In an era of almost everything — infrastructure, platform and software as service, security is unquestionably the biggest concern. We take a look at what CIOs must consider before buying cloud-based security solutions.
Tarun Kaura, Director Technology Sales, India, Symantec, feels it is foolish of any enterprise to ask if they are being attacked. “Of course, you are and it could be any time!” he says, and this aptly describes the information security across the world.
Security software company Trend Micro’s research findings reveal that 3.5 new threats occur every second. The report also finds that there are two successful attacks per week. In such a threat scenario, IT security becomes the most significant for companies.
As T G Dhandapani, CIO at TVS Motor, says, “Information security is a subject in IT that every CIO aspires to master, but very few have gone closer to it. In fact, most of the large enterprises have outsourced their security management due to lack of sufficient expertise and to focus on the core business. A managed security service provider could be offering security on premise or on the cloud (as a service).”
However, security-as-a-service is a delivery model of security solutions where traditional on-premise solutions have been remodelled to be delivered as a service. This could involve basic financial modeling which converts capex to opex or more advanced structuring in terms of the solution provider simply charging on pay per use. Security as a service is said to help customers with the advantage of not having to own any hardware or software, which in turn makes technology refresh very easy.
At the rate at which the threat landscape is changing, some segments of the industry perceive security as a service to be an option that saves them from ever evolving attacks. This is why many enterprises have finally opened up to the idea of investing in security as a service versus an on premise security solution, even if applied only to select areas like web gateway and email security.
For instance, Kartik Sahani, Regional Director-Indian & Saarc, RSA, says, “Most major banks started off with relying on managed services contracts, today over 20 banks, including the likes of HDFC are now using their security as a service solutions such as Adaptive Authentication Platform and FraudAction. Similarly, pharma industry is also coming up in terms of adopting hosted security due to various compliance frameworks.
The market
According to Sid Deshpande, Principal Analyst – Information Security and Datacenter Technology & Service Provider Research, Gartner, the cloud based security market at present is estimated to be around $2.6 bn. This market is expected to grow at a CAGR of 19.6 % over 2013-2017 to reach $4.1 bn.
Rishikesh Kamat, General Manager – Product Development & Marketing, Netmagic, explains, “There are about six to seven broad categories of security solutions that can be classified as cloud security. While data across all these categories is not readily available, we can look at some of the major cloud security solutions to get an idea. For example, secure web gateway and email protection as a category is expected to have a market size of around $25 million and projected to grow at a rate of 20% y-o-y. We expect the overall security market to grow, with cloud security accounting for a bigger pie than the traditional model.”
Deshpande points out, “As enterprises start adopting more and more cloud-based solutions, it is a natural extension for them to use security as service as well. As in case of online businesses, whose complete operations are dependent online, are more likely to adopt cloud-based security services. Overall cloud adoption is fast catching up in the country. In tune with the trend, Gartner predicts 10% of overall enterprise IT security product capability will be delivered in the cloud by 2015.”
“The benefits of cost saving from using ‘as a service’ approach to security in times when most CIOs have budget restrictions, have pushed the vendors with on premise offering to innovate with pricing. According to industry estimates, of every 100$ spent on IT only 5% are focused on security. Cloud based delivery model is transforming security licensing, even vendors that do not have a cloud based offering are now being forced to offer subscription based prices for on premise solutions,” Deshpande says.
Rapidly growing industry segments like retail, insurance, education, are more inclined towards hosted security model since it allows them greater flexibility and scale. Banking and traditional financial institutions though are still lagging in the adoption of security as a service; however, the overall adoption of security solutions in BFSI is large.
The SMB and enterprise divide
Since hosted security services offer opex and flexible payment models, they make a natural fit for SMBs. Besides, ease of use and affordability, SaaS model for security has helped smaller organisations embrace technologies that were typically viewed as enterprise class such as single sign-on for third-party services.
That said, security-as-a-service is equally promising for both SMBs and enterprises as they address different pain points for each of these. While SMBs suffer from low economies of scale, enterprises are plagued by an inefficient control over IT infrastructure, given their distributed nature of operations.
“A basic problem area common to both is the availability of the security skill-sets. It is time-consuming and cost intensive for enterprises to hire skilled security staff, and difficult to provide them the right career path to keep them motivated enough for a long time,” says Baburaj Varma, Manager – Support & Services at Trend Micro.
This is where managed security service providers provide value through their security operations center (SoC) services. For enterprises, while the need to move to a cloud security solution very much exists, they are constantly battling against several legacy and other issues like licensing, global policies, concerns on security of their data etc, which leads to a lot of inertia in moving into the cloud.
The challenge
Managing security in times of cloud, BYOD, mobility and advanced persistent threats (APTs ) in itself is becoming arduous. To top it up, deploying hosted security solution in the cloud, definitely raises more concerns.
“Since the security-as-a-service solution is not hosted on-premise, CXOs can feel a sense of loss of control over the solution. However, this is only a psychological challenge and not a real one. There are multiple means through which customers can keep control over the solution for example, through regular reporting, third party auditing etc,” Kamat says.
That said, a real challenge here is collateral damage. Since such solutions are multi-tenant platforms, any issue that has a large impact on one customer has the potential to cause damage to other hosted customers as well.
Another key challenge faced is integration with legacy systems. “Wherever on-premise solutions need to read from or write to security as a service solutions, the solution provided may or may not be able to provide an open platform for integration. An example of such integration is correlation of secure web gateway logs with that of an on-premise SIEM (security information and event management) solution,” corroborates Kamat of Netmagic.
Moreover, different stakeholders of IT security in an organisations have different focus. Sahani of RSA explains that while a CIO looks at IT security from the perspective of provisioning for infrastructure, a CISO (chief information security officer) has to ensure security of corporate data. The recent RBI guidelines to meet information security standards have brought a lot of onus on the CISOs for compliance.
In fact, in the era of digitisation and Internet of Things, the CIOs feel they are ill prepared to handle the challenges these changes will throw up to them. According to a global survey of CIOs by Gartner, 51% of CIOs are concerned that the digital torrent is coming faster than they can cope and 42% don’t feel that they have the talent needed to face this future. Industry experts feel managing security will be one such difficult to tame beast, and letting the controls of security let go will be another story all together.
How to pick a solution
Customers need to understand that security-as-a-service is more than just a standalone security solution. It is a platform which needs to be ably managed. Security-as-a-service can either be provided by the OEMs themselves or by managed security service providers ( MSSPs), who bundle the OEM solutions and package it as a service. In either cases, CIOs must examine the track record of the vendor in being able to attract and sustain a pool of skilled resources that can manage the solution.
In case of MSSPs offering the service, CIOs must ask for the OEM technology that is being used in the backend by the service provider. In all cases it helps to get a reference of existing customers to evaluate how the service provider is doing on delivery.
Kaura of Symantec, observes that discussions with the enterprises are also now more mature and have moved from what they want to know to about threat to how do they respond to them. “As it’s no more a question about whether or not being attacked, it is about how intelligent is my system to react in an event of attack,” he says.
“As the enterprises are still not confident of putting all security pieces on cloud, the vendor must be able to offer both pure cloud based services and hybrid kind of solutions,” says Ajay Dubey, Manager, South India, Websense.
“There could be times when the CIOs might want to have an on premise security offering for the head offices and hosted solutions for the branches,” he reasons.
While industry is beginning to see some optimism around SaaS form of security, two key deliverable SLAs of uptime and risks outages associated with cloud outages still haunt the CIOs, Dubey, says. “The CXOs must ensure the vendors’ back up and service strategy during such snags,” he adds.
Agrees Vijay Sethi, Vice President and CIO at Hero MotoCorp. He says, “The two wheeler manufacturer has been using security as a service for quite some time in areas around vulnerability assessment, email scanning for virus / worms, and anti malware, anti spyware, intrusion detection, website protection etc.” He opines that another challenge is uninterrupted connectivity.
“It is important that the security service provider ensures availability of adequate connectivity and bandwidth to support the transfer of real time data to the service provider cloud and ensuring that timely management of security is not hampered. While deciding on a vendor, proper requirement of connectivity needs to be tested for the services in question.”
“Security has to be non-intrusive. One has to ensure that there is no user inconvenience and delays. As part of SLAs, one needs to take care of that,” he adds.
Pharmaceutical manufacturing company Cipla Limited also uses some bits of security as service in a few critical operations areas. CISO Amit Pradhan says, “We have consciously decided to not include the very critical security services in the service model for security and assurance reasons. Areas like web security management, managing perimeter, managing AV and end-points are some areas where the organisation could see some clear benefits of using them as a service model.”
He stresses one of the big challenges while using security as a service is managing sign-off of ownership and liability agreements with the vendors.
Despite the big risk, Pradhan believes that the option of security as a service is worth giving a shot, especially for small and mid market. “The cost efficiencies may start from 5-10 % the first year and go up to 30% subsequently as the organisation matures and volume is sizable enough for better negotiations. This is a major cost saving in renewal and replacement cycles in this area,” he adds.
There are several other factors that are important for the enterprises before they finally flock to hosted security model. Amit Nath, Country Manager – India & SAARC, F-Secure Corporation, says that they have about 2000 customers using their hosted cloud solution, and nearly 200 of whom are SMEs with less than 500 users.
“Always consider, the current reputation and the road map of the vendor, getting stuck with a vendor with a blurred vision of future might have an adverse effect on the business. Most importantly, the vendor should be a true SaaS offering company, in the sense it should have an effective metering system. It should offer multiple, flexible payment models at times the pricing models can be misleading,” he says, adding that integration of on premise and cloud security should be done properly and and the hosted solution should complement the existing security solution.
In all, this market is set to grow with hosted security model getting deeper than just web security and email gateway, access and identity to explore newer aspects like remote remote vulnerability assessment and more critical areas. Desphande of Gartner sums up saying that a lot of innovation in this space coming from the start-ups, they foresee consolidation in this space.