The rush of businesses to move their operations to the cloud is creating a slipstream that's pulling security services into the nimbus.
"People have become more comfortable now with the cloud so they're feeling more comfortable leveraging certain cloud services for security," said Brian Contos, CISO for Blue Coat, a web filter appliance company.
That comfort will be driving a rapid growth in the market for cloud-based security services in the next few years. The market, according to Gartner, will jump by a billion dollars in the next two years from $2.1 billion in 2013 to $3.1 billion in 2015.
Market research firm Infonetics Research also has a rosy forecast for cloud-based security services. It predicts revenues for them will climb by a compound annual growth rate of 10.8 percent, from 2012 to 2015, when it will reach $9.2 billion.
"There's increasing pressure on organizations to have services in the cloud, and the only way really to manage some of the risk in the cloud is with cloud security services," said Davi Ottenheimer, senior director of trust for EMC.
As companies move services from their data centers into the cloud, not only do they want their security services there, too, but they want those security services to emulate other cloud offerings. "They're demanding next-generation, higher-class security services," said Mark Nunnikhoven, principal engineer of cloud and emerging technologies, at Trend Micro.
"They want a security service that matches the attributes of the cloud — something that's smart and flexible," he added.
The general migration of operations to the cloud isn't the only trend driving security services to the nimbus, however. "The rise of mobility and the distribution of users has driven a lot of the requirement for security in the cloud," said Infonetics Principal Analyst Jeff Wilson.
Increased use of multiple devices by employees to do their jobs has broadened security challenges for many organizations. Those devices are used by workers with services outside their employer's network – services like Gmail, Webex, Dropbox and Evernote – that can expose that network to risk. "Trying to figure out a way to buy a product to protect you from all that stuff becomes mind-boggling," Wilson said.
"It makes hijacking traffic and routing it through a secure cloud a reasonable thing to think about doing," he added.
When organizations could limit the gateways to their networks and bottle up data within those networks, local solutions made more sense. That's not the case now.
Jay Chaudhry, founder and CEO of Zscaler, a cloud-based information security company, recalls a recent conversation he had with a CSO. "I asked him, 'How many employees do you have?" Chaudhry noted. "He said, '10,000.' I said, 'How many gateways to the Internet do you have?' I expected an answer like three or four or five. He said, '10,000.'"
The CSO explained that every employee had a laptop. It goes where the employee goes, and it often connects directly to the Internet. "Then he said, 'Sorry. I mispoke,'" Chaudhry continued. "'Every employee has a smartphone and most of them have a tablet, too. So I have at least 20,000 gateways,'"
"If you start looking at that, then the notion of buying a few boxes and putting them in a network starts looking irrelevant," he added.
Without a doubt, device diversity is contributing to the erosion of the effectiveness of perimeter defenses and boosting the appeal of the cloud as a security tool. "Device diversity is driving the need for a solution beyond protecting this castle we've build to protect our data over the years," said Dan Hubbard, CTO of OpenDNS, a cloud-based security services provider.
"That castle and moat model blows up when all your users and data go through the castle's gates and start working outside the castle," he added.
Much of what employees had to go to work to access – SAP data bases and Microsoft Exchange – has been moved to the cloud. Now employees can access what they need from work from anywhere with any device. "Since users with their data and devices are traveling with them in the cloud, the cloud is the ultimate way to protect them," Hubbard said.
That's because the cloud can give system watchdogs a better view of what's happening in a sprawling environment than local solutions. Greater visibility into data traffic patterns can be achieved, for example. "The cloud is huge for that," Hubbard said.
In addition, attacks can be identified in real or near-real time. "If you have customers in silos with appliances and software distributed in locations around the world, they're not going to be talking to each other so you don't see the data in real time," Hubbard noted. "With a cloud solution, big data technologies can be applied to protect customers in a much faster and predictive way."
Moreover, cloud-based security services can allow an organization to tackle problems too big for them to wrestle with alone, such as Distributed Denial of Service Attacks. "It's unreasonable for the average company to buy the infrastructure to mitigate a 100 gig sustained DDoS attack," Infonetics' Wilson said.
Companies are also interested in cloud security services for many of the same reasons they're generally interested in cloud services. For example, they want to spend less money on iron, by turning capital expenditures into more predictable operational expenses. "Instead of spending $100,000 or $150,000 on a new web filtering platform, you can spend $1 a user per month," Wilson explained.
"It's much easier to predict your expenses," he continued, "and to avoid obsolescence."
Indeed, exiting the technology gerbil cage has always been a big attraction of the cloud. "A lot of companies don't want to have the burden of managing complex security solutions anymore," said Greg Onoprijenkom, president, co-founder and managing director of sales for e-ternity, a business continuity consulting firm.
"The technology is constantly changing, and it's expensive to keep up with it," he added.
With a cloud-based security solution, those burdens can be born by someone else. "It takes away the cost of ownership," Hubbard, of OpenDNS, said. "You don't have to patch any servers. You don't have to install things. You don't have to configure them. You don't have to update them. All that happens automatically."
Adding to those expenses are increased security requirements from regulators and others. "There is now a much more significant push around compliance for many organizations that three to five years ago wasn't there," said Erik Bataller, principal security consultant with Neohapsis, an enterprise security and risk consulting firm.
"Requirements are becoming much more rigorous so there are increased costs there," he added. "Most organizations have struggled to meet existing requirements let alone no trying to meet increased requirements."
Not only can it be onerous to maintain security systems, but finding the wetware to do so can also be challenging. "It's even more difficult in smaller companies where IT staffs have already been reduced," said Brian Laing, products vice president for Lastline, a cloud-based provider of threat intelligence. "They don't have the staff now to dedicate to security, let alone hire a higher-end security person."
Large companies are also known to cut security corners, too. Andrew Kellett, a principal analyst with Ovum, a business and technology research company, recalled his experience with a retail organization operating in 26 countries. "We didn't have dedicated security IT professionals," he said. "It was a general IT requirement."
Relieved of the need for security experts, a company using cloud-based security services can free up resources for needs more important to its core mission. "An organization that adopts a cloud service doesn't need to become an expert in that service," explained Justin Moore, founder and CEO of Axcient, a provider of cloud continuity services for small and medium businesses. "That means being able to deploy best-in-class capabilities with minimal effort and expense."
"If you're a business of 100 people," added Trend Micro's Nunnikhoven, "and you don't want to hire seven people dedicated just to security, it's far more valuable to you as an organization to go to a managed security provider to coordinate most of that so you need only two or three people responsible security."
Nunnikhoven warned, however, that, despite the enthusiastic claims of cloud providers, savings may be elusive."A lot of the time when people think of savings they're thinking they were paying $100 before, and they're paying $50 now," he said. "What you're likely to see is a better use of your resources. You may spend the same amount of money, but you get more bang for your buck."
Despite the velocity to move security services to the cloud, some businesses will remain skeptical of the practice. Observes Nirav Mehta, director of product management at RSA, the security division of EMC: "It's not that the business is less secure by using the cloud. It's that the business may not have visibility into how secure it is when it loses control of its security services."
Moreover, in recent times, the cloud's vulnerability to actors endowed with large resources has tarnished the security reputation of the nimbus. "The assumption that these cloud providers are to big to be insecure has proven to be false," EMC's Ottenheimer said.
Nowhere has that been more evident than in the recent revelations of snooping on large cloud services providers by the National Security Agency. Nevertheless, there are those that believe that not even the NSA can slow the momentum behind the migration of security services to the cloud.
"The cloud is such a compelling option these days that there's not much that's going to slow that down," e-terntiy's Onoprijenkom said. "There's lots of examples of breaches in the Amazon cloud, and people are still flocking to Amazon daily."
"What that says is no matter who you are or how much money you spend, there are still vulnerabilities and you still have to be aware of threats," he added. "It's naive to think that nobody's IT environment will ever get penetrated. You have to deal with it and make sure people are as protected as possible."