The battle of ownership of the IaaS market space is gaining pace, mainly price differentiated. Security differentiated services are now emerging which has to be good – but will the subscriber notice the difference?
Recently Microsoft rolled out infrastructure-as-a-service (IaaS) offerings on Windows Azure, positioning itself to compete with IaaS provider Amazon Web Services. This was rapidly followed by Google making an announcement opening up its IaaS offering to customers. The market battle ground is around price and performance.
Over the last year or so players like SkyScape have entered the IaaS market offering services differentiated on security.
(I am NOT saying Microsoft and Google are insecure – simply observing they are not choosing to differentiate the service on the basis of security whereas other are).
As an application developer looking to offer cloud software-as-a-service (SaaS), this starts to give real choice as to how important the security of the underlying infrastructure is to the SaaS offering. This has to be good?
Will the SaaS subscriber notice (or care)?
This may seem a strange question, but think about the SaaS services you use: Dropbox, Salesforce, Twitter, Facebook, LinkedIn… What infrastructure do they run on: their own or a 3rd party IaaS? This is not normally disclosed – but I argue this matters and matters a lot. You can’t build security on a bed of sand, you need deep and strong foundations. Just like choosing a secure operating system for an application running on an appliance and implementing suitable hardening, you need a secure and suitably configured IaaS to run a SaaS.
My worry is that at the current time there is not transparency of the IaaS platforms used to run SaaS, so subscribers cannot easily make a risk judgement about the strength of the foundations.
Am I right to worry about this, or barking up the wrong tree? Is it just a marketing issue? Comments please…