From small-to-medium-sized businesses (SMBs) to the biggest multinationals, use of cloud computing infrastructure and services is growing rapidly. End-user spending on information security and risk management will reach 188 billion US dollars in 2023, according to technology research firm Gartner.
This vote of confidence in the cloud could partly come from greater confidence in Security as a Service (SECaaS). In our interview, Curtis Franklin, Senior Editor at the widely read cybersecurity news site Dark Reading, says SECaaS is a consideration in many cloud migrations, but not the primary factor.
Not all businesses are ready to migrate everything to a cloud environment – or in other words, to migrate to Enterprise as a Service (EaaS) – but their cloud assets still need enterprise-grade, cloud-based security.
Firewall plus access less identity
IT departments have widely accepted security solutions like web application firewalls (WAF), security information and event management (SIEM) and encryption. Franklin says user identity is the piece that is still missing: “Cloud access security brokers (CASB) are an option: on-premises or cloud-based software that sits between cloud service users and cloud applications. It monitors all activity and enforces security policies. Some would have called it the next-generation firewall. It’s a firewall and access management in one application, but not so much identity.”
In the cloud there is a great deal of analytics data, and a Security Operations Center as a Service (SOCaaS) offering can layer that analysis on top of user credential management, encryption key management and identity management.
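To make the CASB description above concrete, here is a small policy enforcement point that does what Franklin describes: it sits in the request path between users and cloud applications, checks each request against policy, and records every decision so the security team has an audit trail. This is an added example written for this page, not code from Dark Reading or from any CASB vendor; the rule names, the corporate network range, the request fields and the sample traffic are all invented for illustration.

```python
"""Toy cloud access security broker (CASB) policy enforcement point.

Added example, not from the original article. A broker inspects each
request to a cloud application, applies the first matching rule, and
logs the outcome. A rule's effect is either "block" (enforced inline)
or "alert" (allowed, but flagged for human review). All names, fields
and sample requests below are assumptions made for this example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Optional


@dataclass(frozen=True)
class Request:
    user: str
    app: str              # SaaS application being accessed
    action: str           # e.g. "login", "download", "share_external"
    src_ip: str
    managed_device: bool  # corporate-managed endpoint?
    mfa: bool             # did the session pass a second factor?


@dataclass
class Rule:
    name: str
    matches: Callable[[Request], bool]
    effect: str           # "block" or "alert"


CORP_NET = ip_network("10.0.0.0/8")  # assumed corporate address range

# Assumed policy set. Order matters: the first matching rule wins.
POLICY = [
    Rule("require-mfa", lambda r: not r.mfa, "block"),
    Rule("no-external-share-from-unmanaged-device",
         lambda r: r.action == "share_external" and not r.managed_device,
         "block"),
    Rule("download-from-outside-corp-network",
         lambda r: r.action == "download"
         and ip_address(r.src_ip) not in CORP_NET,
         "alert"),
]


@dataclass
class Broker:
    rules: list
    audit_log: list = field(default_factory=list)

    def evaluate(self, req: Request) -> str:
        """Return 'allow', 'block' or 'alert' and record the decision."""
        decision: str = "allow"
        rule_name: Optional[str] = None
        for rule in self.rules:
            if rule.matches(req):
                decision, rule_name = rule.effect, rule.name
                break
        # Every request is logged, allowed ones included, so the
        # organisation knows what is actually happening in its cloud.
        self.audit_log.append({"user": req.user, "app": req.app,
                               "action": req.action, "src_ip": req.src_ip,
                               "decision": decision, "rule": rule_name})
        return decision


# Constructed sample traffic (not real data).
SAMPLE_REQUESTS = [
    Request("alice", "crm", "login", "10.1.2.3", True, True),
    Request("bob", "files", "share_external", "203.0.113.9", False, True),
    Request("carol", "files", "download", "198.51.100.4", True, True),
    Request("dave", "crm", "login", "10.4.4.4", True, False),
]


def run_sample() -> dict:
    """Run the sample traffic through the broker and summarise results."""
    broker = Broker(POLICY)
    decisions = {r.user: broker.evaluate(r) for r in SAMPLE_REQUESTS}
    blocked = sum(1 for e in broker.audit_log if e["decision"] == "block")
    return {"decisions": decisions, "blocked": blocked, "log": broker.audit_log}


if __name__ == "__main__":
    for entry in run_sample()["log"]:
        print(entry)
```

The split between "block" and "alert" is deliberate: a real broker will enforce some policies inline and only flag others, and which is which should be written down before the service goes live. Note also that this toy brokers access and enforces policy but knows nothing about who the user really is beyond a name; that is the identity gap Franklin points at.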
What companies should look for
Look at the expertise your cloud service brings to the table. Is it just a service, or a service with people? The security of the application programming interfaces (APIs) that connect data and applications in the cloud is also critical.
Franklin warns against introducing vulnerabilities in the rush to adopt a new cloud-based service. “Every time you have one application connecting to another, you have a place where a vulnerability can exist. In the cloud, there are many of those.”
A lower Total Cost of Ownership (or TCO – direct and indirect costs of an application or system) isn’t a given unless the enterprise manager has carefully crunched the numbers.
Franklin cites cases where companies on volume-based cloud service pricing schedules didn’t know their actual volume, or the cloud got unexpectedly popular with staff, so they ended up with high costs.
“Many now understand you’re not always reducing your costs, but shifting it. You’re exchanging Capital Expense for Operational Expense. For a lot of customers, that’s fine or better, because it’s taxed differently and hits a different part of the annual report. You’re taking the money you’d spend anyway and getting more value for it.”
Sometimes when you’re buying SOCaaS, you’re buying expertise in the form of people you can’t otherwise find. You’re trusting the cloud provider to find and rent those minds to you, rather than trying to find them yourself.
Built-in reporting and customer support are critical. If an attacker knows more about your infrastructure and environment than you do, it’s an opportunity for an exploit.
Franklin suggests using these services to stay on top of what’s really happening in your environment, as opposed to what you think is happening.
What about cloud service agreements?
Review cloud service agreements (CSAs) to ensure you’ll get the value you need from the service. There must be enough flexibility to set things up so you can realize that value. Know what you want out of the relationship: Harmonious functionality between the cloud service provider and your existing applications. Everything flows from that.
Reporting can help you understand what you’re getting from the service. Franklin says, “Are you paying for notification? Are you paying for integration with other systems that will automatically act on signals received? Will it play a role in procedural controls or is it going to be active in process control? You need to know, because if it’s process control, there’s automation. If it’s procedure control, you’re getting notifications people will have to review. It’s critical to know upfront, as part of your CSA, which it is and where those notifications are going.”
How will SECaaS solutions evolve?
Franklin believes SECaaS solutions will evolve in two ways. On the one hand, there will be SECaaS solutions that augment the intelligence of IT staff, letting analysts and engineers be more productive. On the other hand, some will replace human analysts and engineers. Human replacement may be of more interest to small-to-medium sized businesses, and augmentation of more interest to larger enterprises. He says businesses should know which path they’re taking when they talk to a service provider. “Are they going to make your current staff more effective, letting you avoid hiring or taking over staff roles?”
There’ll be much more solution development in authentication and access management because it’s a complex piece of the security puzzle. Franklin sees much of that going to the cloud service provider that’s handling multi-factor authentication. Whether it’s a secondary factor that comes through an app, an SMS or something else, the cloud will handle it. He says more companies want the cloud provider to handle all access management, because it’s complicated. They want to be able to do it for their employees on both corporate and personal devices. SECaaS, whether bundled into the cloud service provider’s offerings or bought by the business from a separate vendor, is an excellent way to do it.