How To Stand Out in the Cloud: Build Security and Compliance
Compared with traditional software and infrastructure investment, cloud investments are increasing quickly. Whether you’re looking at models such as SaaS, IaaS or PaaS, growth rates are projected to be much higher than those of traditional IT products and services. Two years ago, for example, Nimsoft surveyed some 800 service providers, and no one expressed interest in SaaS. Recently, a similar poll revealed that more than a third are consuming and deploying "as-a-service" models.
Many leading service providers and VARs are already offering a variety of cloud solutions, and most are planning to expand their offerings. For smaller MSPs and traditional resellers who have yet to make the leap, many opportunities exist—but there are also a lot of risks. Channel decision makers must carefully consider alternative cloud models, target markets and services.
One risk is betting on the wrong cloud model. For example, if you’re thinking about building and delivering Infrastructure-as-a-Service (IaaS), you might want to think again. Established players have turned IaaS into a commodity, to the point where Amazon Web Services is offering EC2 for free. Clearly, that makes it hard to compete and maintain healthy margins.
Another risk is rushing into the market. If you slap a “cloud” label on a solution or service, you jeopardize your credibility out of the gate. Buyers are very leery of “cloud washing,” and—while a cloud label may get you in the door—you’ll be very quickly pushed out the same door if you’re not delivering a legitimate cloud solution.
One key to cloud success, then, is to craft legitimate cloud solutions that are differentiated from commodity IaaS offerings. Such solutions will save you from competing on price and ensure your credibility in the market from the outset. Here is the first of three potential strategies for building credible and differentiated cloud solutions:
Security has consistently been a major barrier to cloud adoption. By delivering a cloud offering that helps clients address their security needs, vendors can gain differentiation and a strong market position. Many common IT security principles, such as applying defense in depth, managing logs, maintaining patches and implementing sound change management policies and procedures, also apply in the cloud.
But the cloud also presents many unique security challenges. That is particularly true of multi-tenant cloud environments, where the data of different organizations and teams can commingle on shared computing resources. Consider one example: to pursue a case, an investigative agency is granted a subpoena to search a corporation’s files, including those held in its cloud provider’s environment. By granting this agency access to its multi-tenant servers, the cloud provider may ultimately be handing over the files of a number of other clients as well, which could have security, privacy, compliance and contractual implications. Those are the kinds of scenarios that keep security professionals leery of moving to the cloud.
Another factor to consider is compliance: the range of mandates in place and their differing demands. The scope and complexity of addressing common compliance mandates in the cloud can vary substantially. At one end, addressing a mandate like Sarbanes-Oxley is fairly straightforward. Achieving compliance with the Payment Card Industry Data Security Standard (PCI DSS) is more challenging. The Health Insurance Portability and Accountability Act (HIPAA) is at the far end of the spectrum. Whereas PCI DSS governs the use and security of specific data sets, a health care environment regulates a wide range of assets, from x-rays to forms, which makes the task much more complex. When it comes to HIPAA and the cloud, many organizations are opting to set up dedicated virtual private clouds or private clouds to address the requirements.
As organizations set about implementing compliance and security infrastructures, they should be realistic, and not take on too much too quickly. It’s good to focus on a specific mandate, establish success, and build from there. It’s also important to leverage industry standards to ensure that security and compliance services are sustainable. PCI DSS is very prescriptive, and many of its policies represent best practices, regardless of whether an organization is regulated by the standard. However, most service providers would be well served by using the ISO/IEC 27000 standard, which provides an even better operational baseline to address many compliance objectives over time. As they’re building out these security and compliance services, vendors will also need to be aware of the Statement on Standards for Attestation Engagements (SSAE) No. 16, a standard for reporting and validating the processes in place. SSAE 16 supersedes the earlier standard, Statement on Auditing Standards (SAS) No. 70.
Stay tuned for strategy #2 on Friday.