Risk
10/21/2010
02:40 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Cloud Security Market To Reach $1.5 Billion In Next Five Years

Enterprises pressure cloud providers to weave security into their services, new Forrester report says

Security has been the main barrier to widespread adoption of cloud services, but analysts at Forrester Research say it will become a major driver for these services by 2015, when they project the cloud security market to reach $1.5 billion.

Jonathan Penn, a Forrester analyst, says cloud computing has forced vendors to come up with new products and thus formed a whole new security market sector--and security vendors and cloud providers had better get ready.

Change is on the way "for security vendors in what you will sell and how you will reach your enterprise customers through these providers rather than direct or through traditional channels; and for cloud providers in what the revenue opportunities are for selling security solutions as part of your services in addition to adopting them for defensive purposes," Penn blogged today. "Anyone not bracing for this change--and embracing it--faces significant business risk."

While some vendors are already offering cloud security solutions, there's still a long way to go, he says. "And developing solutions for cloud environments requires a lot more than scaling up and supporting multitenancy. But heightened pressure by cloud customers and prospects is fueling the rapid evolution of solutions. How rapid and radical an evolution? By 2015, security will shift from being the No. 1 inhibitor of cloud to one of the top enablers and drivers of cloud services adoption," he said in his post.

In a recent survey of IT pros by PhoneFactor, 73 percent said security was the primary obstacle to their adopting cloud computing, followed by compliance (54 percent) and portability and ownership of data (48 percent). Most said they were worried about stopping unauthorized access to their company data in the cloud, and 42 percent said security worries have stopped their organizations from going to the cloud.

Even so, Forrester's Penn says in a new "Security And The Cloud" report, released today, that public cloud services are an about $9.6 billion market today, so security concerns aren't technically holding back the market or technology.

"We see organizations placing a lot more scrutiny on cloud providers as to their controls and security processes; and they are more likely to defer adoption because of security inadequacies than to go ahead despite them," Penn says. "This shift is coming more from an increased awareness about the issues than from an increase in actual breaches."

Cloud providers are getting pressured by enterprises to provide more inherent security in their offerings, the report says. "End user organizations are beginning to seek security as an inherent feature of cloud services, where it is more effective, more easily managed, and less expensive," according to the Forrester report.

Partnering between security vendors and cloud providers is already happening, with deals such as Amazon Web Services and Symantec's Symantec Endpoint Protection for Windows machines on Amazon's Elastic Compute Cloud, as well as relationships between Verizon Business and McAfee.

NaviSite, Rackspace, Savvis, and Terremark are among cloud providers that are building security into their infrastructure and offering that as part of their services, for example, the reports says.

Penn says vendors should not leave it up to customers to bolt on security. They also should offer some level of visibility into the cloud, he says. "Customers need to have the level of insight into cloud environments that they have today within their data centers. The only reason this hasn’t been a total showstopper for cloud yet is because auditors are so behind the curve on cloud that they haven't demanded this," he says. "But because of the lack of visibility into cloud environments, there's a lot of hand-waving with IT audits. The fact that cloud environments are a 'black box' to adopters and their auditors creates a huge hole in the IT audit process and a big risk to businesses, their partners, and their investors."

Penn says security standards are needed for the cloud as well. "Right now, compliance certifications are the best tools we have to measure the security of cloud provider environments, but that's not a best fit," he says. "While it's great that Verizon just got PCI compliance for its cloud, what do I do if I want to protect corporate secrets rather than credit card numbers? We need the right kinds of standards."

Long-term security won't be the main selling point for a cloud service, anyway, according to the report. Cloud providers' "value proposition will remain centered on the business-oriented benefits of IT agility and the tactical value derived from resource efficiency and reducing day-to-day operational burdens. For the next several years, however, tech industry strategists will have an opportunity to differentiate by improving the security and auditability of cloud environments through the development of new security solutions suited to the unique challenges of cloud services--and by forming new partnerships to bring those solutions to market," the report says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2963
Published: 2014-07-10
Multiple cross-site scripting (XSS) vulnerabilities in group/control_panel/manage in Liferay Portal 6.1.2 CE GA3, 6.1.X EE, and 6.2.X EE allow remote attackers to inject arbitrary web script or HTML via the (1) _2_firstName, (2) _2_lastName, or (3) _2_middleName parameter.

CVE-2014-3310
Published: 2014-07-10
The File Transfer feature in WebEx Meetings Client in Cisco WebEx Meetings Server and WebEx Meeting Center does not verify that a requested file was an offered file, which allows remote attackers to read arbitrary files via a modified request, aka Bug IDs CSCup62442 and CSCup58463.

CVE-2014-3311
Published: 2014-07-10
Heap-based buffer overflow in the file-sharing feature in WebEx Meetings Client in Cisco WebEx Meetings Server and WebEx Meeting Center allows remote attackers to execute arbitrary code via crafted data, aka Bug IDs CSCup62463 and CSCup58467.

CVE-2014-3315
Published: 2014-07-10
Cross-site scripting (XSS) vulnerability in viewfilecontents.do in the Dialed Number Analyzer (DNA) component in Cisco Unified Communications Manager allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCup76308.

CVE-2014-3316
Published: 2014-07-10
The Multiple Analyzer in the Dialed Number Analyzer (DNA) component in Cisco Unified Communications Manager allows remote authenticated users to bypass intended upload restrictions via a crafted parameter, aka Bug ID CSCup76297.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.