Cloud computing allows companies to deliver services in new ways using technologies and techniques that would otherwise be unaffordable. According to Gartner Inc., based in Stamford, Conn., cloud-based services in messaging security controls are projected to account for 60% of revenue in 2013. As more cloud-based services emerge, we also see a significant increase in competition with new and existing vendors. Our interview with Gartner analyst John Pescatore details the key aspects you should know before you add cloud-based services to your offerings. John has 31 years experience in computer, network and information security and has most recently co-authored Hype Cycle for Infrastructure Protection, 2008.
Q: How would you define cloud computing?
Pescatore: Gartner defines cloud computing as a one-to-many infrastructure service where the location of the computing element, the processing, the storage, the bandwidth and so on, is hidden from the consumer. Essentially, it's a pay-as-you-go model that allows you to increase or decrease capacity as your needs change. Cloud computing is very similar to what has been called grid computing -- you can utilize the resources of many computers in a network to approach one single problem.
Q: What are the primary differences between cloud computing and Software as a Service (SaaS)?
Pescatore: SaaS is when you consume and pay for an application on a monthly basis. Cloud computing represents the "infrastructure" that SaaS is built upon. Salesforce.com is an example of SaaS where as Flickr.com (an online photo management and sharing application) is an example of Storage as a Service. Flickr operates by using Amazon's storage cloud and buying storage and capacity from Amazon as the demand arises. Google's services (Google apps or Google mail) are examples of Software as a Service that are also implemented through cloud computing. Rather than using MS Office -- software you can buy on a CD-Rom and own rights to -- you can consume word processing or email as a service through Google apps. Both businesses use cloud computing to implement their services and therefore do not really have their own data centers.
Q: Why do you think security cloud-based services are increasing at such a fast rate?
Pescatore: The first major reason is that several types of security can be more efficiently implemented through the cloud. With cloud computing, emails can be filtered faster and viruses can be intercepted before they are sent out to thousands of customers. The second reason is that there are some security aspects a company is able to do in the cloud that it does not have the ability to do own its own. For example, in the event of a denial-of-service attack, Acme Company could buy a protection product however the attacker could still use the company's Internet bandwidth by sending malicious packets. If the company contracts with AT&T, Sprint or British Telecom for example, it can implement denial-of-service protection in the cloud and filter the attacks before they are able to consume bandwidth.
Q: How can enterprises save money with security technologies and techniques by using cloud computing?
Pescatore: Today, using cloud-based security services is not necessarily cheaper than doing it yourself. If you looked at the software licensing costs and so on, you might pay the same amount as if you did email security in a cloud. You could save data center space and personnel time, however it's really more about reducing the total cost of ownership than strictly reducing the line item that says "email filtering." You could put hundreds of dollars of security software on every laptop and spend lots of time trying to manage these laptops or you could pay half that per user per year by using cloud computing. The information would flow through a cloud-based security service and threats could be filtered before they reach the machine. That's what we look for in the future -- that cloud-based security services will enable less expensive ways of dealing with future threats.
Q: How does cloud computing make an organization more vulnerable to attacks?
Pescatore: One of the major issues is loss of control of where your data is stored. Cloud-based information can be stored in any data center around the world that supplies capacity. The second issue is that you don't necessarily get service level agreements that guarantee perpetual access to your information. This means that if the data center were to crash, you don't know if you will have access to your information. When you use cloud-based computing you don't know if the security of all the servers out there equals yours, you don't know if one of the global data centers you're using has been compromised or if a sniffer has been installed. With security cloud based services, you have to give up a certain level of control.
Q: How much will an organization have to alter their current security infrastructure to accommodate security cloud-based services?
Pescatore: If a business is already doing some level of outsourcing, then it has already lost some level of control. Cloud-based computing requires more security rigor in the form of contractual language. Your call center provider could contract another company to host the servers, and that company could contract another company and so on. This is an example of how cloud-based computing could force you to deal with multiple subcontractors. Cloud computing requires more complexity, additional subcontractors and greater attention to contract details.