Security and Compliance vs. Cost: How It Works in the Cloud
Cloud has gotten us used to a cost model in which increased usage corresponds to increased cost, and vice versa. Even with private clouds, where cost is more predictable, the same correlation holds, though perhaps not as drastically.
The problem is that, by and large, security in a cloud context does not follow the same cost model. To implement certain layers of security, a lot of work has to be done up front: your mindset has to be geared towards making your application and infrastructure security driven from the start.
And these are costs that are fixed — or at least they are at most providers. The biggest shift that’s happening today is that savvy cloud providers are realizing that security at its current cost is increasingly a major hurdle for potential new business. All businesses need security, but your average SMB can’t necessarily afford it (whether at all or to a certain degree). Paying $1000/month for servers and $5000/month for security on top of that presents a difficult, if not altogether disagreeable cost condition for companies looking at the cloud.
The big shift occurring is really that the security cost model is beginning to conform to the cloud cost model. Logicworks, among other cloud providers, now has a security and compliance offering that is priced on a per-server basis rather than as a fixed cost.
This is not to suggest that the security technology has become commoditized in the same way that cloud technology has developed, so the cost savings aren’t being passed along from that perspective. Rather, cloud companies are taking a gamble, effectively eating the cost, with the belief that the customer will be successful.
This becomes very beneficial for cloud consumers, and it can be beneficial for the cloud providers as well. Consumers are able to access infrastructure AND security tools at a lower cost. Cloud providers accept the up-front cost for a year on (let’s say) 50% of the security model, but once the client grows, they are able to recoup that cost. However, if a business fails after a year, the cloud provider is out for more than just the loss of a client.
Where security is concerned, however, usability is key. Security must be a consideration baked into the application even before a business comes to a cloud provider. One of the biggest mistakes companies make is that so many of those that require security and compliance simply do not take those necessities into consideration, whether through lack of knowledge or by simply ignoring the need. Any time a business is dealing with personally identifiable information (PII) it needs some sort of compliance.
A company might not necessarily fall under a regulatory body, but it owes it to its customers to have some kind of security focus to protect that data. Many interactive media and social gaming companies, for example, may not be transacting credit cards, and therefore don’t require any PCI compliance protocols. However, they do hold their users’ personal information – emails, addresses, web behaviors, etc. – which should necessitate a focus on security and compliance, because that data could be used in identity theft, different types of fraud and social engineering.
So how do you balance all the different needs where security, compliance and usability are concerned? For many companies, the amount of knowledge available can be overwhelming and opaque. But a cloud provider can help; all a business needs to do is ask.
There’s a perception in going to any type of provider, whether a cloud provider, a car dealership or anything else, that if you don’t know and you ask, they are only going to sell you something. However, cloud computing companies aren’t car dealerships. They have a vested interest in being a real partner to your business. They succeed when you succeed, so they don’t benefit by selling you services you don’t need.
Cloud providers also take on a tremendous amount of liability for every new client they have who has security and compliance concerns. Amazon, Google and Microsoft might not have the same level of sensitivity (just look at their notorious SLAs), but managed service providers take on liability for clients who need compliance – they need to tell companies that need it to get it, and correspondingly, those businesses need to respond to ensure that they are secure and compliant. Businesses that don’t put themselves, their customers and their partners at risk. And since cloud providers (in a managed service capacity) are partners, they have a vested interest in ensuring that their clients are well protected.
By Jake Gardner