Managed Security Service Providers: Cloudy Future?
Managed security services providers face a declining market as more of the infrastructure they hope to manage ends up in the cloud. That’s the take of Gray Hall, chief executive officer of Alert Logic, which provides SaaS-based threat management and log management offerings. In a recent post on the Secure Cloud Review blog, Hall writes that the pure-play MSSP model “will fade in significance.” Is he correct?
Hall’s reasoning: The growth of infrastructure as a service (IaaS) and platform as a service (PaaS) is outpacing the overall IT sector. And that means a growing chunk of IT infrastructure is heading for cloud providers’ data centers. Companies dependent on monitoring a customer’s on-premise gear will confront a diminishing set of opportunities.
“Mid-market businesses want to consume IT as a service from IaaS providers who aggregate all elements of the IT infrastructure stack – including security,” Hall writes. “The historical value proposition of the MSSP is now embedded in the broader IaaS solution.”
Of course, Hall and Alert Logic, as purveyors SaaS solutions, have an interest in things moving cloudward. But it’s hard to argue that the MSSP can carry on, business as usual, as use of the cloud expands.
“I think what traditional MSSPs are missing is that a very large fraction of IT infrastructure is being deployed in the cloud,” Hall said in a follow-up interview.
Numerous vendors are adjusting their strategies accordingly: Novell, for instance, earlier this week officially launched the Novell Cloud Security Service (NCSS), which wraps identity and security management around SaaS applications.
MSSPs are adjusting to the cloud as well. Dan DeRosa, vice president of product management at SecureWorks Inc., an Atlanta-based MSSP, said the company’s business model is changing in light of customer requirements. SecureWorks already delivers such offerings as vulnerability scanning, Web application scanning, and Security Information Management as on-demand services.
Allen Vance, senior product manager at SecureWorks, said more on-demand services are on the way in the data security and application security fields.
SecureWorks views cloud providers as a channel for its security services; partnering announcements are forthcoming.
In the meantime, the majority of SecureWorks’ business remains on-premise versus in the cloud. DeRosa puts the on-premise slice at 75 to 80 percent of the company’s revenue. And even as network boundaries become more ambiguous, DeRosa said he believes there will always be insertion points where the company can apply its security services. Vance said virtual private clouds, for example, may provide a point where SecureWorks can employ its monitoring and management technologies.
For companies like SecureWorks, the cloud presents an adaptation challenge. As cloud computing advances, an MSSP’s delivery approach will necessarily change. On-demand MSSP solutions could fit within the umbrella of a cloud vendor’s service portfolio. Indeed, cloud vendors may well absorb and deliver a range of SaaS-based security solutions (and other types of point solutions, for that matter) in much the same way systems integrators served up an array of software packages in customer projects during the late 1980s and 1990s.
A cloud provider that takes over a broad swath of a customer’s infrastructure becomes a key technology decision maker — and a sales channel more security specialists may choose to cultivate.