Kelly Kavanagh is a principal analyst in Gartner Inc.'s information security and privacy program, focusing on professional and managed services for network and Internet security. He spoke with writer Colleen Frye about cloud-based managed security services.
ChannelPro-SMB: Where are we on the adoption curve of cloud-based managed security services?
Kavanagh: Different controls have different abilities to be delivered through the cloud, and different adoption by users depending on requirements, price, and alternatives. URL protection plus content/malware filtering for Web browsing, delivered via a service - we're seeing good adoption and expect more. [Also] vulnerability assessment. That sometimes requires a device but it's completely managed via cloud and a service provider. There's a lot of traction in the SMB space, especially around PCI compliance.
What we also see growing is more application testing, not just scanning applications for vulnerabilities, although that's part, but also looking at coding, determining whether there are security vulnerabilities in the source code. So a dynamic and static application testing service is amenable to cloud delivery.
A classic common element that would mitigate adoption rate is availability of service. Kelly Kavanagh, Principal Analyst, Gartner Inc.
ChannelPro-SMB: Is there a downside to cloud-based security controls?
Kavanagh: All I just mentioned, for different reasons, you can find resistance to in terms of adoption. A classic common element that would mitigate adoption rate is availability of service. If you've got a network-based service that provides an important security function, then you've got to ensure it's available at a rate that's acceptable for supporting the underlying business process. Network-connected services have downtime associated with them. Another thing, you have to meet responsiveness requirements both on the network side and on the service provider side.
Another factor, many customers have got some controls implemented with the technology on their premises. If you've got something in place for the enterprise network it may duplicate management and policy enforcement capability, or you need controls that have a unified view across the enterprise and cloud security so you don't have duplication.
The last element, cloud-based security, can break your monitoring machine. If you've got an ID management cloud-based control and enterprise ID management deployed, a monitor scheme to find out what users are having access to would have to incorporate both of those technologies. That's more cost, or in some cases you can't do it yet.
ChannelPro-SMB: Can cloud-based security controls help SMBs improve their security posture, which is often lacking?
Kavanagh: [Yes], especially where security controls can be incorporated into a service the SMB is buying anyway. If you're buying cloud-based backup or network access, if you can get security controls associated with that service and wouldn't otherwise have it, that is a way to improve your security posture. Lower system management is involved, the service provider is taking care of it, you're not incurring those labor costs and expertise, and you're getting a security control that you might not [have] otherwise.
The other reason, the service provider can update those controls, and they're available immediately to all users. There is no upgrade process, you don't have to pull in a release and go through testing. It's typically deployed in a way to be very current and low impact to customers, assuming it doesn't break something.
ChannelPro-SMB: Is managed security services a good opportunity for the channel?
Kavanagh: One phenomenon with SMBs is they do have an affinity to buy from who they already buy from. If you've got a business process or IT or a network management service delivery operation and your customers are SMBs, adding security capabilities and services to that offering often means you've got that potential buyer and relationship already.
Also, a cautionary note for those services that are threat facing: There is real value to be added by security expertise, whether it's configuration of technology or aligning protection against the most current threats. That expertise is not widely distributed in the marketplace. [Customers] do need to be cautious about saying folks who host [their] website are to handle [their] security as well. Do due diligence. Customers need to make sure they're getting security expertise, not just somebody who's got a security practice because they hung a shingle.