Why Security Hasn’t Moved Into The Cloud (Yet)

Most business technology deployments these days will face the inevitable question: “Why aren’t you doing this in the cloud?” Enterprise-grade security, however, largely remains the exception to the rule. Why isn’t cloud technology playing a bigger role in our security plans?

Cloud security picture from Shutterstock

Gartner analyst Mark Nicolett argues that while we’re seeing the same patterns of convergence in security technology as in many other areas, there are several constraints which mean we won’t see the rapid adoption of cloud-based software for security — even in workplace environments where many apps have been shifted to a cloud solution.

Speaking at the Gartner Security & Risk Management Summit in Sydney today, Nicolett said the primary barrier was that the changing nature of security threats meant that dedicated appliances for specific functions still remained the norm.

“The disruptive force that we’re all dealing with is targeted attacks and the ability to detect them and block them,” he said. “Traditional network security is in-line, real time and we can’t do anything to disrupt the traffic or increase latency. So far that’s worked out OK, but with targeted malware and with targeted attacks we’re finding that those old methods no longer are sufficient. Unfortunately the techniques that need to be employed take a long time. Advanced threat detection needs separate appliances because it’s an entirely different technique.”

“The biggest reason is the packet inspection load. The more functions we enable in a single appliance, the more compute power that is required and deployments of any size require dedicated platforms to maintain scalability and to maintain throughout. We don’t see those restrictions being broken through for the next five years.”

Even when off-site security analysis in the cloud is possible, there can be technical and organisational barriers. “The sandboxing operation doesn’t always deal with pure executables — there may be email content and documents involved, and many organisations won’t be willing to move that up to the cloud,” Nicolett said. “Organisations may also want to use reference images that are known to be deployed, rather than something more cookie-cutter that’s found in the cloud.”

“Another massive inhibitor is organisational boundaries,” Nicolett noted. “Often system are deployed by different operations teams, and detection technology tends to shadow those deployments.”
There are some technologies showing evidence of convergence, such as next-generation firewalls, but takeup is relatively slight; Gartner calculates that at best 8 per cent of the firewall market is in next-generation technologies right now. Secure web gateways are also moving into the cloud, with cloud-based deployments rising from 13 per cent of the current to 25 per cent in 2015, though after that growth is likely to flatten.

Perhaps the biggest area of growth has been in protecting against distributed denial of service (DDOS) attacks. “We started with on-premises DDOS protection appliances, but around 2010 we started to see attacks that overwhelmed local resources,” Nicolett said. “So there’s been a pronounced movement of DDOS protection to cloud based services. With experience, many companies have concluded that it’s more expensive than it has to be, and a good capability and cost compromise would be a hybrid solution.”