Phil Bertolini, deputy county executive and CIO for Oakland County, Mich., says this may be the year that more states and localities use the cloud for security services. “As long as the software is reliable, there’s no reason to manage a routine task internally like security scanning,” says Bertolini.
Oakland County developed Government-to-Government Cloud Solutions, a county initiative that provides payment processing and website services to state and local government. Earlier this year, G2G began with major security makers to deliver cloud-based security services to its customers.
“We’re looking at offering security as a service through the website, and I figure that it’s something the county could take advantage of as well,” Bertolini says. “While this may start off with small and midsize government agencies, I think larger agencies will also see the value proposition of security in the cloud.”
Phil Hochmuth, an IDC analyst, says public sector agencies realize savings from running a cloud security service across hundreds or thousands of machines.
93% The percentage of organizations surveyed that are at least discussing cloud services
SOURCE: “Avoiding the Hidden Costs of the Cloud: Global Results” (Symantec, 2013)
“There’s no physical patching or maintaining, and all the security gets managed centrally,” Hochmuth says. “In many ways, there’s more of an assurance that the staff are actually using the security features. Especially as organizations move to the bring-your-own-device model, these types of cloud-based security products make an unmanageable situation manageable.”
A Cautious Approach
Michael Hamilton, chief information security officer for the city of Seattle, acknowledges the potential economic and efficiency benefits of security in the cloud. However, he describes offerings from security manufacturers such as updating virus definitions in the cloud or hosting a blacklist of websites as “half measures” that don’t attack the full challenge.
Before Hamilton signs on for security in the cloud, he says the major providers such as Amazon, Google and Microsoft must provide more security assurances. “The kind of features the security manufacturers offer are fine, but I really need an assurance from the primary cloud provider that the security I’m getting in the cloud is similar to the security I deliver to my organization in-house,” says Hamilton. “I’m not saying that the cloud provider has to give this to me; what I’m saying is that they are in the best position to host a security service.”
IDC Analyst Phil Hochmuth identifies four trends that are driving security software as a service (SaaS) deployments.
- Mobility and the consumerization of IT: As more people bring devices to the workplace, IT departments tend to lose control. By giving IT pros the ability to centrally manage security, SaaS offerings will help them protect mobile data more effectively.
- The growing importance of identity and access management: The more organizations depend on mobility and remote access, the more IT departments will find identity and access management services critical for maintaining data security and control.
- The emergence of hybrid security models: While most large organizations manage most of their security in-house, IT shops will increasingly turn to cloud-based services such as Trend Micro’s Web Reputation Services, which maintains a list of infected websites in the cloud and blocks users from accessing them.
- Cost-saving pressures: Organizations seek to offset the overhead of managing basic security services such as antivirus and antimalware by sending them to the cloud. SaaS technologies will continue to offer lower deployment and operational costs than on-premises solutions.