Cloud security: A quick guide

What is cloud security?

Every IT provider whose customers’ businesses touch the cloud should know something about cloud security and be able to advise on it.

The good news is that generally it’s not about throwing the baby out with the bathwater but deploying familiar security solutions – such as antivirus, traffic monitoring and reporting, perimeter protection, spam filtering, real-time alerts, with analytics – in a cloud-based environment.

Security concerns remain the biggest barrier to further cloud adoption – even within organisations that have already been “in the cloud” for some time. So anything that can help protect customers’ data or information in the cloud must be included or at least considered under a “cloud security” umbrella.

Who is it aimed at?

We could make this section really short and just say “everyone”. Every organisation that is using cloud, that is – and if that's not quite every organisation, it is certainly most of them.

Verticals such as financial services, legal, and healthcare, as well as the public sector, may be particularly fruitful markets for the canny cloud security provider given the large volumes of data they hold and their special requirements around client confidentiality.

Highly mobile organisations may also benefit from additional attention. Their security environments may aim to protect the network without addressing holes potentially created by the many mobile devices now used.

Simply blocking access at more vulnerable organisations will no longer suffice, as users themselves are insisting on adopting this diversity of devices, despite the best efforts of company security policies.

How does it affect the market?

Resources may be exposed to risk that haven’t been in the past.

The approach taken to cloud security can also profoundly affect your customers’ ability to comply with legislative burdens, or combat the general worries that their customers might have about privacy, hacking, and general information and data security.

Risk management is critical; there is an increasing recognition that it isn’t possible to protect organisations completely, so deployments should incorporate an understanding that something could one day penetrate even the best defences.

The key is to have an adequate threat response in place that includes the ability for rapid identification and mitigation of any potential damage. This is a shift from the packaged approach to security – particularly internet security – taken by the channel generally just a few years ago.

Security has become a hot market again; Gartner expects global sales to rise 7.9 percent to $71.1bn in 2015, with an ever-larger slice of that being cloud-based.

Cloud security presents a huge opportunity for the channel and vendors should push forward to introduce programmes that address the demand for such solutions. A great example of one company snatching the opportunity is vArmour, which recently announced the launch of its distributed security system, offering extensible, scalable, independent and actionable controls for businesses.

Atos, Big Technology and EVT have all signed up the channel programme. Sean Catlin, chief technology officer at Atos explains: "The biggest barrier to cloud adoption is security. With vArmour, Atos offers a software based distributed security system that enables our customers/partners to secure private and public cloud consumption, delivering better security, trust and compliance than they have in their traditional data centers today. Within Atos, this is what we call a digital accelerator, enabling IT transformation."

Dean Hickman-Smith, SVP of Field Operations for vArmour adds: "We are at an intersection where enterprises must securely transform their data centers to stay competitive. The movement to distributed systems presents a unique opportunity for our strategic channel partners to transform and accelerate their businesses as well."

"With vArmour, partners can get customers up and running in minutes, instantly visualizing and controlling their most critical applications and data," he says.

Points of interest

Steve Zoberg, VP of operations at Citrix partner Synergy explained the at Citrix Synergy conference that cloud security should be addressed by all vendors including VMWare, Microsoft and Amazon. "It's not really a Citrix specific problem - I think it's an orchestration problem," he said. "The architecture is designed to give you agility and it does that, but it comes at a price."

The comments were made following the launch of Citrix Workspace Cloud, which allows IT managers to create their own cloud-based workspaces. With this control, it's hoped those working in the IT department will be able to ensure their own workspaces are secured sufficiently. However, Zoberg argues that this means partners should communicate the message around security at the very first opportunity.

"We're all over cloud platform, but we have to think about how we're going to architect this because I don't agree with the best practice. We need to be thinking about how we can silo certain segments so if and when [a breach] happens, businesses can still operate," Zoberg told Channelnomics.

However, other thought leaders on the subject believe that to guarantee access across all areas, a layered approach is necessary. Channel companies must look to head off potential cloud security issues from multiple angles.

Information and data must be segmented and prioritised much more comprehensively than in the past. Sensitive information must be treated differently to less-sensitive information, and cross-referenced against the need to retrieve or use the information.

Do many people need access? If so, who – and when? Authentication procedures must be tailored accordingly, and storage as well. Even physical security may need to be considered as part of an effective overall package; CCTV, physical entrances, and so on are increasingly being connected to the network or even the public internet.

All devices and platforms used by the customer organisation, as well as any potential shadow devices and applications, must be considered against the overall cloud security strategy.

An effective solution might encompass access management, data protection, visibility assurance, and operations optimisation. Each aspect can and should be tailored to specific customer requirements, with an eye to adaptability as circumstances and the overall threat environment continue to mutate.

All stakeholders and dispersed locations should be considered in relation to information and data security needs, and all external and internal parties that have access as well – however they achieve that access.

Some companies, such as Sophos, are acquiring specialists in certain areas to expand their product offerings to new areas, via the channel. The company announced the acquisition of Reflexion Networks to widen its reach to email security, building on its existing integrated cloud-based management console.

Reflexion's cloud based email security, archiving, email encryption and business continuity services will all be added to Sophos Cloud, making it a fully-integrated product for its partners to sell to customers.

Kendra Krause, vice president of Global Channels, Sales for Sophos comments: “The solutions developed by Reflexion Networks bring opportunity for Sophos partners to offer new services in the attractive growth market of cloud-based email security, and Reflexion partners have the opportunity to expand their security offerings with the broad Sophos security portfolio.”

David Hughes, CEO of Reflexion Networks adds: “At Reflexion Networks we’ve always been passionate about serving the vast global market of small and midsize businesses with easy to use services delivered through MSPs."

Channel Pro opinion

Security smarts may increasingly prove key to channel business growth, as mistrust in the market following the Snowden NSA leaks continues to fan flames of customer uncertainty when it comes to cloud computing.

Allaying these fears and presenting suitable solutions may seem like a particularly tricky juggling act, but breaking the bigger picture down into bite-size chunks and communicating how the pieces fit together will help reduce customer uncertainty and reluctance to act.

Customers will expect IT providers to be able to communicate what is needed and give pointers on where to find assistance if the latter cannot deliver it.

They’ll first need expert guidance in working out how and what they need to – or should – control in terms of information and data in the cloud. When these requirements have been nutted out, a solution can be developed with an eye to the SLAs.

The right products or services may therefore need to be cherry-picked for each customer from various vendors – and there are distribution partners geared up to assist with this. Vendors, however, will have to play well together and focus more on customer requirements than competing with each other.

It may be a good idea to consider an approach to provision in relation to the Government's recently-released Cloud Security Principles.

Long term revenue should be there, whether in cloud security sales or flowing through a deeper “trusted partner” relationship. This is still about playing a longer, recurring-revenue game in a brave new channel world and – as analysts never tire of reminding us – the channel must change or die.