Chapter 4. Next Steps for Businesses
Some companies have already moved their threat protection to the cloud and their security services to third parties. Those that haven’t are likely considering a migration away from on-premises hosted applications and on-premises security management. For many companies, it’s a question of control. Relinquishing control over infrastructure, security, and personnel is difficult. In this chapter, we discuss our predictions about how these transitions might take place for companies of different sizes.
Moving to the Cloud
We believe that companies will transition security services and web application threat protection to reside closer to the applications in the cloud. The trend toward moving security to the cloud is not a surprising prediction. But what’s surprising is how we’ll get there. The transition is a multiphase one. A first step is private cloud. Web applications will continue to reside in corporate demilitarized zones in the short term. As companies grow, demands on infrastructure grow, and further commoditization of cloud services continues, the public cloud, or at least a hybridized version of it, will prove too compelling to ignore.
Moving security services and support closer to where the applications reside makes sense on multiple fronts. For example, companies won’t need to have a demilitarized zone, which is a security problem because it provides a certain amount of access into the corporate network. After services and security are moved to the cloud, corporate security can be tightened to allow only outgoing access because there are no corporate-hosted services that require access through a corporate firewall. This move greatly enhances internal network security.
Another example is that criminal hackers, hacktivists, and advanced persistent threat groups might infiltrate or compromise a portion of a corporate network, but the highly secure business applications will be protected off-site and separately from other internal corporate assets. Responsibility for data theft will shift to the third-party providers who are responsible for protecting their customers’ data.
The transition from traditional, internally supported web applications and internal security to the cloud and to third-party providers is the direction many businesses have taken. But this does not shift all of the responsibility, compliance requirements, or damages to a third party in the case of a breach or a compromise. Although some downsizing of IT and security departments is a possible side effect of a cloud initiative, it will not altogether alleviate the need for in-house trained professionals. Businesses must retain trained security and IT professionals to monitor, inspect, and occasionally audit their third-party providers.
We foresee, over the next three to five years, that large companies will transition toward cloud-based security, managed security services, and support models—transferring the bulk of their compute, hosting, and security operations to third-party providers. Small to medium-sized businesses, being more agile and less entrenched in on-premises solutions, will make the transition much faster and with fewer barriers. Startup, cloud-native, and so-called “virtual” companies will launch in the cloud and likely never own or control their own infrastructures. All security, IT, and web application services will live entirely in the cloud from day one.
Third-Party Outsourcing
We also believe that this transition to the cloud will include a move to outsourced services, such as SOCs. This move, too, will begin as a hybrid scenario in which companies augment their in-house SOCs with outsourced ones to attain 24/7/365 monitoring, protection, reporting, and remediation of incidents. The complete transition to a fully outsourced solution might take several years to complete. A 100% reliance on outsourced services requires that company officers and technicians relinquish a certain amount of control of their computing environments to third parties. We recognize that this is not an easy transition.
The size of a company has a significant impact on the speed of this transition. The move to outsourced services will occur at different rates depending on how large a company is, how long it’s been in business, and how much control over infrastructure, services, and people the company is willing to relinquish. Smaller and newer companies will make the move to outsourced services with fewer conflicts. New companies will use commoditized third-party resources to get started and remain agile.
Conclusion
Moving threat protection to third-party entities and to the cloud should result in better coverage, fewer incidents, and lower costs. The benefits to online shoppers, brick-and-mortar retail customers, financial institutions, and health care facilities are better fraud protection, reduced incidents of identity theft from online leaks, better privacy protection, and a smaller target surface for attackers when the corporate network is removed from the picture.
Web application attacks are on the rise. The attacks are more sophisticated and use more brute-force attack strategies than seen in previous years. Organizations must continually examine and reexamine strategies for protection, mitigation, and remediation. To stop web application attacks, organizations need to deploy a multilayer approach to security that includes WAFs, multifactor authentication, artificial intelligence, machine learning, secure programming, and big data analytics.