Jonathan Penn, a Forrester analyst, says cloud computing has forced vendors to come up with new products and thus formed a whole new security market sector--and security vendors and cloud providers had better get ready.
Change is on the way "for security vendors in what you will sell and how you will reach your enterprise customers through these providers rather than direct or through traditional channels; and for cloud providers in what the revenue opportunities are for selling security solutions as part of your services in addition to adopting them for defensive purposes," Penn blogged today. "Anyone not bracing for this change--and embracing it--faces significant business risk."
While some vendors are already offering cloud security solutions, there's still a long way to go, he says. "And developing solutions for cloud environments requires a lot more than scaling up and supporting multitenancy. But heightened pressure by cloud customers and prospects is fueling the rapid evolution of solutions. How rapid and radical an evolution? By 2015, security will shift from being the No. 1 inhibitor of cloud to one of the top enablers and drivers of cloud services adoption," he said in his post.
In a recent survey of IT pros by PhoneFactor, 73 percent said security was the primary obstacle to their adopting cloud computing, followed by compliance (54 percent) and portability and ownership of data (48 percent). Most said they were worried about stopping unauthorized access to their company data in the cloud, and 42 percent said security worries have stopped their organizations from going to the cloud.
Even so, Forrester's Penn says in a new "Security And The Cloud" report, released today, that public cloud services are an about $9.6 billion market today, so security concerns aren't technically holding back the market or technology.
"We see organizations placing a lot more scrutiny on cloud providers as to their controls and security processes; and they are more likely to defer adoption because of security inadequacies than to go ahead despite them," Penn says. "This shift is coming more from an increased awareness about the issues than from an increase in actual breaches."
Cloud providers are getting pressured by enterprises to provide more inherent security in their offerings, the report says. "End user organizations are beginning to seek security as an inherent feature of cloud services, where it is more effective, more easily managed, and less expensive," according to the Forrester report.
Partnering between security vendors and cloud providers is already happening, with deals such as Amazon Web Services and Symantec's Symantec Endpoint Protection for Windows machines on Amazon's Elastic Compute Cloud, as well as relationships between Verizon Business and McAfee.
NaviSite, Rackspace, Savvis, and Terremark are among cloud providers that are building security into their infrastructure and offering that as part of their services, for example, the reports says.
Penn says vendors should not leave it up to customers to bolt on security. They also should offer some level of visibility into the cloud, he says. "Customers need to have the level of insight into cloud environments that they have today within their data centers. The only reason this hasn’t been a total showstopper for cloud yet is because auditors are so behind the curve on cloud that they haven't demanded this," he says. "But because of the lack of visibility into cloud environments, there's a lot of hand-waving with IT audits. The fact that cloud environments are a 'black box' to adopters and their auditors creates a huge hole in the IT audit process and a big risk to businesses, their partners, and their investors."
Penn says security standards are needed for the cloud as well. "Right now, compliance certifications are the best tools we have to measure the security of cloud provider environments, but that's not a best fit," he says. "While it's great that Verizon just got PCI compliance for its cloud, what do I do if I want to protect corporate secrets rather than credit card numbers? We need the right kinds of standards."
Long-term security won't be the main selling point for a cloud service, anyway, according to the report. Cloud providers' "value proposition will remain centered on the business-oriented benefits of IT agility and the tactical value derived from resource efficiency and reducing day-to-day operational burdens. For the next several years, however, tech industry strategists will have an opportunity to differentiate by improving the security and auditability of cloud environments through the development of new security solutions suited to the unique challenges of cloud services--and by forming new partnerships to bring those solutions to market," the report says.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.