Jon Bove

In this era of the cloud, IDC forecasts that by 2020, more than 90%  of enterprises will be using multiple cloud-based services and platforms. Whatever the size of your customers, their adoption of cloud-based services offers many benefits

It’s not just users who benefit from cloud services. Service providers benefit as well. Done right, software-as-a-service (SaaS) has all the multitenancy functionality that makes managing and maintaining a customer base a snap. Just as importantly, it makes you — as a channel partner — more competitive in this cloud-first world. Cloud services are typically low-touch and low-cost — eliminating trips to customer locations and even remote troubleshooting, providing cost savings that can be passed on to the customer.

Security Challenges

As with any solution, the cloud expands the potential attack surface. But because of its dynamic elasticity and scalability, and the fact that each cloud environment runs differently, cloud — and especially multicloud — deployment introduces a new level of complexity into securing an organization. Part of the issue is that a multicloud strategy is rarely ever planned. It’s usually something that happens organically, to address an emergent need. And worse, the IT team usually only comes in after the fact to retrofit a security strategy.

It all starts innocently enough with an employee using an Office 365 document, someone else subscribing to Dropbox, another employee uploading a document onto Google Drive to share and someone else creating a website using the public cloud.

All of a sudden, your customers are consuming services from four different cloud providers. And that’s just the tip of the iceberg. Because of the ease of creating a cloud network — basically, anyone with a credit card can set one up — lines of business may even have their own cloud infrastructures in place to develop or run applications or to offload compute requirements. Often, this is the result of an implicit approval to leverage the cloud to meet digital transformation requirements. Industries that rely heavily on technology, such as manufacturing, high-tech and telecom, are being led by executive management to become 100% cloud, including infrastructure and applications.

From a security standpoint, your customer can quickly lose control of the information flow. Each one of these new activities adds to the risk. While on a case-by-case basis each cloud service selection makes sense, when they’re looked at in the aggregate, it hits home that this is a patchwork of cloud services with unknown or disconnected security or data management policies in place.

And, exposure to risk increases with each cloud app an employee logs onto. If a breach of one of those apps occurs, the security team now faces the risk of information not being controlled by corporate IT becoming publicly available. It’s the nature of distributed information to lessen visibility, leading inevitably to a situation where the security risk level is unknown or, worse, nonexistent.

Who’s Responsible?

The cloud runs on a shared responsibility model with the guiding principle being that if you touch it, it’s your responsibility. If you change the configuration option on the cloud, you’re now responsible for what happens as a result of that change. If you’ve uploaded data to the cloud, it’s your responsibility to make sure that it’s secure.

To make everything clear and keep customers informed and happy, cloud providers often offer a great amount of documentation about what they provide — resiliency and security — and what they don’t provide. This means that organizations are responsible, as difficult as it may be, to read exactly where the demarcation is between the cloud provider’s responsibility and their own responsibility to keep services up and running.

Help Is on the Way

Fortunately, MSPs can offer security-as-a-service to mitigate these challenges. This is often a welcome alternative to achieve …

… a desired end result for customers deploying disparate systems from disparate vendors before they become problematic and time-consuming to manage and maintain, or to integrate with other security solutions and systems deployed elsewhere.

Compounding the problem, given the increasing sophistication of cybercriminals, today’s attacks are often automated. In the worst case, your customers don’t even know they’re being attacked. Or maybe they know they’re being attacked but don’t know where the attack is coming from or which lever to pull to make it stop.

An automated attack also typically works faster than humans are able to respond. Because of this, your customers need an equivalent comprehensive and automated security solution designed to protect all threat vectors, across their entire network and infrastructure, that includes threat correlation and automated response and remediation.

To achieve this, cloud security must be integrated, with other cloud-based frameworks and with security solutions deployed elsewhere. This provides the visibility and consistent security that are so critical, especially as data, applications and workflows move across and between platforms. It must also be dynamic and flexible, able to automatically adjust as cloud networks shift and expand. As a result, when an effective security solution is configured correctly, the first your customers will likely know of a security incident is in a log report or a notification that highlights an attack and how it has already been dealt with. If you choose to offer managed security services, you likely already have such a high-visibility system up and running, freeing your customers from having to piece such a system together on their own.

Opportunity Ahead

With its lower costs, greater scalability, and other advantages, the cloud is a business necessity in the digital world. However, security challenges abound and must be addressed quickly. Because attacks are often automated, humans can’t keep up. Organizations need to deploy automation to fight automation, and the best way to do that is often by working with a managed security service provider. These providers have the dedicated focus and expert staff needed to address the complex cloud security landscape. It’s a rapidly growing opportunity, with no signs of slowing down. Are you ready?

Jon Bove is the vice president of Americas channels at Fortinet. He and his team are responsible for strategizing, promoting and driving the channel sales strategy for partners in the U.S. as the company seeks to help them build successful — and profitable — security practices. A 17-year veteran of the technology industry, Bove has held progressively responsible sales, sales leadership and channel leadership positions. Follow @Fortinet on Twitter or Bove on LinkedIn.