Armor Channel VP on AWS, Microsoft Azure and Shared Responsibility

You just helped a customer move an application to Azure or AWS. Think you – and they – are now on security easy street? Not so, says Dan Mannion, VP of partners and alliances for Armor.

“I’ve had a number of conversations about this with partners this past week,” Mannion told me. The shared-responsibility model published by both Microsoft and Amazon means that when you move an application to the cloud, the customer is still 100-percent accountable for securing the virtual machine, operating system, application and data, as well as the network ports through which customers and employees access that data.

Armor is in the business of creating a consistent security and compliance posture across public clouds and internal and colo infrastructure, and its Armor Anywhere was named a Hot Product at this year’s Black Hat conference. The company also made the 2016 Inc. list of the fastest-growing private U.S. companies.

I spoke with Mannion, who previously served as senior director of ISV strategy at Microsoft, about the company’s small but growing partner program, products and how the channel can keep customer data safe in the cloud. Here’s the interview, edited for length and clarity.

Channel Partners: Where is the security demarcation line in the cloud?

Mannion: There’s a perception in the industry that when I move to the cloud, Microsoft is taking care of the security, or Amazon is taking care of the security. That’s unfortunately not the case. What they are guaranteeing the security of is their data centers, the role-based access that they put in place, the clearing of the individuals. They’re ensuring that the people that actually run the cloud are not going to get access to your customer data, your sensitive information.{ad}

But when you actually move your app and your workload to the cloud, you’re not inside of that cloud. It’s kind of a misnomer — you’re actually on top of the cloud. You’re sitting on top of a virtual machine that is running on top of the cloud, and now that virtual machine, the app that you put there, the database you put there, and the network that accesses that, that’s all your responsibility to secure and to manage.

CP: How much awareness do you see among partners about where their responsibility extends to?

DM: Some partners know and understand that, and that’s one of the first thing that they talk to the customer about. If they’re going to be a responsible partner and talk to the customer about the cloud journey, they’re going to explain …

{vpipagebreak}

… to them, “Hey, there is this thing called a shared-responsibility model that requires us to help you get secure when you’re in the cloud. Here are the things that we suggest you do.”

There are other partners that I have talked to who, when we introduced this to them, they’ve already moved customers to the cloud and they say, “Wait, no, I thought AWS was just secure.”

So they’ve fallen into the same trap that a lot of customers have fallen into, which is, “When I go to the cloud, it’s more secure then where I am taking the customer from.” That is true to an extent, it’s true to the fact that the colo facility or the private data center that the customer may have been in is perhaps not as secure as a Tier 5 data center that AWS or Microsoft builds and manages. But they forget to mention, or they just don’t know to mention, this whole shared-responsibility model, which requires you to secure everything on your own.

So you do get a little more security when you move to the cloud, but now the other metaphor I like to use is, “You’re swimming where the sharks are. The sharks go where the fish are, and the fish are now in the cloud.”

CP: What role are AWS and Microsoft playing in saying, “Hey, you still have some responsibility.”

DM: Amazon has had to be much more public about this. Microsoft just released [its] white paper in April.

I led the worldwide public sector cloud business at Microsoft for three years, and I never proactively brought up a shared-responsibility model; I just sold the fact that your current environment is less secure than the environment that you’re moving to, which is true.{ad}

What is more challenging is when customers say, “Hey, at least I knew the environment I was in and I was able to control how I secured it. Now I’m moving to the cloud, I don’t have the same level of control that I felt like I had in my own data center. Now I have to figure out how to secure something in the cloud where I have less control, and it’s a different set of challenges that I have to go solve.”

So even when a partner helps them go in eyes-wide-open, now they have a different set of challenges, yet they don’t have the same access and control that they used to in an owned data center.

CP: Is patching more difficult in cloud than on premises?

DM: No, patching is patching, so hopefully they’re doing that pretty regularly in their own environment, and they continue that practice in the cloud. That’s not as much of the issue. The issue is, you don’t have the same …

{vpipagebreak}

… control and optics at the OS/server and network levels as when you’re in your own environment.

CP: Is shared responsibility the same across different platforms?

DM: Microsoft Azure and AWS are pretty much exactly the same. It basically states that from the virtual machine on up it is 100 percent the customer’s responsibility to secure and manage.

CP: Customers do perceive security benefits, though. Is a server in the cloud less likely to be hit by ransomware, for example?

DM: I don’t have any evidence that ransomware has hit workloads in the cloud. Here’s the thing though: If someone wants to hit you, and they’re coming into your environment, and they know that you’re accessing data in the cloud, all they have to do is follow that trail and say, “Oh, that server is not in a closet in their office, its over here in the cloud, now I access the server, I encrypt the server, I’ve got you hit with ransomware.”

It’s the same model, it’s just locating where the actual server exists. That server could exist in your own office, it could be in colo at Rackspace, or it could be in Microsoft. I still have to find that server to have ransomware work.

CP: Game changer if a cloud server is hit with ransomware?

DM: It would be something that Azure and AWS would not be advertising.

If you look where AWS and Azure have their growth, they’ve gained customers’ low-security workloads first. Over the last 10 years there’s been $12 billion of annual cloud growth from those two cloud platforms, but it is largely because customers are putting their toes in the water and saying, “OK, I am going to give you my front-facing website, which if the data gets out into the dark web, that’s not a bad thing because it’s all public-facing anyway. I’m going to give you my dev test environment which has garbage data and no intellectual-property risk for me. I’m going to give you my cold storage so instead of storing this on expensive hardware, I am going to store this up in the cloud, and I am just going to encrypt that stored information because I don’t have to access it; I’m just doing it for compliance reasons.”

So the world has started to adopt the cloud using low-security information, which makes it less of a target for hackers by definition. Hackers want …

{vpipagebreak}

… your medium- and high-security information, they want your credit card data, they want your customer data, they want your financial data, they want your intellectual property.

Now in order for Azure and AWS to continue to grow – and this is why they have such an interest in Armor – they have to convince customers that they can move those medium- and high-security workloads to the cloud, and to do that, they have to be clear about the shared-responsibility model and how the customer has to secure themselves.

So either A) the customer goes out and buys a bunch of tools and figures out how to run a 24/7 security-center team securing stuff in Azure or AWS, or B) they hire Armor because that’s what we do for a living.

CP: Great segue to an overview of Armor’s partner program.

DM: We launched four new partner programs on July 1, and we did a big set of announcements at the Microsoft WW Partner conference in Toronto in the middle of July and sponsored some events and had some Microsoft speakers. It was very productive for us.

The four partner programs we launched are pretty standard in the industry. One is around a referrals partner program, so that’s mainly adopted by security consultants that don’t want to be in the business of managing and reselling security services; they just want to refer us business when they are in those conversations and are hearing about the challenges that customers are facing. They refer us the business, we run the sales cycle, we win the deal, they get paid.

Then there’s the standard reselling partner program, there’s a managed service provider partner program, and there’s a technology partnership partner program.

One of the things we found when I got here in January is that software companies, ISVs, that sell into regulated industries, really love Armor. In fact, seven in 10 of our largest customers are other ISVs, and they love Armor because we allow them to deliver a differentiated solution, a very secure and compliant platform solution to regulated industries like finance, health care, retail, nonprofit, state and local government, education.{ad}

Anytime you’re dealing with sensitive customer information – which a lot of these apps have to do in order to deliver value to their customers – they either have to build up the secure infrastructure themselves in a colo facility or they give that to Armor, and Armor is able to manage and run that. They can be about the business of developing better software solutions for their customers.

CP: Health-care companies are in crosshairs now.

DM: Absolutely. There is a website I started tracking which every two weeks comes out with …

{vpipagebreak}

… another one to two dozen hacks that have successfully occurred at hospitals, medical centers. It’s really bad, unfortunately.

CP: Do you see a partner opportunity in PCI compliance, especially for partners who work with midsize and small retailers lagging with PoS systems?

DM: When you look at PCI compliance, there are over 300 different controls. Of those, 96 are actual tech controls, and Armor Complete environment checks the boxes on pretty much all of those. Customers can become PCI compliant more cost-effectively and more quickly. They don’t have to certify all the people walking into the building. We also help customers in Azure or AWS get there much more cost effectively.

CP: What percent of sales are direct versus with a channel facilitator?

DM: In January, 10 percent of sales were coming through the channel, and that was partly because the company hadn’t invested the right amount of resources in it, but it’s also because the offering we had on the market wasn’t very channel-friendly.

Our new offering, Armor Anywhere, is a much more channel-friendly solution. There are thousands of partners that Amazon and Microsoft have convinced, and funded frankly, to help customers move to the cloud. At some point there’s a compliance and security conversation, and what the majority of these partners are not doing is monetizing that conversation because they don’t have a 24/7 security operations team, they don’t understand cybersecurity, they don’t have the people to essentially construct a solution for these customer, and so they often just don’t address it.

They often say, “Oh, don’t worry, the cloud is secure” – which we just talked about not being true – or they say, “Oh, here’s that shared-responsibility model; that’s gonna be your responsibility, you need to go figure that out.”{ad}

I’ve talked to a lot of partners who say, “This whole concept of security is a show-stopper, it is usually what prevents us from continuing to migrate customers to the cloud because they start to get cold fee. They are scared about their security posture in the cloud.”

Then we come along with a solution that allows you to unlock those medium- and high-security workloads and continue the business of transforming that customer to a cloud-based business and moving those workloads into the cloud securely.

Look, every CIO is having a cloud conversation. They are all trying to figure out how to get out of the data-center management business because it is not core. It is a cost they should not be incurring. Now, how do I take advantage of the fact that Microsoft and AWS have invested so much money in building a scalable and highly cost-efficient cloud platform?

One of the biggest hitches in the transformation is …

{vpipagebreak}

… security. Frankly, that’s what got me to leave Microsoft. I spent three years selling government, health and education institutions around the world on the cloud, and every day I had a data privacy and data security conversation. I started to really understand how important this concept is, and then when I found Armor and Armor said, “Hey, we’re solving that data privacy and data security issue in the cloud.”

I realized, man that is a massive market opportunity, these guys have figured it out, I want to be a part of that.

CP: What’s your goal for share of sales in the channel in 12 to 18 months?

DM: When I got here it was 10 percent. By the end of this year we’ll be generating 20 percent of revenue through the channel; a year from now I hope that’s 30-40 percent, and our ultimate goal is 60 percent within three years.

CP:  What challenges do you foresee?

DM: Partners can’t find the security people. That’s why every partner now has a choice. They either buy the tools and construct the security posture on behalf of the customer, which is really hard because they can’t find the people who know how to do that, or they come to a company like Armor that has productized all the right tools, and has the managed service behind it along with a 24/7 security operations center.

We have former FBI, NSA and CIA folks that actually manage the environment and mediate any threat actors that try to attack that environment. I love talking to an infrastructure partner who’s tried to do this. They’ve bought a logging system, they’ve bought a SIEM, they’ve tried to construct this on behalf of the customer and they’ve failed. Then they see what we have to offer and they sign up right away.

CP: What are you hearing from partners?

DM: What partners have told us is …

{vpipagebreak}

… that we have offerings that address all of the high- and medium-security needs of a customer. It doesn’t matter the industry, doesn’t matter what set of apps or data they’re managing. That we can secure stuff in Azure, AWS, our own cloud, Rackspace or their own data center means the partner just has one vendor to work with.

CP: Do you favor partners with a security focus?

DM: I want the partners that do have a security focus, and the partners that don’t have a security focus.{ad}

What I am finding from a go-to-market perspective is that the partners that do have a security focus are productive much more quickly than the partners who recognize this is a big opportunity and don’t have any security people on staff. It’s tough to have a security conversation with customers without security expertise.

What we are trying to build with those partners is an easy journey to take the customer down the path. Bring them to us, and we’ll help you get through the sales cycle, and then you just manage the structure as you always have.

Follow editor in chief @LornaGarey on Twitter.