Are cloud security risks overblown? After months and months of hand-wringing, a number of experts are warming up to the cloud as a way to boost security.
Richard Spires, CIO of the U.S. Department of Homeland Security, believes that cloud risks are overstated, while colleague Vivek Kundra, the U.S. federal government CIO, has made cloud adoption a priority for federal agencies.
The skeptic in me notes that the Feds don’t have the best security track record, and the DHS’s prioritizing of security theater over true security is troubling. However, caveats aside, a consensus is slowly emerging that the cloud can be every bit as secure as a traditional on-premise environment, if not more so.
Part of this shift is simply that the fear of the “new” is eroding. As organizations spend time learning about and experimenting with cloud solutions, they slowly become more comfortable with them. A new CompTIA study found that 72 percent of organizations that have dabbled in the cloud now feel more positive about cloud computing overall than they did one year ago.
Another reason organizations are less afraid of the cloud these days is the growing number of cloud-specific security solutions available in the market. With so many security companies rebranding themselves as “cloud” security companies, and with so many new cloud security startups out there, selecting the right solution for your organization can be tricky.
Based on interviews with organizations that have recently adopted various cloud security tools, here are five questions to ask as you evaluate cloud security solutions:
1. Will it help you achieve existing business goals?
When service provider Integral Networks began investigating new cloud security solutions, one of its goals was to achieve a 100 percent virtual environment. As Integral Networks set out to eliminate expensive, unnecessary hardware by moving to an entirely virtualized environment, the company quickly realized that it needed to update its security.
The company eventually settled on Vyatta’s Network OS, which it used to secure the Desktop as a Service (DaaS) and Infrastructure as a Service (IaaS) cloud offerings.
After electing to replace its existing Cisco physical environment, Integral Networks standardized on Vyatta virtual machines, which provided all of the security and connectivity required while simultaneously consolidating its data center footprint.
“We were happy with the security we’d been getting from our SonicWall firewall, but we couldn’t deploy it as a virtual machine,” said Bryan Badger, president of Integral Networks.
Since it can be deployed as a VM, the Vyatta Network OS enables Integral Networks to offer managed firewall and VPN services in both VMware and XenServer environments. Using Vyatta VMs, Integral Networks can offer granular control and complete isolation of customer resources, as well as secure remote access for managing cloud-hosted data externally.
2. Will it make life easier for your security/IT staff?
As new cloud security products displace existing on-premise solutions, will they require your security/IT staff to undergo extensive training, learn new management consoles or introduce new items to their daily to-do list? One of the cloud’s benefits, when done right, is that it simplifies many manual infrastructure administration tasks. Ideally, cloud security should streamline security workflows.
HCR ManorCare, an Ohio-based provider of short- and long-term medical and rehabilitation care, was struggling with the high administrative burden of managing its URL filtering list, while also needing to secure its mobile employees when they accessed the web through both laptops and mobile devices.
With 60,000 employees across 500+ locations, this was no small task. Added to the mix was the desire to find a solution that would lower TCO. An existing managed service provider partner, CentraComm, suggested that HCR ManorCare evaluate Zscaler’s web security solution.
“This was a very high profile project. It affected every user in our company as well as our guest Internet services that our patients and their family members use while in our facilities,” said Thomas Vines, Director of Information Security, HCR ManorCare. “It was such a no-brainer decision . . . that its adoption was embraced and fast-tracked.”
By deploying Zscaler’s cloud-based solution, HCR ManorCare was able to secure its mobile users and road warriors, while also relieving its IT staff of the trouble of maintaining the previous URL filtering list – a major time saver.
One unexpected headache did crop up, though. With their previous web-filtering tools, users could often “refresh” their way to restricted sites. Now that some users can’t access restricted sites, many call the helpdesk.
“Most of these turn out to be non-productive, non-work related websites with a high degree of streaming content or some other downstream traffic,” Vines said.
Obviously, this problem will quickly take care of itself as users wise up and save watching YouTube videos of cats riding skateboards for after work.
3. Will it help you with your compliance efforts?
One of the main complaints of CISOs and CSOs these days is that they are no longer security professionals, but compliance ones. Complying with regulations such as SOX, GLBA, PCI DSS, HIPAA and an alphabet soup of others is more than a full-time job.
Fortunately, the cloud could help change that. Denver-based ViaWest, a provider of colocation and managed services to mid-sized and enterprise-level businesses, needed a security solution that would streamline compliance efforts for its customers in order to compete in the crowded colo and MSP market.
The company searched for a cloud security tool that would help customers safely store sensitive information, such as credit card data, while streamlining the compliance efforts around those sensitive tasks.
ViaWest adopted StillSecure’s Cloud Security Services Platform, in part due to a specific service: PCI Complete.
“StillSecure’s products are designed to account for the changes many businesses are either struggling with now or will be soon,” said Steve Prather, VP of Strategic Development for ViaWest. “Specifically, how will they achieve PCI compliance in a cloud environment? And will they be able to deploy VMs in a way that doesn’t undercut compliance?”
PCI Complete is a managed solution that helps merchants comply with Payment Card Industry Data Security Standard (PCI DSS) provisions. As a PCI DSS-certified data center operator, ViaWest can provide infrastructure services and hosting services that customers know are secure and meet privacy requirements. PCI Complete streamlines compliance through single-button access to PCI-specific reports that prove to auditors and management the IT environment is secure and compliant.
StillSecure intends to roll out other compliance services soon, with a HIPAA compliance service debuting later this year.
4. Does it consolidate security or integrate with other solutions?
Security inevitably trends towards consolidation until some disruptive technology comes along to fragment it yet again. It’s an ongoing, frustrating cycle – but a consistent one.
For IT, consolidated security is a good thing, making daily workflows much easier to manage. In these early days of cloud security, keeping an eye on the big picture is essential. Will your web application firewall, cloud IPS and DLP solution work together? If not, are their management consoles familiar enough that IT doesn’t have to spend an inordinate amount of time switching gears to manage each independently?
One reason that Integral Networks chose Vyatta is that their security/networking OS suite effectively replaces Cisco infrastructures. The Vyatta management consoles are similar enough to Cisco solutions that IT doesn’t have to relearn an entirely new system from scratch.
“Some of our government and education customers have very specific requirements in their RFPs that demand Cisco infrastructure,” Badger of Integral Networks said. “We were able to show feature by feature how Vyatta met or exceeded Cisco functionality. With other solutions, we probably would have lost out on many of those bids.”
Many of ViaWest’s customers are smaller and mid-sized enterprises. In that part of the market, many companies have limited budgets and cobble together various security point products that have little integration.
“An integrated product like StillSecure gives customers a look at the big picture,” Prather said. “There is better threat correlation, better metrics and improved ease of use through a single management interface. Non-integrated solutions don’t give you a complete view of the security landscape, and they lack event correlation. With an integrated product, when three different security components – such as an IPS, firewall and vulnerability scanner – triangulate on an issue, you know it’s a significant problem.”
5. Does it deliver cloud-like ROI?
Businesses flocking to the cloud hope to save money and are disappointed if they don’t. They have similar hopes, of course, when adopting cloud security solutions.
Integral Networks, HCR ManorCare and ViaWest all reported strong ROI numbers.
Integral Networks saved more than $120,000 by switching to Vyatta and away from SonicWall and Cisco. HCR ManorCare said that it instantly lowered its security TCO by nearly $150,000 by switching to Zscaler’s security service, while also experiencing a 40 percent increase in the effectiveness of blocking malicious sites.
ViaWest’s customers save anywhere from $3,000 to $10,000 each year on their compliance efforts, since compliance is streamlined and auditors often are able to forgo site visits. Added to that, compliance no longer disrupts workflows the way it did in the past. Multiply those savings across an entire customer base, and total ROI adds up impressively.
Each of the end users I talked to also mentioned a range of “soft” benefits, which don’t translate as easily into ROI numbers. Flexibility, agility, and the ability to outsource critical security functions to experts and away from general IT staff are benefits that don’t show up in an ROI report, but they’re every bit as important.