Will the Real Cloud Security Please Stand Up?
BETHESDA, Md.—I attended TechSec Solutions earlier this year, and I’ve just returned from ISC West, and it’s clear to me that many people still don’t understand the difference between real cloud solutions and products that merely connect to the Internet. It’s equally clear that many vendors are not helping matters, and are in fact actively confusing the market.
Let’s begin by reminding ourselves what the cloud is all about. At a bare minimum, “cloud” unequivocally implies “hosted.” The National Institute of Technology and Standards has published the most widely accepted and universally referenced definitions of cloud technology (NIST SP 800-145), and every one of them includes the concept of hosting.
In practical terms, this key definition excludes systems that merely support connections to the Internet for remote access. Think about it: If Internet connectivity was the main criterion, your PC with an AOL account in 1995 would have qualified as a “cloud system.” In our industry, IP-based security products connected to the Internet solve many important problems, but they are not cloud products in and of themselves. To say otherwise is highly confusing and is a disservice to customers.
A common offender in this regard is the new breed of IP security appliances—not the products, but the marketing. First, let me say that I fully believe there is an important niche for products with an appliance architecture. For end users who can’t yet wrap their heads around the cloud, it’s a comfortable alternative to the complexity and expense of legacy server designs. But making the leap from a local device that can be remotely accessed through holes in the customer’s firewall to “cloud-based system” is a pretty big fib indeed.
A second point of distinction: Simply moving a software application from a local server to a third-party data center does not make it a cloud application.
Here again, we look to NIST to clarify matters: Cloud systems are distinguished by multi-tenancy, metered usage, rapid provisioning and massive scalability. Think about it this way: If you have a server with an old application architecture, and you move it 1,000 miles to someone else’s data center, have you transformed it into a cloud application? No, you have not; in fact, you’re just playing hide-the-server. And hiding the server won’t magically support thousands of end-user organizations (scalable, multi-tenancy) or suddenly be any faster for new users to provision.
Common offenders at the recent ISC event were typically old-line software systems that needed a fresh coat of virtual paint to get gussied up for the show. In one of the more egregious examples I saw, one company claimed to be offering a security system “using cloud-based protocols.” Ummm … that’s just good old IP.
They can call it cloud, but this was just an old-fashioned case of remote access. Clearly, marketing departments are eager to shoehorn the word “cloud” into their publicity and literature. It’s no wonder people are confused.
So, where are the real cloud applications? By category, the biggest emerging crop is in video surveillance, variously known as hosted video or Video Software as a Service (VSaaS).
Many of these are true cloud applications because they are:
b) multi-tenant, supporting numerous customers in a single instance;
c) massively scalable;
d) sold per-camera-per-month as a metered service.
There were many examples of VSaaS at the show and this whole area of the industry is still developing in terms of pricing, features and market fit.
My hope is that as customers become better educated about the cloud, we will see less misapplication of the term. For those of us in the cloud business, it is our job to provide leadership, clear away confusion, and help them along.
Steve Van Till is president and CEO of Brivo Systems, a provider of software-as-a-service applications for security management based in Bethesda, Md.