MSSPs Can Be Key to Managing Security in Complex Cloud Environments
In this era of the cloud, IDC forecasts that by 2020, more than 90% of enterprises will be using multiple cloud-based services and platforms. Whatever the size of your customers, their adoption of cloud-based services offers many benefits.
It’s not just users who benefit from cloud services. Service providers benefit as well. Done right, software-as-a-service (SaaS) has all the multitenancy functionality that makes managing and maintaining a customer base a snap. Just as importantly, it makes you — as a channel partner — more competitive in this cloud-first world. Cloud services are typically low-touch and low-cost — eliminating trips to customer locations and even remote troubleshooting, providing cost savings that can be passed on to the customer.
As with any solution, the cloud expands the potential attack surface. But because of its dynamic elasticity and scalability, and the fact that each cloud environment runs differently, cloud — and especially multicloud — deployment introduces a new level of complexity into securing an organization. Part of the issue is that a multicloud strategy is rarely ever planned. It’s usually something that happens organically, to address an emergent need. And worse, the IT team usually only comes in after the fact to retrofit a security strategy.
It all starts innocently enough with an employee using an Office 365 document, someone else subscribing to Dropbox, another employee uploading a document onto Google Drive to share and someone else creating a website using the public cloud.
All of a sudden, your customers are consuming services from four different cloud providers. And that’s just the tip of the iceberg. Because of the ease of creating a cloud network — basically, anyone with a credit card can set one up — lines of business may even have their own cloud infrastructures in place to develop or run applications or to offload compute requirements. Often, this is the result of an implicit approval to leverage the cloud to meet digital transformation requirements. Industries that rely heavily on technology, such as manufacturing, high-tech and telecom, are being led by executive management to become 100% cloud, including infrastructure and applications.
From a security standpoint, your customer can quickly lose control of the information flow. Each one of these new activities adds to the risk. While on a case-by-case basis each cloud service selection makes sense, when they’re looked at in the aggregate, it hits home that this is a patchwork of cloud services with unknown or disconnected security or data management policies in place.
Exposure to risk also increases with each cloud app an employee logs on to. If one of those apps is breached, the security team faces the risk that information not controlled by corporate IT becomes publicly available. It’s the nature of distributed information to lessen visibility, leading inevitably to a situation where the security risk level is unknown or, worse, nonexistent.
The cloud runs on a shared responsibility model, with the guiding principle being that if you touch it, it’s your responsibility. If you change a configuration option in the cloud, you’re now responsible for what happens as a result of that change. If you’ve uploaded data to the cloud, it’s your responsibility to make sure that it’s secure.
To make everything clear and keep customers informed and happy, cloud providers often offer a great amount of documentation about what they provide — resiliency and security — and what they don’t provide. This means that organizations are responsible, difficult as it may be, for reading that documentation to learn exactly where the demarcation lies between the cloud provider’s responsibility and their own responsibility to keep services up and running.
Help Is on the Way
Fortunately, MSPs can offer security-as-a-service to mitigate these challenges. This is often a welcome alternative to achieve …