Cloud providers recognize the need for security, but their response tends to leave large security gaps that must be filled by channel partners or end customers. When these gaps go unnoticed, they can often result in dangerous security vulnerabilities that attackers can easily leverage.
In the case of Amazon Web Services, for example, the provider takes on the security component for the lower portion of the stack, going up to the hypervisor. The customer, or the channel partner, is then responsible for everything above the hypervisor.
"They call it a shared security model," said Chris Mullins, marketing director at Alert Logic, which has been an Amazon partner for slightly more than a year. "This is how it works with most providers, with the exception of some large integrators that may do the full security solution. But the higher they go up the stack, the more dollars they charge you. Amazon tends to be pretty clear about what they do, but sometimes they may not be as explicit about the customers' responsibilities. The customers need to know their own requirements, which may be about their own policies, or may be required by standards bodies such as HIPAA or PCI."
[Related: 9 Key Concerns That Block Cloud Sales]
Mullins went on to explain that this situation offers a solid opportunity for channel partners to build a practice around security in the cloud. He added that many of the traditional security vendors have been remiss in building adequate cloud security solutions, and it is up to the partner to help sort through those offers, including the ones that may not be coming from major brands.
"I think a lot of the traditional security vendors have lost their way a little bit when it comes to the cloud," he said. "They may have virtual appliances or other products that are built on the foundations of their data center products, but they usually don't have the scaling capabilities or the APIs that really leverage the Amazon environment in the way it's intended to be used. The products that are built with the cloud specifically in mind tend to work better. But some of the companies that are doing this are not exactly household names, so corporate buyers tend to be reluctant to buy them, even though they're objectively better. So channels need to be well versed on the performance drivers and the corresponding control components."
Mullins recommends that channel partners invest time in evaluating the different offers that come from a variety of different sources, particularly those that are purpose built for the cloud.
"Security is a huge part of the cloud discussion," agreed Pat Grillo, president of Atrion Communications Resources of Branchburg, N.J. "We're having a lot of success helping people secure their services. We're pretty much covering everything from one end to the other. We're doing the edge, we' re doing the core, we' re doing the cloud, regardless of what the cloud providers bring to the equation in terms of security."
NEXT: Same Threats, Different Venue