Cloud-based security as a service offerings have seen a steady increase in popularity, due to the benefits that the deployment model provides. Security as a service enables rapid provisioning, cost savings and enhanced security through real-time updates and the community effect.
With the explosive adoption of public cloud computing, it's time we apply the techniques used to provide security FROM the cloud to provide security FOR the cloud.
In public cloud environments like Amazon Web Services (AWS), the Elastic Compute Cloud (EC2) instances only provide firewall as a service. It's up to the customer to harden the operating system and the applications running within the virtual machine instance. Ongoing patching helps reduce the attack surface; however, patching alone doesn't maintain a secure environment. The only currently viable option to augment the security posture is host-based controls deployed and managed by the customer. Host-based agents can provide Anti-Malware, IDS/IPS, WAF, DLP, Integrity Monitoring and other capabilities, but it's up to the end-user to purchase, deploy, configure and monitor these countermeasures.
This presents an opportunity for service providers to offer security as a service, designed to protect the instances their users spin up. With the introduction of premium pay-per-use security services, customers could choose the countermeasures they require on a feature by feature basis. Adding malware scanning of your virtual machines could be a single check box away.
While this may seem like a natural evolution, security as a service for infrastructure as a service (IaaS) has been slow in coming. Part of this may be specific to the architecture required. To maintain platform independence and the elasticity of the environment, and to deal with virtualization-specific issues like rollback, the security services should be offered transparently outside of the virtual machine (PaaS and SaaS offerings don't have this constraint since the service provider manages the operating system).
Externalized security has already proven itself in security as a service offerings FROM the cloud, for example email gateways to filter spam and malware. Providing externalized security FOR virtual machines in cloud providers isn't common, but it's possible today with virtual gateways or virtual appliances that leverage hypervisor security APIs to inspect the CPU, memory, network or storage of the virtual machines. In terms of virtualization platforms, VMware leads the way on providing security APIs with VMsafe; however, service providers built on other virtualization technologies have emerging options as well.
For security as a service to be viable, usability has to be priority one. AWS alone has an estimated 50,000 new instances being added EACH DAY. To meet the demand, pricing, self-service expectations, and security expertise of the user base, the security solutions need to be easily managed. The current firewall ACL configuration in today's public cloud IaaS offerings is a perfect example of the simplicity needed. While some security services require very little in the way of configuration (like Anti-Malware), some have traditionally required complex configuration. To be successful, the security services need to be streamlined and automated as much as possible. This may mean using hypervisor security APIs to inspect the VM's contents and build the configuration based on the workload running within.
These requirements present a unique challenge to security software vendors who need to provide rapidly provisioned, multi-tenant solutions with metered usage. Vendors also have to deal with a lack of standards for integration with the service providers, a challenge that may be mitigated over time with efforts to create common security APIs. For service providers, security as a service presents an additional source of revenue and value to their services. Initially it will likely be offered as a differentiator by smaller service providers; however, the market opportunity is large enough that the dominant providers will inevitably join in.
Applying the pay-per-use, dynamically provisioned, external model of security that is popular in FROM the cloud services to security FOR cloud computing makes perfect sense. End-users will have access to the security services they need without the complicated and costly do-it-yourself option, and end up with security just as dynamic as the cloud services they utilize.