As cloud computing adoption climbs, hosting providers are inking deals with security vendors to provide security-as-a-service options to customers. But will enterprise IT managers buy into these often novel forms of security woven into a cloud computing environment?
There's definitely some resistance as IT and security managers struggle to sort out risk factors and compliance issues.
"A good number of organizations are now using what they consider to be cloud services," says Bill Trussell, managing director of security research at TheInfoPro, which just published its semi-annual survey of information security professionals at large and midsize firms in North America. But when TheInfoPro asked respondents about whether they'd use cloud-based security services in cloud computing environments, less than 15% cited that as being very likely.
"When asked whether organizations would extend functions such as user access and provisioning, or two-factor authentication, to cloud providers, it wasn't too popular," Trussell says. Enterprise security professionals are still nervous about something largely unfamiliar that doesn't sit on their premises and isn't under their direct control — or even under the direct control of the cloud-computing provider they use, since the security service is controlled by a third-party vendor with security expertise.
Still, these new security-as-a-service arrangements are coming to cloud computing, and fast.
PivotLink, for instance, which offers cloud-based pay-as-you-go business-intelligence services, including an analysis service for data related to Salesforce.com, is in partnership with Novell to beta-test Novell's cloud security service, which includes various identity-management capabilities based on software hosted at GoGrid.
"We get our authentication from the Novell service, which plugs into the customer's service," says Bob Kemper, senior vice president of development at PivotLink. "Today we use the identity management and their authorization to manage the security level. Novell integrates with the required enterprise systems for access to information."
PivotLink's customers, many of whom are retail sales managers at companies that include REI, don't have to be using Novell software on their premises to make use of the Novell cloud security service.
"If they're using any LDAP or Active Directory infrastructure, it will work," Kemper says. The cloud-based service makes use of SAML-based authorization. The arrangement in the beta test with Novell allows a customer to automatically de-provision a store manager who is leaving and add a new manager automatically authorized in the same role to use the PivotLink service.
"Our customers say we need this level of control and management and audit in some fashion," Kemper says, adding that customers say they will feel more comfortable uploading sensitive data into the cloud.
PivotLink hopes to be able to announce general availability of the Novell-based cloud security services as part of its portfolio offering by the summer. And Kemper feels the best approach to introduce these kinds of security controls is through a service model with a partner such as Novell, which maintains its own cloud.
Dipto Chakravarty, general manager in Novell's cloud-security business unit, says Novell is in contact with many software-as-a-service (SaaS) and hosting providers to gauge their interest in teaming with Novell on cloud-based security services.
One consideration is that Novell has to function like a Switzerland of technology protocols, supporting SAML 1.1, SAML2, WS-Fed, InfoCard and OpenID, as well as Shibboleth on the enterprise side. The Novell Cloud Security Service is a "true multi-tenant hosted security solution," according to Chakravarty. "It can be hosted either at the SaaS's hosting provider or by one of Novell's partners."
Novell is not the only one eager for a cloud-based security services role.
Other security firms, including StillSecure and Alert Logic, are providing intrusion detection/prevention (IDP/IDS) services for protecting virtual-machine-based servers on the customer's behalf at cloud service providers.
Mike Crews, director of IT at Automated Document Solutions (ADS), which provides records management for hospitals and healthcare organizations, says his firm uses Host.net as a cloud provider for some purposes. And when Host.net began partnering with StillSecure a few months ago to provide IDS/IPS service, ADS subscribed to get the benefits of this type of round-the-clock monitoring.
Crews said the service was an "excellent opportunity" to get the type of monitoring at Host.net that would otherwise be difficult for ADS to set up on its own. "They're the experts," Crews says. So far the security service with StillSecure, which has its own network operations center that monitors what goes on at the ADS virtual machines at Host.net, has worked well, Crews says. The cost, which StillSecure says is $250 a month to secure 10 virtual machines, is considered at ADS to be affordable.
Another cloud infrastructure provider, Houston-based iland, has offered an IDS/IPS monitoring service through security firm Alert Logic for well over a year at its data centers, according to Justin Giardina, iland's CTO.
In addition to the virtual LAN-segmented, firewall-protected configuration of VMware-based virtual machines that each company ordinarily receives as a cloud customer, there's also the option to have these VMs monitored by security firm Alert Logic from the security firm's own network operations center.
The Alert Logic monitoring makes use of host-based software that runs at the hypervisor level on behalf of the customer. The Alert Logic IDS/IPS service can be configured to automatically cordon off a segment by triggering an automated response in a Cisco ASA firewall, for example, if a problem is detected.
Not more than a quarter of iland's customers use this Alert Logic monitoring service, says Giardina. Although Alert Logic is responsible for the 24 x 7 monitoring of virtual machines, and has the direct relationship with the customer, iland also may get involved if an incident occurs.
"Not everyone understands the importance of patching," Giardina says, noting that compromises of servers have occurred through hackers and malware, and iland at times is notified by Alert Logic, too, to respond to incidents.
Although iland has no current plans to add additional third-party security services beyond that provided by Alert Logic, Giardina says iland is looking at the possibility of setting up its own antivirus scanning and protection service based on an upcoming version of Symantec's software expected to make use of the VMware-based VMsafe APIs to enable monitoring at the hypervisor level.