As someone who interacts with Cloud Service Providers of varying sizes in geographies around the world, I have been giving thought to where we are, and ultimately what organizations will expect from the CSPs in terms of security over the coming months.
Ask any end user, regardless of whether they are a multi-national with a Chief Security Officer or an SMB with IT personnel wearing multiple hats, and security is always at the top of the list.
So why aren’t more CSPs looking to provide security beyond the basics? Over this and subsequent postings, we will explore what customers should expect, even demand, from their Cloud Service Providers.
When I look at the landscape of service providers around the world, many are missing an opportunity to differentiate themselves from the masses. Not only are these CSPs missing an opportunity, but ultimately they will put themselves at a competitive disadvantage by not more aggressively providing security as part of their underlying offering.
Size matters… or does it?
Let’s consider that CSPs come in varying shapes and sizes, and one size does not fit all when it comes to security. Today Amazon promotes a shared security model, because they don’t want the contractual obligations of being responsible for end user security, yet AWS has spent significant time and effort working to get certifications in the last 18 months. Just check out http://aws.amazon.com/compliance/ - they now boast certifications ranging from HIPAA and PCI DSS Level 1 to specific government user programs.
When I look at Bitdefender’s own customers leveraging our hosted security offering on AWS, there are some definite trends that have emerged over the past year. First, there is a disproportionate number of SaaS providers leveraging our offering. Second, when I talk to these SaaS providers, almost all of them have said to me they want to use security to differentiate their offerings from competitors.
What are their options today? Really there are two. SaaS providers need to do the research and build their own security stack, which might include AV/anti-malware, log management, intrusion detection, etc. The second may be to look at a CSP that has more of a focus on security.
Recently I read a quote from one of our new CSP customers, and thought it was worth sharing. The quote goes something like this -
"Settling for poor security or 'checkbox compliance' is unnecessary and unacceptable."
Their model is simple: they want to help businesses understand that they should no longer tolerate poor security from their hosting and cloud partners. Their view is a holistic approach where the industry needs to think beyond insufficient checkbox compliance as an end-all solution. Compliance with security standards like PCI does not mean a company's data and applications are properly protected and secure.
Enterprises only need to look at whatever this week’s latest, much-publicized security breaches are to see that having a compliance checkbox does not equate to proper protection, standards of practice or “real” compliance.
Consequently, customers will expect and demand better services that go beyond the checkbox mentality. The CSPs that figure it out first will have a huge head start on their competition.
You’re invited to comment and share your thoughts about ‘better security’ when it comes to competitive advantage.