It’s obvious watching this week’s Amazon event that security was a pretty hot topic. It is probably one of the most significant obstacles in Amazon’s push for the enterprise cloud market. Both Amazon and its ecosystem of partners, vendors, and developers have been working hard to tell a new security story – one where the best in proactive systems, layered security strategies, and a bevy of what’s next cloudified security products work together to provide the best security posture possible for Amazon and its cloud customers. One of those products is Alert Logic. I’ve had the opportunity to discuss the state of security products in the cloud with Alert Logic’s VP of Emerging Products Misha Govshteyn on a number of occasions and he along with others have confirmed the various cloud industry challenges that I wrote about some time ago. One point that he made should not be taken lightly however, and that is the notion of cloud security is complex and currently a shared responsibility due to the architecture. In order to change that some thinking is going to have to be changed from the ground up. Therein lies the key.
The impetus for Amazon’s cloud to succeed in the enterprise lies in continued innovation of cloud security products. Alert Logic is a notable standout because of their cloud-based and open nature, but for the most part, many security products are just extensions, dashboards, and points of presence of archaic brands and security models. That clearly has to change, but that’s just one piece of the puzzle. The other thing that needs to happen is that the enterprise needs to make this move too. CTOs and such have to be willing to evaluate new breeds of security as they emerge. Is it right for them? Can they meet compliance there? Where can the envelope be pushed? Are the benefits worth the risk? Is it worth the fight if I’m looking to retain compliance?
The Compliance and Regulations Issue – Revisited
Compliance auditors work under a strict set of rules, the matter is whether certain compliance rules can be appeased. Or perhaps the rules can be amended or rewritten themselves. It could happen eventually, but don’t look for that to happen anytime soon. Let’s look at one example – I’m fairly close to one of the few on the PCI standards council. Things just don’t move quickly there, it takes time to create, validate standards, ratify them, etc. They just recently in Feb 2013 released cloud PCI guidelines. What that means is changing the notion of compliance from a regulatory standards approach will probably not happen quickly enough for Amazon to leverage anytime soon. No- the customers will have to push the envelope there and that’s all there is to it.
About Private-as-a-Cloud Services, Storage
Some of the things thrown around as answers appear to be interesting workarounds. Take the emerging isolated, customer-controlled storage solutions that are designed to attach to Amazon- pretty neat stuff, and it answers some of those questions for some situations for sure. There are also isolated Amazon EC2 instances that aren’t multi-tenant, well that sounds pretty neat, but both of these really sound a lot like dedicated hosting services. So it’s difficult to see what Amazon’s proposition is to the enterprise when it appears the best solution right now for the enterprise cloud is quite not Amazon-like. Dedicated hosting is a popular alternative in the business actually – very cost-effective, highly-customizable, high-capacity and high-performance. Other solutions are include hybrid scenarios, not really the path Amazon seems to be set on. For an example of that, just look at Zynga, who largely pulled back from Amazon’s cloud last year to do their own hybrid cloud deployment, with an EC2 presence. The move was partially driven by costs, and in doing so they were able to maintain cloud abilities, now having the option to “rent” the spike, accommodating fluctuating capacity needs, and have also reined in control and management over their environment.
Amazon’s Road Ahead
So the question is when it comes to security, how is Amazon going to overcome these notions and challenges at large. To be thorough, Amazon has emphatically stated that security is their highest priority, and by all accounts they have done a tremendous job in securing their environment. For now we will see them to continue foster their partnerships, find ways to get customers into the ecosystem, continue selling their value propositions and continue to step up to enterprise requirements. The ecosystem can contribute by continuing to innovate and develop new ways of thinking about security, make sure it’s easy to use, and encouraging those technology partners to drive these changes. If Amazon gets a foothold pushing dev and test deployments in the enterprise, the stage is set for opportunities where organic, opportunistic growth of enterprise cloud has a chance to occur.