How the cloud is driving down the cost of security


There is little doubt that the cloud has made an impact upon IT security. Just how positive that impact actually is depends on who you talk to and when you last spoke.

Indeed, just a few years ago the overwhelming majority of IT executives would have said it was a negative one, with data being insecure in the cloud. They would have used this as a reason not to migrate. At the same time, however, IT security professionals would have tempered that view somewhat by pointing out that the cloud has never been inherently insecure and that cloud-based data can be secure enough.

Fast-forward several years and, as customer confidence and understanding of cloud security issues have improved, the insecurity argument has by and large given way to treating the cloud as just another environment where best practice can be applied to keep on top of data security.

Cloud computing has become trustworthy and the unstoppable rise of Security-as-a-Service is proof positive of that. Indeed, cloud-based security services provide one of the most positive impacts I can think of. Be that in terms of email security, identity management, tokenisation and encryption, web application firewalls (WAFs) or security information and event management (SIEM), SaaS is changing how we view the security services landscape. It's also making a big change to the business bottom line, if a new study from Forrester Consulting is to be believed.

The Total Economic Impact (TEI) study was commissioned by Alert Logic, a company operating firmly within the Security-as-a-Service space, so a certain amount of Mandy Rice-Davies Applies (MRDA) might be expected. In other words: well, they would say that. Indeed, Forrester based its findings on interviews with Alert Logic customers to produce a composite customer profile. However, those customers did have diverse IT infrastructures and a range of different security and compliance requirements, so as to provide a broad, generic economic framework that could identify costs and benefits.

Forrester maintained editorial control over the study and its findings, and Alert Logic was not involved in the client interviews beyond providing their names and contact details. Even allowing for the inward-looking aspects of this report, there were still some very interesting figures to come out of it, which can be excised and used when building a financial case for SaaS implementation no matter who is doing the provisioning.

OK, so that composite customer profile I mentioned ended up being representative of one having a couple of datacentres and 10 globally distributed locations. The TEI study determined that, over a three-year period, the use of SaaS would avoid labour costs associated with threat research, security monitoring, log management and web application firewall management in the region of £428,000. Add to that the estimated cost of infrastructure capital and maintenance when looking at a traditional 'in-sourced' security equivalent and Forrester reckon there's another £372,000 to be deducted. Oh, and the improved threat/attack response was calculated to equate to avoidance of end user downtime cost of around £124,000. So that composite customer is saving around £925,000 (as a risk-adjusted figure) on security over those three years, or a tad over £300,000 per year.

It might not be the traditional way to think of cloud security, but it certainly provides food for thought to those larger enterprises looking to leverage the financial savings that the cloud can offer. Security-as-a-Service can mean that your organisation doesn't have to employ or hire analysts for log monitoring and management or for threat research and investigation, or find the capital expenditure and ongoing upkeep costs of in-house infrastructure. All of these are outsourced to the cloud solutions provider, and all are wrapped up in a budgetable fixed fee.

The cloud as a distribution channel for security services, as a provider of security for our desktop data and network resources, is certainly proving to be a way forward, and not just for the larger enterprise as demonstrated in this study. SaaS can be scaled down to fit the needs of the smallest organisation whilst still saving money, in my experience, as security vendors take advantage of the market aerodynamics being provided by the cloud. So, be it basic anti-malware protection that is delivered via the cloud through to full-on SaaS solutions, the bottom line is the same: the cloud is both changing the way security services are delivered, and changing expectations of how much they should cost.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.
