster the rise in cloud computing, as well as an accompanying wave of innovation surrounding it. “Technologies built around emerging markets sectors of cloud computing are forcing the cloud security space to evolve and mature to handle new advanced cyberattack capabilities,” says Friedlander.
Indeed, according to Marano at The Hackerati, the market for third-party management has accelerated and expanded to include corporations that never before considered using infrastructure or IT services outside their own data center. “As more enterprises begin to consider these services, vendors are beginning to work directly with corporate IT departments to understand what level of business IT services and workloads their regulations and governance would allow to be run with cloud computing, SaaS or MSSPs,” says Marano, adding that the range of offerings now encompass solutions for every function within an enterprise, including selling, general and administrative expenses, finance, operations and customer support.
Further, managed IT services are not only broadening their reach to different sizes of enterprise customers, they are expanding in terms of the breadth of services they can manage, according to Adallom's Au. “There will be an increasing growth of SaaS in customer relationship management (CRM) and collaboration and human resource management (HRM) as traditional vendors choose to transition to only this model of delivery, like Adobe Cloud, and as more vendors create unique SaaS applications to address business needs,” says Au.
Now that there is a better understanding of the need to complement cloud provider security and take control of data in the cloud, the explosion of SaaS adoption is also leading to new technologies, like cloud access security brokers, to secure these applications, says Au.
The case for managed services
When it comes down to it, moving enterprise services and IT assets out to a third party is largely about the money – namely the money that is saved when enterprises do not have to invest as much capital in their own physical IT infrastructure, and the human resources to support and maintain it. According to KPMG's previously cited 2014 cloud computing survey, 49 percent of enterprise respondents cited driving cost efficiencies as the top reason they were embracing cloud computing models. (Enabling mobile workforces and improving alignment with customers and partners were the second and third most popular reasons, respectively, given by 42 percent and 37 percent of those surveyed.)
“Cost savings is a big factor,” says HP's Ghazi. “It's a main justification to go to the cloud. That, and the ability to scale more quickly. And time to market nowadays is crucial.”
Fengmin Gong, co-founder and chief strategy officer with Cyphort, a Santa Clara, Calif.-based malware security solutions company, believes cost savings as large as 85 percent are “in line” with what he has seen from enterprise customers, largely due to “consolidating many small data centers into a few big ones.”
Cost efficiency has become even more crucial in recent years, due to tough economic times as well as the fact that organizations are particularly concerned with outright capital purchases, like hardware, software and added office space, says Ron Arden, vice president and chief marketing officer for Fasoo, an East Brunswick, N.J.-based provider of digital rights management solutions. “There's been a significant switch in thinking,” Arden says. “If [enterprises] can get rid of capital and just make an item an operating expense, they clearly prefer that. It just makes the books look better.”
Marano agrees that the cost benefit, coupled with greater scalability, is important here since the key to the cost advantages is the tight coupling of and scaling between supply and demand of computing, storage and application needs. “Think ‘turn on, turn up, turn down, turn off,'” Marano says. “When the business needs more, they get it automatically without delay and tied to the business model. When the demand diminishes, the usage does too, efficiently tying together cash flow for the business. This is the Shangri-La for CFOs.”
And, as Viscuso at Bit9 + Carbon Black points out, it's not just lessening the capital investment in basics like hardware and software or getting to pay only for what you need when you need it, where an enterprise can derive savings, it's also in items like less need for space to house systems and a lower power bill. “The true test of savings really depends on how efficiently the hardware and software is being used prior to moving it to the cloud,” Viscuso says. “A major benefit of the cloud is economies of scale for hardware and software. Things like air conditioning, power, whether or not they are running their own data center, these all factor into the cost, and offloading these responsibilities to the cloud can offer significant efficiencies.”
While cost efficiency is arguably the largest check in the plus column, the move to cloud computing and other managed services offers other potential benefits as well, according to industry observers. For instance, SaaS enables businesses to buy and manage a range of software from leading software vendors – all with the convenience of a single login.
And MSSPs can greatly assist in the struggle against ever-evolving targeted assaults because they are typically working with the most up-to-date security products and drawing from a larger pool of threat information. “Cloud and SaaS have the potential to enable better content management and security than delivering applications on-premises,” Au says. For example, many cloud storage vendors can act as the content layer within multiple SaaS applications, Au points out. This centralizes content in the cloud so that when you combine this content with a cloud access security broker, an enterprise then gains comprehensive governance and security across converged content.
In addition, a cloud-based provider has the opportunity to dig into trends and stats for their customers faster and better than ever before, Viscuso points out. “Remember, they control the users, the data and the software,” he says. “As a result, they can modify the software to introduce new and timely features much faster than ever before and leverage users' actions to tailor the experience to each individual.”
Facebook and Google represent two examples of companies leveraging cloud data to make their software more effective, he adds. For example, he says, Facebook uses ‘friends of friends' to make recommendations for its users to connect with new people. “Facebook could have used any number of attributes to make that recommendation but it is that inherent relationship among people that makes their recommendations so strong,” says Viscuso. “If the user denies or ignores a ‘friend' suggestion, Facebook also uses that data to not recommend certain friends of friends that are in the same social circle as the person the user just ignored.”
Similarly, Viscuso says, Google uses relationships among information on the internet to provide the best search results. For example, if a user searches “Major League Baseball,” Google returns the MLB.com site since it has the most page references to the search term. When that list comes up, however, if more users click on the second most popular link, Google will change the order of the results to make the second link first, as determined by users, he says.
“From an MSSP perspective, something very similar happens,” says Viscuso. “MSSPs see a lot of data and can make a much better recommendation to customers to predict attacks. The recognition of an attack against one MSSP customer will benefit and protect the entire portfolio of MSSP customers.” With this depth of information, Viscuso believes that MSSPs can find the root cause of an attack to insure that other doors in their customer base aren't vulnerable. And that's a pretty valuable bonus for enterprises, considering that the average cost per breach these days is about $5.4 milllion, according to the Ponemon Institute.
Cyphort's Gong agrees. “The biggest benefit is that you naturally have a way of implementing a base to [fight] against the advanced threat. You gain better visibility, and you get a central place to monitor, which is really the key. Managed services providers are a place to pool talent.”
Lack of control?
However, critics point out that while moving operations to the cloud and other third-party providers can offer enterprises improved efficiencies and cost savings and better threat protection, it could potentially open organizations up to new risks.
According to Friedlander, one potential disadvantage to embracing cloud or third-party managed services is the security of assets on the cloud. “The million dollar question is ‘How safe do you feel about storing sensitive data on the internet?'” Friedlander says. “Essentially, cloud computing is internet computing, and if you don't feel comfortable about putting your data on the internet, then you shouldn't be on the cloud.”
Learning to “let go,” in a sense, is required to make the most of third-party vendor relationships such as these, experts say. Cordero sees many enterprises making the mistake of misunderstanding that uniformity is part of what is required for the service provider to be successful. Therefore, he says, many enterprises will respond by trying to recreate the exact same infrastructure or system within the cloud without understanding the differences.
Similarly, some larger businesses may have to get used to losing some control, Viscuso points out. Internal security teams may need to accept the MSSP's procedures versus continuing with their own, he adds. “Most businesses conduct a cost-benefit analysis and determine that the convenience of an MSSP and the management of their infrastructure are well worth it,” Vicuso says. “But that loss of control for larger businesses may be unsettling, as least initially, to some.”
As Au (left) sees it, embracing cloud applications requires enterprise to maintain “a different security mindset focused on users and usage.” Cloud application collaboration puts decisions about data sharing in the hands of users, not always IT. Existing security solutions do not work for SaaS applications, and a castle-like defense-in-depth architecture is also ineffective and non-existent, Au says. “What is required is a deep understanding of SaaS application usage, and active governance to reduce the attack surface by identifying unsafe behavior such as accidental sharing of sensitive files,” she says. “What is critical is also the mindset of ‘assume breach' and an approach to security that focuses on rapid detection and containment.”
Friedlander also cites the potential risk of possible downtime for an organization, since cloud computing makes businesses more reliant on their internet connections. “And when the internet goes down, which even the most reliable cloud providers suffer from, companies can experience [a loss of] production time or even revenue loss.”
Vendor lock-in is potentially another big concern, Arden says. While enterprises could arguably face similar issues in-house – with their chosen hardware and software choices – Arden points out that now enterprise management teams may have to consider what to do if they need to move their assets or systems to another provider. How easy or difficult is that to do? And, he adds, security questions still linger about the physical and digital security of co-mingling the systems and data assets of competing organizations.
In balancing these concerns, Marano calls to mind the “Black Swan Theory” and its message about “known knowns, known unknowns and unknown unknowns.” (In his book The Black Swan: The Impact of the Highly Improbable, risk analyst Nassim Nicolas Taleb discusses how “unknown unknowns” are responsible for the greatest changes in society.) Marano believes that organizations should be automating these so-called “known knowns and known unknowns” with elastic computing, storage, applications and basic security hygiene. Then, organizations would have a greater ability to focus on those all critical “unknown unknowns” – the most disruptive and important factors in their businesses – in order to discover new competitive advantages in business products or service innovations as well as new trends in cost reduction.
Cloud computing cost effectively allows for a more elastic model, as long as the internal process for enterprises seeks agility first in people, processes and technology, Marano says. Now, he says, with cloud and SaaS and MSSPs, rather than focus on short-lived cash cows, third-party service providers are unencumbering organizations so they are not burdened with traditional infrastructure. “New ventures and cloud-computing-aware enterprises, like Microsoft and SAP, are beginning to seek out new ways of business, increasing their competitive advantage, which is ephemeral and requires change to remain effective,” Marano says.