Are the costs of cloud security to good to be true?

What is it they say…you get what you pay for, right? In most cases, that is a spot on assessment but in terms of the cloud-based security, the numbers tend to add up towards the benefit of the user. But let’s get the whole idea of numbers down straight. It’s all relative. What is pricy for one organization is downright affordable to another, so in terms of costs let’s look squarely at the moving target of return on investment. What makes cloud security compelling is how the costs break down in terms of hard and soft cost savings.

First let’s compare apples to apples. I am not talking about just applying a single sign on solution or identity management, or even SIEM, but rather analyzing cloud security holistically. Each of these components are a growing necessity for any company who deals with proprietary data, responsibly protects customer information and transactions,  and each needs to work in concert to maintain the highest degree of security integrity. But this sound expensive. And in many cases it is; especially for all those companies that are not multi-trillion dollar international corporations who have dedicated staffs who build everything in house. But if you are that successful medical supply company, or a semi-conductor manufacturer or simply a national retailer of note (and/or you’re a $20 million dollar homeowner information software company), the cloud provides attractive, affordable benefits that give you the same degree of security as the biggest dogs.

There are some cost savings that are immediately apparent. With the cloud there is no hardware or software to install. If your cloud vendor insists on buying either one, then they are not a true cloud provider. The main benefit of the cloud is a “no muss, no fuss” policy of maintenance. Control…that belongs to you. If you wish to be a hands-on administrator, cloud is a conduit to complete security functionality. If you wish to delegate portions because of bandwidth, personnel or budget constraints, security-as-a-service might be an obliging alternative. However, these cost savings are usually the same with any cloud computing solution.

So as we dig deeper, one must consider direct costs, soft costs, scope of services, and migration issues. I realize that cloud security is not just some application (even one as important as CRM or payroll), it can be an intimate part of the enterprise infrastructure. Therefore the ROI must look at a variety of less than obvious considerations. Take SIEM for example. Your organization may incorporate some version of anomaly protection. For most companies, it is a part time venture—monitored only when someone’s in the office. So there might be issues that get nested in the weeds for 12-16 hours a day. It is conceivable, things get missed—and some are more harmful than others. It’s like going out in the snow in just a windbreaker. You’re generally covered, but there is still the likelihood, you’ll come home with the flu. With the cloud, and more specifically security-as-a service, you pay for best-of-breed enterprise tools, a higher degree of functionality and 7/24/365 monitoring. And you pay usually a fraction of the cost.

Then there is the issue of compliance. How much time and effort is spent ensuring the audits for PCI, SOX or HIPAA are in order? And not just the time, but sewing together every data silo, endpoint and transaction within the enterprise to ensure proper adherence to the requirements. Just the compliance aspect can run in the thousands of man hours and hundreds of thousands of dollars. Again, a true cloud security deployment can cut that by 75%. Most of the necessary documentation, events and transactions are scrutinized, correlated, secured and logged (and when dictated by law, destroyed) to keep your company not only compliant (and your customer’s personal data and your proprietary intelligence safe), but properly audited without adding more personnel, man hours or losing effectiveness through job fragmentation .

Then there are soft costs. Consider the benefits of precision budgeting and the reduction of operating costs, the HR savings (no benefits, no vacations, no training or ramp up time, churn) and the ability to prioritize based on your core competencies. I can spend a whole blog on these items alone (and down the line I will), but note the promise of cloud-based security is improved risk management at affordable, scalable costs.

Now let’s assume, you agree with the cost savings and the expanded capabilities cloud-based security affords an organization like yours, many still see the migration to the cloud as a painful, costly and time consuming stumbling block. Now if you are a monolith the size of HP and are looking to move every asset to a cloud, then it is possible the migration can be difficult. However, by leveraging existing and legacy programs, using a mixture of public, private and hybrid cloud configurations and laying out a coherent strategy, the issue of migration becomes moot. However, I don’t advocate throwing the baby out with the bathwater. Many companies have a significant and long term investment made in several on-premise and legacy infrastructure applications that still have not reached an inverted level of depreciation. Cloud-based security does not ask that you abandon everything to the cloud. It simply is another tool that leverages your existing investments and creates a new level of capability that allows you to manage the security of the enterprise more efficiently, cost-effectively and directed with greater strength and reach.

Many IT departments are often asked to more with less. At least in the realm of security, the cloud offers a means to do just that. However, just like any investment, you need to make sure that it matches your overall strategy and that you find a partner with integrity, expertise and a proven track record of protecting assets in and from a virtualized environment.
Kevin Nikkhoo
Comparing Cloud Apples to Cloud Apples

Tags: , , , , , , , , , , , , ,