As enterprise users seek to offload more and more IT-related functionality to cloud service providers, one area of great activity is security. New cloud service providers have emerged to address a range of security needs — and several of them say they’re seeing growth in the area of 40% to 50% per year or more, despite the economic downturn.
Securing Internet users
Employees are increasingly relying on the Internet for job-related functions. But allowing employees to access the Internet opens an organization up to a range of vulnerabilities.
Some enterprises use proxy servers and other on-site equipment to guard against these threats. But that approach requires a significant hardware and software investment, as well as ongoing IT support. Increasingly enterprises are finding they can save money and enhance security by using a cloud-based approach. Two providers that have arisen to address this need are iSheriff and Zscaler.
“We achieve clean Internet access,” said Manoj Apte, vice president of product management for Zscaler. “We tell them, ‘Point your browser to us and you’re secure.’”
Zscaler offers service worldwide based on infrastructure that includes a network of more than 40 distributed boxes called “enforcement nodes” connected to centralized redundant data repositories. All of a client’s employee Internet usage is routed through the closest Zscaler node, where software developed internally by Zscaler applies security checks such as virus protection and URL filtering. The latter prevents employees from connecting to inappropriate sites such as adult content sites. Zscaler also collects data from the distributed boxes and brings it back to the centralized repository, eliminating the need for a client’s IT personnel to keep track of logs located at individual client locations — a particularly useful benefit for organizations that have many locations scattered across a large geographic area.
Using Zscaler also eliminates the need for IT personnel to manage and maintain software to guard against security vulnerabilities, Apte said. “Our team is always on top of security threats, and they automatically update the specifications within an hour of when a vulnerability is announced.”
Authorized personnel at end user organizations can access an administrative interface to Zscaler to customize policies for the organization. For example, different companies might have different policies about data leakage — the sending of credit card or other information to the Internet.
Zscaler developed its own software so that it would scale to support hundreds of thousands of users. “We had to create it from scratch because there was nothing out there,” Apte said. “Proxy servers made for the enterprise do about 1000 connections per second. We have to do 250,000 connections per second.”
Zscaler sells its cloud-based service directly to end user organizations. In addition the offering is available on a white label basis to other service providers.
Another cloud provider, iSheriff, provides cloud-based security for e-mail communications as well as Web usage.
Like Zscaler, iSheriff developed its own software. “A lot of cloud solutions are three or four products slapped together; our product is home-grown,” said Oscar Marquez, CEO of the company.
iSheriff’s software runs in a distributed fashion across multiple network operations centers (NOCs) worldwide, including dedicated and virtual NOCs, which are shared with other service providers.
One important benefit of using iSheriff rather than handling e-mail and Web security in house is that iSheriff works with multiple security vendors, enabling it to address security vulnerabilities more promptly. “One vendor may find a vulnerability on Thursday and they have 24 hours until they have to announce that they found it,” Marquez said.
Another advantage of using iSheriff is that the cloud provider removes unwanted material such as spam, streaming video and malware before it gets to the customer premises, Marquez said. Often this results in a substantial reduction in the amount of traffic flowing into the company, thereby reducing bandwidth requirements and, more importantly, improving the performance of online applications the client may be providing to its customers.
iSheriff didn’t set out to be a cloud provider. Initially the company planned to focus on selling its software to telcos and other cloud-based providers, and that is still one sales channel for the company. But it opted to become a cloud-based provider itself in response to market demand and as a way of maximizing its return on investment.
Identity management
Viruses and malware aren’t the only concerns organizations face as the Internet becomes increasingly important to their business. As more and more employees use multiple Internet-based applications such as salesforce.com, another important concern is to manage employee access. If an employee leaves an organization, the organization wants to ensure that the employee can no longer access company applications. And if an employee needs access to multiple Web-based apps, it’s more convenient for the employee to be able to log in just once and gain access to all of those applications, rather than having to log on to each one separately.
Symplified is a cloud-based provider that was created with the goal of addressing these concerns. “We have a unified solution across internal and external Web pages, with one point of administration,” said Eric Olden, its CEO.
Symplified’s offering is based on a managed appliance that can be located on the customer premises or within Amazon’s cloud. Even if it is located on the premises, Symplified handles management of the device. Olden likens it to a cable company set-top box, where all configurations and updates are pushed out from the service provider.
An important benefit of using Symplified, Olden said, is that “we give customers the ability to enforce the same audit capabilities for external applications as for internal ones.” These audit capabilities are based on logs that Symplified keeps on behalf of the customer, keeping track of who uses an application and how long the person uses it.
In addition to enterprise organizations, Symplified also sells its service to other cloud providers, which use it to give their customers a single sign-on to multiple cloud-based applications.
Online retail security
Organizations that accept credit cards online have their own unique security requirements, and those organizations are a key target market for Alert Logic. The cloud security provider offers cloud-based security services such as intrusion management, vulnerability assessment and log management, many of which are mandated by payment card industry (PCI) guidelines.
As Misha Govshteyn, chief technology officer for Alert Logic, explained, “PCI is an industry standard put in place by the credit card companies to reduce fraud.” PCI requirements, he said, “mandate that you have intrusion protection capability in place, specify how you handle and test software, and cover physical control in the data center.” Online retailers are also required to collect and retain activity logs. About 60% to 70% of Alert Logic’s business is driven by PCI compliance, Govshteyn said.
“The PCI standard is a fairly big deal,” he said. “It drives a lot of spending. A lot of companies that historically underspent on security are being forced to take it more seriously.”
Alert Logic’s approach is to provide an appliance at no charge to its customers, which is pre-configured before it is sent out. “They just have to rack it up,” Govshteyn said. “It’s a fairly dumb device. It’s just for data collection. Most of our service happens within the cloud.”
The on-premises appliance collects and encrypts data and sends it to Alert Logic’s data center. The provider operates two data centers it built from the ground up that are 100% redundant. The company also provides a self-service dashboard that clients can use, for example, to request reports.
Alert Logic is another cloud provider that developed its own software. Initially the company expected to sell to telecom companies, but as Govshteyn explained, “Web hosting companies have moved in much faster,” and Alert Logic makes many of its sales through them. The company does have several communications service provider partners, however, and although most have not been formally announced, Govshteyn said one of them is VPN and connectivity provider Megapath.
Source: http://connectedplanetonline.com/topics/cloud-computing/cloud-secruity-thrives-062510/index.html
