Cloud Services Differentiated by Security

The battle for ownership of the IaaS market is gaining pace, and it is differentiated mainly on price. Security-differentiated services are now emerging, which has to be good – but will the subscriber notice the difference?

Recently Microsoft rolled out infrastructure-as-a-service (IaaS) offerings on Windows Azure, positioning itself to compete with IaaS provider Amazon Web Services. This was rapidly followed by Google announcing that it was opening up its IaaS offering to customers. The market battleground is price and performance.

Over the last year or so players like SkyScape have entered the IaaS market offering services differentiated on security.
(I am NOT saying Microsoft and Google are insecure – simply observing that they are not choosing to differentiate their service on the basis of security, whereas others are.)

As an application developer looking to offer cloud software-as-a-service (SaaS), this starts to give a real choice about how much the security of the underlying infrastructure should matter to the SaaS offering. This has to be good?

Will the SaaS subscriber notice (or care)?

This may seem a strange question, but think about the SaaS services you use: Dropbox, Salesforce, Twitter, Facebook, LinkedIn… What infrastructure do they run on: their own or a third-party IaaS? This is not normally disclosed – but I argue this matters, and matters a lot. You can’t build security on a bed of sand; you need deep and strong foundations. Just as you would choose a secure operating system for an application running on an appliance and then harden it suitably, you need a secure and suitably configured IaaS to run a SaaS.

My worry is that at the current time there is no transparency about the IaaS platforms used to run SaaS, so subscribers cannot easily make a risk judgement about the strength of the foundations.

Am I right to worry about this, or barking up the wrong tree? Is it just a marketing issue? Comments please…


One thought on “Cloud Services Differentiated by Security”

  1. I think you’re spot on.
    For non-critical services such as Twitter, LinkedIn etc., I don’t worry – however, if I was using any SaaS that was critical to my business, I’d already be worrying about lack of transparency and inability to audit (as “you can audit a system at the lowest level to which you have access to it, and no lower”).
    Your statement gets very interesting, of course, when you consider organisations which are doing pragmatic and sensible things with Cloud even at an IaaS level, by spreading their workloads across multiple providers for resilience. This is all well and good, if those providers are truly independent – however, if they have shared dependencies which can manifest as common single points of failure (such as if more than one has its storage backed by Amazon S3, say), then the customer’s perceived resilience is an illusion if S3 access goes down. This has echoes in issues with physical supply chains – it wasn’t that many years ago that RAM prices went through an unexpected bubble, when one of the very few factories making memory had a fire – people thought there were rather more such factories, than there actually turned out to be.
    What’s needed is a standard means for providers to expose the details of their supply chains to their customers, so that the customer can select providers based on a sufficient lack of common points of failure. Discussions are afoot.

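The commenter’s point about shared dependencies becoming common single points of failure can be checked mechanically once a provider discloses its supply chain. The following is an added example, not code from the post or its commenter: it models each component’s dependencies as groups of alternatives (a provider is up only if every group has at least one working alternative), simulates the failure of each component in turn, and reports any component whose sole failure would take down every provider a customer has spread workloads across. The provider and component names in the topology are constructed for illustration.

```python
"""Find common single points of failure across cloud providers.

Added example (not from the original post or its comment). The topology
below is constructed: provider-a and provider-b both outsource storage to
the same object store, while provider-c has a redundant second backend.
"""

# Each key is a component; its value is a list of requirement groups.
# A component works only if EVERY group has at least one working
# alternative. A single-entry group is a hard dependency.
SAMPLE_TOPOLOGY = {
    "provider-a": [["compute-a"], ["storage-a"]],
    "provider-b": [["compute-b"], ["storage-b"]],
    "provider-c": [["compute-c"], ["storage-c"]],
    "storage-a": [["object-store-x"]],                    # outsourced storage
    "storage-b": [["object-store-x"]],                    # same third party as A
    "storage-c": [["object-store-x", "object-store-z"]],  # redundant backends
    "compute-a": [], "compute-b": [], "compute-c": [],
    "object-store-x": [], "object-store-z": [],
}


def is_available(topology, component, failed, _visiting=frozenset()):
    """True if `component` still works once everything in `failed` is down."""
    if component in failed:
        return False
    if component in _visiting:
        # Dependency cycle: treat as unresolved instead of recursing forever.
        return False
    visiting = _visiting | {component}
    for group in topology.get(component, []):
        if not any(is_available(topology, alt, failed, visiting) for alt in group):
            return False
    return True


def all_components(topology):
    """Every component named anywhere in the topology."""
    names = set(topology)
    for groups in topology.values():
        for group in groups:
            names.update(group)
    return names


def impacted_providers(topology, component, providers):
    """Providers that go down if only `component` fails."""
    return sorted(p for p in providers if not is_available(topology, p, {component}))


def common_single_points_of_failure(topology, providers):
    """Components whose sole failure takes down EVERY listed provider.

    An empty result means no single component is shared in a way that
    defeats the customer's multi-provider resilience.
    """
    candidates = all_components(topology) - set(providers)
    return [c for c in sorted(candidates)
            if impacted_providers(topology, c, providers) == sorted(providers)]


if __name__ == "__main__":
    for chosen in (["provider-a", "provider-b"],
                   ["provider-a", "provider-b", "provider-c"]):
        spofs = common_single_points_of_failure(SAMPLE_TOPOLOGY, chosen)
        print(f"{chosen}: common SPOFs = {spofs or 'none'}")
```

Running the script shows that a customer split across provider-a and provider-b has object-store-x as a hidden common point of failure, whereas adding provider-c (whose storage can fall back to object-store-z) removes it. The same check can be applied to any disclosed supply chain, which is exactly why the commenter’s call for a standard disclosure format matters.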
