Nicholas Popp over on the Symantec blog had a post up earlier this week called “The Virtualization of Security and the Rise of Security as a Service“. I think Popp makes several points I agree with, but overall I think his definition of Security-as-a-Service differs from mine.
Let us first concentrate on what I agree with Nicholas on. Of course I agree that we are seeing IT move to the cloud. We are seeing a progression of private, cloud to hybrid cloud and eventually to public cloud. Security is going to be an important part of this, as both an enabler of the migration and a requirement. Most importantly I agree with Popp that this will inevitability lead to Security-as-a-Service. As Popp says in his last paragraph:
Can it mean that security companies must become specialized security infrastructure providers? Is their fate to become exclusive arm dealers to enterprise cloud builders, instead? Interestingly, security may well be the only viable answer to the infrastructure commoditization strategy embraced by the likes of Amazon and Google. This fact alone will make it worthwhile watching the enterprise security and infrastructure markets. So let us stay tuned. The security revolution is being televised. In fact, it appears that it will be streamed straight from the cloud.
Here is the graphic he has in his post:
But before we all light a campfire and sing Cumbaya let me say that I have real disagreements with some of Popp’s views. I think it is a case of when you are a hammer, everything looks like a nail. So for Popp from Symantec, the move to the cloud and the Security as a Service looks like taking Symantec’s security offerings, putting them in a virtual gateway and adding water.
That is not addressing the issue. What Popp has us doing is taking on premises security and merely virtualizing it on a security gateway. This way by removing the security from the infrastructure, you can take the infrastructure anywhere and still keep the security.
This is in contrast to what most people believe the future of cloud security will look like. An end user customer is not going to provide all of the security themselves. Security will be a shared responsibility between the cloud services provider and the customer. There is just no way that some virtualized security gateway sitting on customer perimeter is going to secure the cloud providers infrastructure. The Security-as-a-Service has to be built in at the cloud provider level as well.
How the security vendor manages to serve both the cloud services provider, as well as the end user customer is the real question about the future of Security-as-a-Service. It is exactly this question that I will be address on the Monday of RSA week at the America’s Growth Capital Conference. Joining me on this panel to discuss the question are Gray Hall, CEO of Alert Logic, Gary Fish, CEO of Fishnet Security, Simon Crosby of Bromium, Jay Chaudhry, CEO of zScaler and Don Gray, Chief Security Strategist of Solutionary.
There has got to be more to cloud security, that what happens at the gateway. Also as I have written before, there is more to cloud security than just virtualizing everything. While virtualization is important, it is not the only factor in security or Security as a Service.
So Nicholas is correct, we are going to see a revolution in security and it will be streamed live from the cloud. It just won’t all be going through a virtualized security gateway.
Related articles
- Open Group security gurus dissect the cloud: Higher or lower risk? (zdnet.com)
- The Virtualization of Security and the Rise of Security as a Service (symantec.com)
- Security As A Service: Virtual Patching for Cloud Environments (canadacloud.biz)
- How to Become a Cloud Service Provider in About a Day: VMware (readwriteweb.com)
- Understanding Cloud Security Standards Part 3 (1raindrop.typepad.com)
