Cloud providers recognize the need for security, but their response tends to leave large security gaps that must be filled by channel partners or end customers. When these gaps go unnoticed, they can often result in dangerous security vulnerabilities that attackers can easily leverage.
In the case of Amazon Web Services, for example, the provider takes on the security component for the lower portion of the stack, going up to the hypervisor. The customer, or the channel partner, is then responsible for everything above the hypervisor.
"They call it a shared security model," said Chris Mullins, marketing director at Alert Logic, which has been an Amazon partner for slightly more than a year. "This is how it works with most providers, with the exception of some large integrators that may do the full security solution. But the higher they go up the stack, the more dollars they charge you. Amazon tends to be pretty clear about what they do, but sometimes they may not be as explicit about the customers' responsibilities. The customers need to know their own requirements, which may be about their own policies, or may be required by standards bodies such as HIPAA or PCI."
[Related: 9 Key Concerns That Block Cloud Sales]
Mullins went on to explain that this situation offers a solid opportunity for channel partners to build a practice around security in the cloud. He added that many of the traditional security vendors have been remiss in building adequate cloud security solutions, and it is up to the partner to help sort through those offers, including the ones that may not be coming from major brands.
"I think a lot of the traditional security vendors have lost their way a little bit when it comes to the cloud," he said. "They may have virtual appliances or other products that are built on the foundations of their data center products, but they usually don't have the scaling capabilities or the APIs that really leverage the Amazon environment in the way it's intended to be used. The products that are built with the cloud specifically in mind tend to work better. But some of the companies that are doing this are not exactly household names, so corporate buyers tend to be reluctant to buy them, even though they're objectively better. So channels need to be well versed on the performance drivers and the corresponding control components."
Mullins recommends that channel partners invest time in evaluating the different offers that come from a variety of different sources, particularly those that are purpose built for the cloud.
"Security is a huge part of the cloud discussion," agreed Pat Grillo, president of Atrion Communications Resources of Branchburg, N.J. "We're having a lot of success helping people secure their services. We're pretty much covering everything from one end to the other. We're doing the edge, we' re doing the core, we' re doing the cloud, regardless of what the cloud providers bring to the equation in terms of security."
NEXT: Same Threats, Different VenueBut a certain dichotomy exists in a situation where different parts of the security value proposition come from different parties, yet security is something that is best treated in an integrated fashion.
"I think vendors are addressing it, but the truth is that security needs to be an inherent and integrated part of everything we do," said Gregg Pruett, general manager of Idaho-based CompuNet. "I think for now it probably does make sense to have the cloud provider handle security from the hypervisor on down. We will see how well Amazon does with this aspect. But the cloud is the perfect place for a security practice because it touches everything."
According to JD Sherry, global director of technology and solutions at Trend Micro, channel partners should build upon the security skills they learned through traditional resale.
"You can't jettison the best practices developed during the days of running your own data centers," he said. "These best practices need to be applied to the cloud, and security collaboration between the partners and the cloud providers brings a major opportunity for success."
"Cross-site scripting and SQL injections and zero-days will continue to happen, and they're going to be scary," he continued. "It's up to the partners and the customers to mitigate risk. Our adversaries are talented, and they leverage unpatched vulnerabilities. Security needs to be a fundamental attribute."
PUBLISHED MAY 3, 2013