Is security in the cloud just hot air?
It is easy to be sucked in by the hype. Take cloud computing; everyone is talking about it as something revolutionary – but haven’t we been here before? The idea of managed security applications and services is not new, and while predictions of 40 percent growth in the Security as a Service (SaaS) market by the likes of IDC are attracting the attention of the large security product vendors, companies such as Signify have been providing hosted security services for many years.
So why the renewed interest? Certainly, while security spending is holding up, driven by increased threats and the growing burden of compliance, the current financial crisis is making organisations question how budgets can be reduced without compromising security. IT directors are finding it increasingly difficult to get security spending plans signed off that require significant upfront investment.
Suddenly the idea of a pay-as-you-go service with minimum installation and deployment costs, fixed monthly usage fees and a service that can be easily scaled up or down depending on demand sounds an attractive proposition. Hosted or managed services provide an alternative for both the end user and the savvy reseller without an initial cost barrier to sale. And for resellers, the regular, ongoing revenue stream and the chance to stay close to the customer are compelling benefits in themselves. For end users, a properly managed service also eliminates the need to employ specialist and costly in-house skills and frees up staff to focus on core business challenges.
However, despite these benefits, some resellers have been nervous about managed services, as it means putting their trust and reputation in the hands of the service provider. If something goes wrong, the buck may well stop with them. And despite the fact that many end user organisations have embraced the emerging SaaS model, outsourcing security in particular can still present a mental barrier and concerns in the boardroom.
These barriers and fears are being overcome by a growing number of specialist Managed Security Service Providers (MSSPs) that deliver the complex bits of the security jigsaw that require specialist knowledge, infrastructure and support. MSSPs have to provide the highest levels of security, reliability and control to deliver the essential trust and confidence for both resellers and end users. It is now possible to put together a complete security solution using a combination of well-proven managed services from different providers. For example, you can take web and email filtering and email archiving from Webroot or Messagelabs; intrusion detection and vulnerability testing from Qualys; and laptop disk encryption from AlertSec.
At Signify, we provide a secure, fully hosted and managed 24/7 two-factor authentication service that removes the cost and complexity of deploying and managing strong remote access authentication for organisations of all sizes. Every user is verified and secured using a flexible range of token and tokenless authentication options.
Token or Tokenless?
Dedicated and simple hardware tokens such as the popular RSA SecurID Tokens generate a one-time passcode (OTP), typically every 60 seconds, and can be used in combination with a secret PIN for secure authentication. Alternatively, the OTP can be provided through software tokens for BlackBerries or Windows mobiles, giving users the same level of protection but with the convenience of being delivered through the mobile device. These are both ideal for frequent users who need anytime, anywhere access to corporate applications and resources.
But there has also been considerable interest in OTPs that can be delivered on demand to a user’s registered mobile phone, PDA or email account by SMS or email. This approach means that the user does not have another device to carry around, but requires an additional request stage. This approach is therefore best suited to occasional users, contractors, part-time staff and those checking email from home.
The reality is that it’s a case of ‘horses for courses’, and the ability to mix both token-based and tokenless two-factor authentication hosted services means that resellers can tailor the authentication solution to meet specific customer needs, budgets and working patterns. As the service provider, Signify runs the service infrastructure and also provides all of the automated, 24x7 policy-based procedures, logistics and support that are essential to keep remote users happy and the customer satisfied and secure.
Service Integration
Today, a new services channel model is emerging: one that accepts that the integrator is central to delivering managed services to the mass mid-market. The shift is from traditional system integrators that deliver solutions built from hardware and software products, to service integrators that are able to integrate a complete suite of in-house and third-party services and offer end users a complete, fully managed service-based solution.
As a result, many systems integrators such as 2e2, Serco and DataConnect are increasingly becoming service integrators that can concentrate on meeting customer needs while relying on the MSSP to build and deliver reliable and secure, non-stop 24x7 services.
There will of course always be customers who want to do it for themselves; but for those that see the true benefits of outsourcing specific security functions to specialist providers, there is a real opportunity for resellers to deliver managed solutions.
With no immediate end to the lack of credit facing many businesses, managed services, SaaS or Cloud Computing Services – whatever name you want to give them – provide the ideal solution for companies that realise they simply cannot afford to compromise on security.

