An Edge from the Edge: How self-service security capabilities can give Cloud providers an advantage

Hat-tip to Gunnar for this link to Hoff's post on "Cloud Providers and Security “Edge” Services – Where’s The Beef?"

So here’s the rub, if MSSP’s/ISP’s/ASP’s-cum-Cloud operators want to woo mature enterprise customers to use their services, they are leaving money on the table and not fulfilling customer needs by failing to roll out complimentary security capabilities which lessen the compliance and security burdens of their prospective customers.

While many provide commoditized solutions such as anti-spam and anti-virus capabilities, more complex (but profoundly important) security services such as DLP (data loss/leakage prevention,) WAF, Intrusion Detection and Prevention (IDP,) XML Security, Application Delivery Controllers, VPN’s, etc. should also be considered for roadmaps by these suppliers.

Think about it, if the chief concern in Cloud environments is security around multi-tenancy and isolation, giving customers more comfort besides “trust us” has to be a good thing. If I knew where and by whom my data is being accessed or used, I would feel more comfortable.

Yes, it’s difficult to do properly and in many cases means the Cloud provider has to make a substantial investment in delivery platforms and management/support integration to get there. This is why niche players who target specific verticals (especially those heavily regulated) will ultimately have the upper hand in some of these scenarios – it’s not socialist security where “good enough” is spread around evenly. Services like these need to be configurable (SELF-SERVICE!) by the consumer.

An example? How about Google: where’s DLP integrated into the messaging/apps platforms? Amazon AWS: where’s IDP integrated into the VMM for introspection?
http://www.rationalsurvivability.com/blog/?p=1407

To this list I would add access management. Many organizations have significant investment in products such as SiteMinder, and naturally wish to use these also to control access to their Cloud-based resources. I have written before about how the Amazon Virtual Private Cloud provides a network security focused solution for bringing Cloud-based resources "behind the firewall" to some degree, but as yet Amazon is not addressing the need to bring Cloud-based resources into a corporate identity and access management framework. When an organization provisions a user in their corporate IdM systems, it makes sense that they can control the usage of Cloud services there also, rather than trying to mirror the user at the Cloud side, with all of the hassle that entails.

A cloud service broker is the other option to augment security and compliance in front of the service itself. But Cloud service providers themselves will realize in time that their corporate customers would like the broker effectively baked at the edge.