Risk
10/21/2010
02:40 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%
Repost This

Cloud Security Market To Reach $1.5 Billion In Next Five Years

Enterprises pressure cloud providers to weave security into their services, new Forrester report says

Security has been the main barrier to widespread adoption of cloud services, but analysts at Forrester Research say it will become a major driver for these services by 2015, when they project the cloud security market to reach $1.5 billion.

Jonathan Penn, a Forrester analyst, says cloud computing has forced vendors to come up with new products and thus formed a whole new security market sector--and security vendors and cloud providers had better get ready.

Change is on the way "for security vendors in what you will sell and how you will reach your enterprise customers through these providers rather than direct or through traditional channels; and for cloud providers in what the revenue opportunities are for selling security solutions as part of your services in addition to adopting them for defensive purposes," Penn blogged today. "Anyone not bracing for this change--and embracing it--faces significant business risk."

While some vendors are already offering cloud security solutions, there's still a long way to go, he says. "And developing solutions for cloud environments requires a lot more than scaling up and supporting multitenancy. But heightened pressure by cloud customers and prospects is fueling the rapid evolution of solutions. How rapid and radical an evolution? By 2015, security will shift from being the No. 1 inhibitor of cloud to one of the top enablers and drivers of cloud services adoption," he said in his post.

In a recent survey of IT pros by PhoneFactor, 73 percent said security was the primary obstacle to their adopting cloud computing, followed by compliance (54 percent) and portability and ownership of data (48 percent). Most said they were worried about stopping unauthorized access to their company data in the cloud, and 42 percent said security worries have stopped their organizations from going to the cloud.

Even so, Forrester's Penn says in a new "Security And The Cloud" report, released today, that public cloud services are an about $9.6 billion market today, so security concerns aren't technically holding back the market or technology.

"We see organizations placing a lot more scrutiny on cloud providers as to their controls and security processes; and they are more likely to defer adoption because of security inadequacies than to go ahead despite them," Penn says. "This shift is coming more from an increased awareness about the issues than from an increase in actual breaches."

Cloud providers are getting pressured by enterprises to provide more inherent security in their offerings, the report says. "End user organizations are beginning to seek security as an inherent feature of cloud services, where it is more effective, more easily managed, and less expensive," according to the Forrester report.

Partnering between security vendors and cloud providers is already happening, with deals such as Amazon Web Services and Symantec's Symantec Endpoint Protection for Windows machines on Amazon's Elastic Compute Cloud, as well as relationships between Verizon Business and McAfee.

NaviSite, Rackspace, Savvis, and Terremark are among cloud providers that are building security into their infrastructure and offering that as part of their services, for example, the reports says.

Penn says vendors should not leave it up to customers to bolt on security. They also should offer some level of visibility into the cloud, he says. "Customers need to have the level of insight into cloud environments that they have today within their data centers. The only reason this hasn’t been a total showstopper for cloud yet is because auditors are so behind the curve on cloud that they haven't demanded this," he says. "But because of the lack of visibility into cloud environments, there's a lot of hand-waving with IT audits. The fact that cloud environments are a 'black box' to adopters and their auditors creates a huge hole in the IT audit process and a big risk to businesses, their partners, and their investors."

Penn says security standards are needed for the cloud as well. "Right now, compliance certifications are the best tools we have to measure the security of cloud provider environments, but that's not a best fit," he says. "While it's great that Verizon just got PCI compliance for its cloud, what do I do if I want to protect corporate secrets rather than credit card numbers? We need the right kinds of standards."

Long-term security won't be the main selling point for a cloud service, anyway, according to the report. Cloud providers' "value proposition will remain centered on the business-oriented benefits of IT agility and the tactical value derived from resource efficiency and reducing day-to-day operational burdens. For the next several years, however, tech industry strategists will have an opportunity to differentiate by improving the security and auditability of cloud environments through the development of new security solutions suited to the unique challenges of cloud services--and by forming new partnerships to bring those solutions to market," the report says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-3946
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

CVE-2012-5723
Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

CVE-2013-6738
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

CVE-2014-0188
Published: 2014-04-24
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to...

CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

Best of the Web