Here is a funny one: why so many security professionals (and leaders) still hate the cloud?
OK, OK, I get it, many of you want to respond to this with a WHAT YEAR IS THIS? meme right away, but let me finish…
To set the context for this, I am not talking about business use of cloud, but cloud use by security tools. In essence, this is about SECURITY FROM THE CLOUD, not security for the cloud.
Now, admittedly, the times have changed. SaaS SIEM is finally here and recent advances all look likely to make this model more popular. In some segments, like say vulnerability management, all relevant vendors have switched to cloud backends or, at least, will deliver new features to their cloud-delivered tools only. SaaS delivery became a default for SWG and SEG. Appliance-based CASB (yes, that really existed, this is not a joke!) has long died. Cloud backends and other forms of cloud-delivered management came to EPP, firewalls, etc (“By 2025, cloud-delivered integrated EDR and EPP solutions will grow from 20% of new deals to 95%.” is from this paper)
In fact, our inquiry streams have seen plenty of “cloud first” [for security] and even an occasional “cloud only”, a new form of a cloud-lover. Clients with no datacenter presence and hence with no chance (or desire) for on-premise security tools are here to stay – and grow.
However, cloud-haters still abound. Who are they? Why are they hating? What will happen to them?
Some examples I’ve encountered are:
- Geopolitical: there is some hating that is not focused on the cloud itself, but on a cloud hosted in (data residence) or run by (data sovereignty) a vendor from a particular country. Some don’t want US-run cloud EDR. A few perhaps will mistrust a Russian-made cloud-managed EPP. Some may doubt a Chinese cloud backended SIEM.
- Legal/compliance: sometimes real, but often imagined, claims that some compliance mandate prevents security cloud use have been on the decline, but I hear that GDPR gave them a new lease on life (cloud UEBA anybody? Nope, not if the vendor cannot vouch for personal data in scope for this mandate)
- Third-party trust: there is definitely hating focused on “others” or “aliens” (i.e. not us) running security capabilities and, especially, 3rd party personnel touching or even having a theoretical ability to touch my security data. My suspicious is that this is on the decline, but can be seen sometimes [how these people can trust their OS vendor or an outsourcer, I have no idea…]
- NIH’ers: some dislike cloud-delivered security simply because they think they can do it better, following the “not invented here” logic. Frankly, few can – but a few actually can. Are you one of the latter few?
- Comfort/past: some hate it simply because they have hated it before, and know no different. Appliance past is comforting to some network security pros, it really is. After all, lugging those 4U boxes around made you fit…
- Edge cases: there is more legitimate dislike of cloud delivery if your IT is somehow peculiar (often disconnected, on low bandwidth links, located in space, under water, inside a secret volcano lair, etc) and cloud simply isn’t there for you.
- Bad security at some SaaS security vendors: the details here are self-censored 🙂
- Irrational fears: this is my last bucket where I pile all the rest of the cloud hating, that is hard to categorize.
Any others you see?
Finally, what can break the backbone of most cloud-hating? In my opinion, there is one thing: SaaS/cloud – based tool effectiveness.
But not just increased effectiveness, but increased dramatically! Here is a hypothetical example: will you use a non-SaaS SIEM if a SaaS one is so smart that it detects threats 3X better and 5X faster (arbitrarily defined), while being 2X cheaper and 100X easier to manage? Can you justify a local EDR install, if an EDR with a cloud brain will detect 10X more threats without any effort on your behalf?
Thus, I think most if not all of the above arguments will crumble, if the cloud-delivered security capabilities will prove not just easier to manage (they are that today), but dramatically more effective. Note that IMHO for this to work, they have to be dramatically better and not just better or cheaper…