You can get many different services in the cloud these days, and cyber security is among them. Cloud service providers will now take care of everything from email scanning through to watching where your employees surf (and stopping them from going there, if necessary).

Most of them claim to do a better job than the average small business can using their on-premises gear. On the other hand, cyber security is a mission-critical issue for all companies. Should they entrust something so important to a third party, when the jury’s still out for many on the safety of cloud services?

The market for cloud security services is certainly on the rise. Infonetics Research, part of IHS, said in April 2015 that the market was already large, reaching $7.2bn in 2014. That’s up l.5 per cent from $6.3bn in the prior year. Just under half of the managed security services were cloud-based, with 54 per cent still using remotely-managed customer premises equipment. The research firm expects cloud services to tip the balance in 2018.

“We are seeing virtually every type of security becoming either cloud-based, or local code managed by cloud operations centers,” confirmed Jim Reavis, CEO of the Cloud Security Alliance. “So antivirus, spam, intrusion detection, firewalls, and forensics can all be managed by cloud providers.”

Two classes of cloud security service

We can break cloud security services into two main kinds: traditional, and hybrid. Traditional security services are those that service providers can give you without having to fondle your data or applications. Online web protection, log analysis, and malware scanning are good examples. They might need you to point your routers to a different DNS address or alter your MX records, but that’s mostly it.

Hybrid cloud security services need you to get a little more intimate with your provider, because it’ll be dealing with on-premises data. Unless you’re a greenfield site with no IT department at all, you’re likely to retain some on-premises data. The more clever you want to get with cloud-based security services, the more you’ll have to tinker with it. One example is identity and access management.

This can be taken online, enabling it to be delivered as a network service across all of your apps, rather than bolted to the front of on-premises legacy software. But the odds are that you’ve got some on-premises apps that you don’t want to send skywards, so that cloud IAM might need to integrate with Active Directory on your site, creating another layer of complexity.

“There’s the stuff that’s easy to bolt on from the outside, but then you have the more fully featured services, where the data is out there and there are more granular services around it,” said Kevin Dowd, chairman of CNS Group, a cybersecurity consultancy. “There’s definitely a barrier to fully consuming that type of service.”

In addition, the cloud is also creating entirely new categories of security service. One example is the Cloud Access Security Broker (CASB), which sits between a customer’s systems and the cloud service provider. Often in the cloud themselves, CASBs enforce security policies for cloud services, including encryption and single sign-on authentication. Cloud-based data loss prevention can also overlap with this category.

Companies with hybrid cloud and on-premises security needs should think about latency, too. Cloud security services supporting local processes can’t really afford to slow down or go down.

Is your security provider secure?

There are some challenges for SMBs depending on the kind of security service they want to port to the cloud. If your cloud security provider is scanning and storing your documents and email, then that becomes a big issue. Data sovereignty applies here just as much as elsewhere.

Many cloud-based security services will be more interested in metadata, though, which, while still sensitive, isn’t of as much concern as real business content, he points out. Vetting your cloud-based security service provider is therefore just as important as it is for your IaaS or SaaS provider. Using something like the CSA’s Cloud Controls Matrix is a good place to start.

As with any outsourcing process, it’s useful to clean house internally before handing it over to a third party, say experts. Dowd reckons that most companies he sees have little idea what data they’re storing or where it is. Auditing that, and then closing any loopholes, is an important early step. Then, conduct a gap analysis to see what security steps you need help with, added Reavis. “SMBs need to look at what types of security capabilities they have in house without calling in cloud security service providers, and realize that cloud is almost always a security upgrade,” he said.

DevSecWhat?

There’s another level of cloud security service which goes beyond bolt-on and hybrid, and that’s native cloud. Eventually, if you get good enough at using cloud technology, you’ll see it fuse with your internal IT processes to become a platform that just pervades everything, whether on-premises or off, up and down the stack. You’ll be using cloud APIs to stand up infrastructure for your workloads.

“We are moving from the concept of managing servers to managing services, which are much more transient,” said Reavis. “Some are calling this new paradigm DevSecOps, which I would describe as using agile, cloud-based technologies to address security issues.”

Where DevOps focuses on automating operations and development, DevSecOps automates security, too, moving it from something that’s slow and conservative to something that’s seamlessly linked to development and deployment. There’s a nascent maturity model for this stuff, then, which sees bolt-on services at the bottom, hybrid cloud security in the middle, and cloud-native stuff at the top.

The more that cloud principles such as API access to infrastructure make their way into your organisation, the easier it’s going to be to do more advanced things with cloud security. The most mature layer of that model is a highly sophisticated version of cloud-based security. But before cantering headlong into that future, most SMBs will need to trot along for a bit with the basics first.