Thales Blog

SECaaS Not Just A Security Sideshow

November 13, 2013

In my previous post, I discussed how Microsoft has migrated its enterprise-based Rights Management service (AD RMS) to a cloud-based version running on Azure (Azure RMS), how they’ve used HSMs in the Azure cloud and how they’ve enabled customers to adopt a ‘bring your own key’ strategy. In this post I want to step back a little and look at the bigger picture.

You’ve probably heard of software-as-a-service (SaaS) and Azure RMS would certainly fall into that category, it’s an alternative to running in-house RMS (the definition of a SaaS offering is one that replaces an in-house software application). But if you look more closely Azure RMS is actually a great example of a specialist subcategory of SaaS offerings known as security-as-a-service or SECaaS. But hang on, isn’t that an oxymoron – the cloud being used to deliver a security service –isn’t the Achilles heel of the cloud meant to be security?

Well, it turns out the SECaaS market is doing quite nicely. In fact according to Gartner, security-as-a-service is already a $2.5bn market and is expected to grow to reach $4.2bn by 2016. What’s more, the top reasons that companies give for moving from in-house security software or hardware to SECaaS security services is to increase, you’ve guessed it, security – how can this be? Well, there’s a good argument that some cloud providers know more about deploying security technologies than many enterprises, particularly smaller businesses with scarce in house security expertise - but there must be more to it than that. Today, the most widely used SECaaS services are either email gateways or web gateways – together they make up nearly three quarters of the market, and that gives us a clue to the success of the market, it might be all about accessibility.

Security works best when it’s applied without gaps or exception – no weak links. And yet, in today’s enterprises many workers are remote, supply chains are fragmented and globalized and we expect whenever/wherever connectivity to corporate resources. It’s hard to secure such a dispersed set of users and assets from inside the traditional perimeter, trapped on a corporate network, and that inevitably leads to inconsistent and ill enforced security policies. Given all of this, it’s worth considering whether some security services are best delivered from the cloud where they can secure all users, all apps, all devices wherever they might be. After all, if security just works, users don’t try to bypass it, and that has a net benefit on security posture as a whole.

So where is this heading? Gartner predicts the fastest growth in security as a service will come in the areas of identity management and security event and information monitoring (SIEM) and that actually makes perfect sense, for the same reason of accessibility. Identity management is a particularly good fit for cloud deployment when apps we want to access are already in the cloud and largely invisible to in-house ID systems and conversely BYOD schemes bring external identities into the corporate environment that ID systems have to deal with. Somehow we have to find a way to manage identities that transcend traditional enterprise boundaries. It’s potentially such a good fit that it has been forecast that by 2016 30% of corporate identity management will be performed in the cloud.

Of course security as a service offerings are not limited to identity, a variety of data protection capabilities can also be delivered from the cloud. Encryption, tokenization, digital signing and secure collaboration and rights management services are all excellent candidates, which brings me back to Microsoft and Azure RMS. Now, these types of services obviously need to be secure. Security as a service offerings will become a target of attack and stakes are very high. The multi-tenancy of the cloud does bring its own challenges, requiring strong segregation not only between the tenants but also between the cloud service provider and its customers. Providers of these services could destroy their credibility with every potential break. Their entire business model depends on them taking appropriate steps to secure their service, in most cases needing to go beyond the best practices for traditional enterprise deployment and finding ways to articulate their security posture to their customers, as a service differentiator.

From a service provider’s perspective, techniques such as data encryption, strong authentication and measures to ensure the integrity of customer data all rely on the use of cryptography to secure the service. Approved encryption algorithms, certified product implementations and robust key management will make the difference between security as a services platform that can stand the test of time and those that can’t. The arrival of new key management standards such as KMIP (key management interoperability protocol) will enable far sighted service providers to go further still, enabling their customers to manage their own keys, keeping ultimate control over their data in the cloud. Not only does this reduce the liability of the cloud provider but also insulates the consumer against issues such as data residency, lawful interception and other forms of eDiscovery that might otherwise serve as barriers to cloud adoption for applications or data with any level of sensitivity.

When it comes to security, one size never fits all but the concept of security services delivered from the cloud isn’t as far fetched as many might assume. When deployed correctly the security benefits coupled with the usual economic and operational attractions of cloud services might provide a compelling option.

The onus now is on the cloud providers to prove that they can be trusted to protect our most valuable assets – if they can, we may be on the cusp of a security revolution. Security as a service has the potential to be a catalyst for stronger information assurance and not just a security sideshow.

Richard Moulds