When corruption and chaos began to tear Gotham apart, the city turned to one of its own for protection. As Batman got stronger, so too did the enemy, and the fight raged on until near destruction point. IT has found itself in a similar position -- as hackers and attackers wreak havoc on the industry, businesses have been looking for a watchful protector to secure their assets. Is security-as-a-service the IT industry's Dark Knight?
Okay, so comparing the IT industry to the Batman series may seem a little odd, but consider the aspects. In Christopher Nolan's 2005 adaptation of the Batman comics, Batman Begins, Jim Gordon says that Bruce Wayne's benevolent Batman alter-ego has really started something among the criminals in Gotham. Gordon explains that the more sophisticated the weapons get and the more intimidating the defence becomes, the villains always go one better. This can be likened to the IT industry, which has seen heavy fire in recent years as hackers and cyber-criminals continue to find new and ever more devastating ways to infiltrate businesses electronically. Attempts to quash these attacks and curb the risks have been costly and time-consuming, and it appears as though they haven't always been successful.
Look back to Saudi Aramco, one of the largest companies in the world, and victim of a cyber-attack so fierce that it stands as the ultimate reference in today's security handbook. In Nolan's 2008 sequel, The Dark Knight, Harvey Dent explains to the people of Gotham that the night is darkest just before the dawn, and that the dawn is coming. Is that dawn for the IT industry an externally managed security model?
Many areas of IT are leaning toward offerings as a service, freeing up space, cost, time, and manpower. Security-as-a-service (SaaS) is certainly no different. However, unlike other hosted services, security poses many risks.
Hani Nofal, Director of Intelligent Network Solutions, GBM, claims that industries in the region are facing a more sophisticated threat.
"The evolution of the security landscape in the Middle East over the past 12 to 18 months will have a significant impact on how consumers will accept SaaS. The security challenges have evolved in the region due to the technological advancement, which has increased the complexity of cyber-attacks," he says.
"Protecting organisations requires a diverse set of security expertise. Recruiting and retaining experts in operational roles is not easy due to skill shortages and the perception that the assignments may not be challenging enough. SaaS-based services help to overcome these challenges through the use of automation and cloud, with additional benefits of lower costs, flexible deployments and innovation," says Lucius Lobo CISSP, Vice President Security Services, Tech Mahindra.
Eat in or take away?
Nicolai Solling, Director of Technology Services, help AG, claims that cost isn't really the aspect of SaaS that organisations should be focusing on.
"One of the major misconceptions is that managed services, specifically security-related managed services, is just about cost-savings. In fact, it may not be cheaper than in-house operating environments. However, the benefit of SaaS is that the services can often be operated better than in-house offerings," he says.
"Another thing, which I hope SaaS will deliver on, is taking the cross-organisational attack information and applying this intelligence across the environments they are operating. Once an event in one organisation creates protection for another organisation, then SaaS becomes truly valuable."
Jatin Sahni, Vice President, Large Enterprise and Business Solutions Marketing, du, believes that traditional in-house security has also created its own barriers, which managed security services (MSS) now must overcome -- another benefit of switching to a managed model.
"The traditional in-house security has many barriers to overcome. It requires lengthy time to procure, deploy and integrate the security to the business processes. The in-house security cannot keep up with the emerging threat landscape and advanced persistent threats," he says.
"The SaaS provider has state-of-the-art technologies, a skilful team, threat intelligence, agile processes, KPI/SLA-driven deliverables and, more importantly, fast response capabilities to security incidents. These capabilities can be easily provided to enterprise with seamless integration of enterprise business processes with a fraction of the cost of total security investment of enterprise."
Concerns in outsourcing
Outsourcing all of an organisation's security leaves it under someone else's control, and its fate is ultimately in someone else's hands, says Osama Al-Zoubi, KSA Country Lead, Senior SE Manager, Cisco, who questions some of the concerns facing SaaS.
"Take, for example, a service provider with 1,000 customers. If they are hacked then everyone is compromised -- that's 1,000 customers hacked. So these providers become a far more attractive attacking point," he says.
Natalya Kaspersky, CEO, InfoWatch, points toward more recent security stories to stress the importance of SaaS providers' safety guarantees.
"The main risk is confidential data leakage, and the cost of such leaks is usually very high. To prevent these incidents, companies must encrypt their information. And now as we hear about the scandals with American secret services spying on users' emails, companies should be even more careful about storing their information in the cloud," she says.
"There is also a legal issue regarding the responsibility for the information security in the cloud. Neither SaaS providers, nor their customers, want to take the responsibility. This problem can be solved by attracting insurance companies into the process. As for regulations, they are different from country to country. In some countries, they are strong, but in some they are not."
Rohit Kumar, co-Founder, Paladion, finalises the concerns with SaaS providers. "With due credit to all its benefits, SaaS, if not evaluated properly, could have a serious shortcoming: single point of failure (SPOF)," he says.
"This is the responsibility of the vendor providing the SaaS. Unfortunately, not all managed security services (MSS) are created equal. There are instances where even basic software/hardware vendors label themselves as MSS providers hoping to leverage the buzz around the term."
Adapting to the future
Aside from the concerns with SaaS, it does appear as though vendors are making the leap toward products as a service, made available through the cloud, and security isn't going to be the exception.
Taking traditional hardware products and delivering them as a pay-by-use service is no doubt the future market model for vendors, but how does this change the way in which these vendors and their partners approach the market?
"There is a need for transformation of the business model of vendors, to meet the market demand," says Jatin Sahni, du.
"Cloud adoption is slow in this region, however there is a trend that enterprises and SMEs are moving towards trusted cloud providers who have robust and mature security services and governance processes in place. Vendors or service providers who leverage the security as a differentiator to their core offerings will capture the trust in the market."
Miguel Braojos, VP Sales, SEMEA, SafeNet, believes that taking standard traditional hardware products, which include security encryption, is a tough task for vendors, and lays out areas in which he claims they can improve, moving forward.
"As organisations seek to bring traditional hardware encryption approaches into cloud and virtualised environments, these technologies present security teams with a range of challenges. Most significantly, these solutions take too long to deploy. In virtualised environments, resources and workloads can be frequently and quickly initiated, migrated, and terminated. Traditional hardware-based approaches to encryption simply take too long to implement -- making them impractical to employ in these dynamic environments," he explains.
"Exacerbating matters is the fact that encryption in many organisations has been deployed and managed in a disparate, isolated fashion. In traditional data centre environments, this isolated management of encryption breeds inconsistency, security gaps, and inefficiency -- those issues only grow more pronounced in cloud and virtualised environments. These are all areas where traditional vendors need to improve."
Dr Tamer Aboualy, CTO, IBM Security Services, points to a more regionally focused element of evolution that vendors must respond to: "In the context of security services, traditional vendors need to focus on understanding the evolving changes in global customer demands, but not forget the criticality of understanding regional requirements. Ongoing investment and innovation is also mandatory. This can come in the form of building within, purchasing, or partnering."
It appears as if providing a solid security service is a more challenging task than first thought. However, end users seem insistent that software services are no doubt the future model, and security will follow that trend.
Much like in Nolan's trilogy-concluding movie, The Dark Knight Rises, Gotham City eventually realises that Batman is a symbol of hope, and not one of disruption and chaos. The IT industry seems to be siding with software-providing vendors, too, and security-as-a-service may just be its Dark Knight.