The Inevitability of Security-as-a-Service

Transcription

1 The Inevitability of Security-as-a-Service The big news in IT over the last few years has been the movement to the cloud. However, the term cloud obscures the real change in the market, of which cloud is only one example: the move toward the consumption of IT as a service. Whether it is Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS), IT is moving away from the traditional software/hardware licensing era into a brave new world of ondemand services. We are seeing Storage as a Service, Security as a Service, and even Everything as a Service. It seems that there is no area of IT where service-based delivery is not being considered. This is not just a fad; it is a transformational movement in IT. For the reasons discussed below, there is little doubt that consuming IT as a service will be the mainstream model in both the enterprise and consumer markets in the near future. Security, as part of the IT space, is subject to this inevitable move. The same factors driving the broader move toward delivery as a service for almost all of IT apply as well to security; in fact security is in many ways particularly well suited to delivery as a service. The overall move toward service delivery of IT does not just parallel the specific case of security, however; the movement of other areas of IT to the cloud and to the service model will both demand and require that security follow the same trajectory in order to fulfill its mission. In this paper we will explore the factors driving us towards IT as a service in in general and security as a service in particular. We will examine why virtual appliances are an evolutionary dead end along the path towards security as a service. Finally, we will examine what security as a service will look like as it fully matures into the dominant form of protecting our assets and providing regulatory compliance. Contents What is Security-as-a-Service?... 2 Factors Driving IT as a Service... 3 Virtualization... 3 Multi-Tenant and Multi- Instance deployment... 4 Elasticity... 4 Ubiquitous, mobile connectivity... 5 Big Data and Storage... 5 Specific Drivers in the Security-asa-Service Market... 6 Security Complexity... 6 Resource Contstraints... 7 Security-as-a-Service is Inevitable 8 Conclusion... 9 About Alert Logic Alert Logic, Inc Yorktown, 7 th Floor, Houston, TX alertlogic.com Alert Logic and the Alert Logic logo are trademarks, registered trademarks, or service marks of Alert Logic Inc. All other trademarks listed in this document are the property of their respective owners. Documents are the property of their respective owners Alert Logic, Inc. All rights reserved.

2 THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, ALERT LOGIC, INC. PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU. This document and the software described in this document may not be lent, sold, or given away without the prior written permission of Alert Logic, Inc., except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of Alert Logic, Inc. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data. This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. Changes or improvements may be made to the software described in this document at any time Alert Logic, Inc., all rights reserved. U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R (for Department of Defense (DOD) acquisitions) and 48 C.F.R and (for non-dod acquisitions), the government's rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement. Alert Logic is a trademark or registered trademark of Alert Logic, Inc. or its subsidiaries in the United States and other jurisdictions. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies. 1 The Inevitability of Security-as-a-Service

3 What is Security-as-a-Service? What exactly is Security-as-a-Service? What are its elements? While the answer may vary from provider to provider there are some elements that will be standard across the board: Delivered as a service, not a traditional hardware/software bundle. This includes the licensing and cost models. Security-aaS should be an OpEx expense, not a CapEx. o Security is consumed in a utility model, with usage adjusting both up and down as needed. Security-as-a-Service providers must have the provisioning, billing, and service tools to support this model, whether offering services in on-premise or hosted environments, or in elastic cloud infrastructure A managed service and additional support should be able to be wrapped around the actual security infrastructure. The need for expertise is a main driver of security to this service model; management and support are key to providing that expertise to users. Go anywhere deployment options that mirror the movement of IT infrastructure to the cloud: o o By the cloud, for the cloud If you are using Security-aaS in a cloud environment it should be built into the fabric of the cloud stack. A good example is the Alert Logic IDS into the Amazon Cloud in partnership with Datapipe. At the same time, Security-as-a-Service must accommodate traditional on-premise or managed hosting environments, including increasingly-common hybrid environments that combine different types of infrastructure. The chart highlights some of the key elements of Security-as-a-Service. 2 The Inevitability of Security-as-a-Service

4 Factors Driving IT as a Service There is no single factor driving the move toward IT service delivery, although certain factors are critical enablers of the move. We will look at the key factors driving what is perhaps the biggest change in the IT space since the commercialization of the Internet, and how business demands and enabling technology have combined to make it possible. We will also consider how these factors specifically drive the adoption of security as a service. Virtualization Perhaps the biggest single factor that enables IT as a service is the rise of virtualization. Allowing hundreds and even thousands of virtual instances to run on one set of hardware saves literally millions and billions of dollars in equipment, space and energy. Tasks that would take racks of servers in the past can now be run in a virtual environment, often on only Why Virtual Appliances Are an Evolutionary Dead End part of one physical server. The advent of virtualization has led to a rush towards virtual appliances. The rationale is that eliminating the hardware will eliminate the overhead of managing physical servers. This is especially true in the security space. Most security appliances were no more than standard x86 boxes running Linux and the security applications. Moving these appliances onto virtual machines made much of this hardware obsolete. However, moving an appliance from a physical device to a virtual platform does not eliminate all of the overhead of the appliance. Provisioning, maintaining and managing virtual appliances can be as resource intensive as managing physical appliances. This becomes a problem in an elastic cloud environment. How would you provision 1,000 virtual security appliances that would only be used for 30 minutes each? On-demand service with shortterm requirements adds yet another layer to the virtual appliance management conundrum. Paradoxically, virtualization can increase management burden. If Security-as-a-Service is to realize its full potential it has to move beyond substituting a virtual appliance for a physical appliance. The security has to be built into the very fabric of the infrastructure, not bolted on virtually after the fact. Instant on provisioning, elasticity and utility consumption are elements of Security-as-a-Service. So while virtual appliances may have been a natural development, in a world of cloud and hybrid environments they are not the solution. While virtualization has existed for some time, it is only with modern hypervisors have we seen performance match enterprise needs. Companies like VMware have catapulted to the top of the technology pyramid by pioneering hypervisor-based virtualization. Virtualization results in huge savings in hardware, energy and other resources because of the efficient utilization of infrastructure that is enables. But it is also the basis for greater flexibility and elasticity, which are cornerstones of the cloud. However, virtualization does not negate the server management overhead. Security serves as a special case in the virtual appliance model. Virtualization allows businesses to run vastly more applications with dedicated databases, application servers, web servers and other components without making major infrastructure investments to support lightly-used applications. Almost counterintuitively, virtualization therefore requires more security devices to manage this security sprawl. These devices must be managed and often require dedicated management consoles and distinct 3 The Inevitability of Security-as-a-Service

5 databases. So while virtualization results in fewer physical appliances, it can result in even more security appliances and associated management overhead unless a holistic Security-as-a-Service approach is implemented. Multi-Tenant and Multi-Instance Deployment While multi-tenancy is sometimes viewed as a byproduct of virtualization, it is not that simple. Confusion arises between the concepts of multi-tenant and multi-instance infrastructure. As a design principle, multi-tenancy allows multiple customers to operate on a common hardware and software stack. In this model usually all aspects of computing are segmented by customer or user, including security. In a multi-instance model, multiple customers share common infrastructure, but unique instances of software, data, and communications channels are required. This is more than a semantic issue; in this model, some aspects of the computing stack including security are not built in. This becomes a key factor distinguishing Security-as-a-Service from virtual appliances, where unique instances are required for each virtual security appliance. The security needs for multi-tenancy include the ability to segregate data by customer and to have hierarchical and privileged based security. These requirements are for any multi-tenancy solution, but are doubly important when talking about security or any personally identifiable information (PII). Many solution providers consider any virtual environment a multiple-tenant instance rather than just multiple-instance. Scalability in a secure manner in a multi-tenant environment is critical. In fact scalability in any cloud environment is critical. This is sometimes referred to elasticity. For Security-as-a-Service to meet these elasticity requirements there must a well-designed architecture that will safely, quickly and efficiently scale to the needs of user base. Elasticity To many, elasticity is the true special sauce of cloud computing. According to NIST elasticity is: Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time. Certainly scalability is one element of elasticity, but elasticity is more than scalability. The on demand aspect, no matter how big or how small and the ability to grow and contract on demand are the elements which give the elasticity and the cloud its appeal. This elasticity is no less a requirement for security. It is also why virtual security appliances and other forms of securing data and resources don t work in the cloud (See sidebar). Only Security-as-a-Service has this elasticity to complement cloud computing. 4 The Inevitability of Security-as-a-Service

6 Ubiquitous, mobile connectivity Virtualization and data center hosting have been available for the better part of a decade; however, they could not fulfill their potential without ubiquitous connectivity. While virtualization, multi-tenancy and modern data centers make as-a-service delivery possible, it is only ubiquitous, cheap connectivity that makes it practical and desirable. Without this connectivity, all of the data center innovation in the world would not enable service delivery. To be truly ubiquitous, connectivity must also be mobile. From 10gb Ethernet at the LAN to 4G cellular access, connectivity now extends to almost any environment, always on, always available, and affordable. This has driven the rise of mobile devices and the changes in behavior that result. The expectation of connectivity in homes, automobiles, and public spaces has driven the requirement that applications and data be available on demand and consumable from any location, and the passing of the torch from the PC to various mobile devices as the preferred computing tools. This has a significant impact on security requirements. As the computing environment scales down to the smallest, most mobile interfaces available, security must scale down with it. Whereas in the past security was oriented around protecting large, relatively static networks, security technology must now function in these smaller environments and installing multiple virtual security appliances on a mobile phone is not an option. The Security-as-a-Service model accounts for this new reality. Big Data and Storage Handling millions of users at a time and billions of data entries an hour has taxed our data infrastructure like never before. New technologies like NoSQL Databases, MemCache and distributed node computing have come to the forefront and attracted attention and venture capital. In the security field, scalability for applications like log management demanded a big data solution. Log collection and management generate such data needs that using traditional relational databases resulted in one expensive failure after the next. Another example is security information and event management (SIEM), where the amount of data generated by even one organization can overwhelm many database installations. In short, traditional security appliances are a poor fit for big data environments. Traditional security appliances cannot scale exponentially as these applications require, whereas Securityas-a-Service can. 5 The Inevitability of Security-as-a-Service

7 Specific Drivers in the Security-as-a-Service Market All of the above are factors empowering the service model of IT, and many of them preclude use of traditional security appliances as effective solutions. They not only make Security-as-a-Service possible, but demand it. But there are also some unique drivers that make Security-as-a-Service inevitable. Security Complexity Simply put, security is hard and getting harder. For all but the largest organizations, a dedicated security team is an expensive luxury. On the other hand, the expertise needed to adequately design, implement and maintain a successful information security strategy is so specialized that a general IT person is not qualified to perform the task. Further, the old moat and castle model of security has grown outdated. The cloud has hastened the deperimeterization of security. Every phone, tablet and device has its own perimeter but yet require deep access to data and apps in order to function. The loss of the perimeter though has not lessened the need or the mission for security. It has changed it and in many ways made it even more challenging. To meet that challenge, again security-as-a-service offers what seems like an inevitable solution. On top of this we have seen the threat vectors multiply in scope and complexity recently. New attacks like Advanced Persistent Threats (APT), spear phishing and web application exploits go far beyond some of the simpler, yet still successful attack vectors of just a few years ago. Another factor making security harder is the better organization of the black hat community. Today there is more collaboration and sharing of knowledge regarding exploits and attack vectors than before. Whether state-sponsored, hacktivists, or organized criminal gangs acting for pure profit, the opponent is better equipped, better trained and highly motivated. This makes the task of information security harder, while at the same time economic pressure makes increasing budgets and resources more difficult to obtain. Compliance Requirements While there is debate about how well compliance mandates address real security threats, it is clear that compliance is probably the single biggest driver of security budgets today. But even the minimal requirements of security compliance are not an easy task for many organizations. Knowing the finer points of the PCI-DSS or HIPAA goes beyond the expertise of the person in IT. Organizations are looking for experts on compliance at prices they can afford and in a way that allows them to check the box as easily as possible. In compliance as in other areas, the move towards IT as a service places new challenges on security. When applications that subject to compliance are themselves SaaS delivered, security should be SaaS aware. 6 The Inevitability of Security-as-a-Service

8 Delivering security and compliance in the same model as applications is the logical way for this to work. Therefore a security solution should be not only SaaS aware, but SaaS experienced. Resource Constraints Shrinking budgets and growing requirements are not new, and the pressure is unlikely to stop. Staying current with existing investments in IT in general and security in particular becomes more difficult. Without specific drivers such as compliance, buying new technologies becomes harder and harder to justify. Staff with security expertise are also harder to come by and more expensive. There is a shortage of qualified, experienced security personnel. At the same time that budgets are under tighter scrutiny, hiring and paying for qualified security experts becomes more expensive. In this environment, obtaining both security technology and expertise as a service is valuable. Expertise that is required but which previously has been unaffordable to many organizations becomes economically practical. 7 The Inevitability of Security-as-a-Service

9 Security-as-a-Service Is Inevitable When taken as a whole the case for Security-as-a-Service becomes not only practical but inevitable. At a time when operating a successful security strategy is more complex and requires more expertise and technology than ever before, the technologies powering IT as a service offer a readymade solution. The general trend of technology hastening the move towards IT as a service plays another role in the inevitability of Security-as-a-Service. With the move to the cloud enabled and accelerated by these same technologies, organizations find themselves moving more and more of their data, applications and IT infrastructure off premises. This move to the cloud demands a new way of implementing security. Traditional perimeter defenses are rendered moot. Lines around public and private data are blurred. Service provider security versus customer provided security issues intensify. Aligning security delivery with overall IT delivery is the only logical solution. Covering this security-as-a-service with a managed security wrapper is likewise the only logical step. The expertise needed to manage and monitor your security and compliance infrastructure is just not core to most businesses. There is a long-held maxim in the outsourcing world. Companies will outsource functionality that is noncritical and non-core. However, they will not outsource functions that are critical and core to their business. They will also outsource functions that are critical but not core to their business. In most organizations, security falls into this third category. Why would organizations where security is not core invest the kinds of resources required to be successful at security when there are companies who have already made that investment and that investment and expertise can be leveraged? No longer do organizations have to invest hundreds of thousands of dollars into software and hardware for security. No longer do organizations have to hire and pay costly, hard-tofind security experts. Monitoring and maintaining your security infrastructure and compliance with rules and regulations can be handed off to experts who have the knowhow to perform the task. There are companies that have already invested in designing and building an instant on security infrastructure that you can place in your environment quickly, economically and successfully. This infrastructure can be monitored and managed by companies that have invested in security research and security monitoring teams. That is part of the promise of Security-as-a-Service. An illustration of this is the fact that even the largest organizations only see threat and attack data from their own organization. A security specialist that provides security across hundreds or thousands of clients has the ability to gather and analyze data across this entire base. As a result their information and analysis is leveraged across this entire base. Virtually (no pun intended) every desktop AV firm does this now with cloud based security monitoring. This same model has equal benefits across many areas of security. The resources and investment in security that a dedicated managed Security-as-a-Service provider focuses on security is usually far more than any one organization is willing to or able to provide. 8 The Inevitability of Security-as-a-Service

10 Conclusion The factors described above have combined in the last several years to make the promise of Security-as-a- Service a reality. Beyond just making it possible to deliver Security-as-a-Service, the new demands driven by virtualization, mobile access, data requirements, and the cloud position Security-as-a-Service is the approach which will allow for the protection of assets and regulatory compliance for data and assets utilizing cloud technologies. True Security-as-a-Service promises to lessen the burden on under-resourced, under-prepared security/it teams at organizations both big and small. As assets continue to migrate to the cloud, Security-as-a-Service will be the logical way to secure them. Security-as-a-Service will also offer more efficient ways to protect and provide compliance to on-premise assets and hybrid models.. Security-as-a-Service is inevitable. 9 The Inevitability of Security-as-a-Service

11 About Alert Logic Alert Logic's patented solutions are the smartest choice for over-regulated businesses with underfunded IT departments to secure networks and ensure compliance. Its cloud-powered managed solutions combine intrusion protection, vulnerability assessment, log management and 24x7 threat surveillance, and are designed to maximize revenue and profit opportunities for service providers and hosting partners. Enterprises experience a solution that addresses network security and compliance requirements at a low price point, with little dependency on IT resources. Alert Logic is based in Houston, Texas and was founded in More information about Alert Logic can be found at 10 The Inevitability of Security-as-a-Service