Security in the Cloud: Follow the Netflix* model

For years, the security industry has been complacent, using complex concepts to keep security discussions isolated from the mainstream IT infrastructure conversation. We all know that this time is over. The industry consolidation, initiated by EMC’s acquisition of RSA in 2006 and now well on its way with the recent acquisitions of McAfee by Intel and ArcSight by HP, is demonstrating that the security and IT infrastructure conversations are one and the same.

We, the security people, must follow this transition and lay out a vision that non-security experts can understand without having to take a PhD course in prime number computation.

Let me give it a try by using the video rental industry as an example of why security in the cloud will be different and more effective.

Video rental industry:

1 – You start with a simple need: Most families want to watch movies in their living room, a movie of their choosing, at a time of their choosing.

2 – A new market emerges: Video rental stores with chains such as Blockbuster in the US. Do you remember the late fees?

3 – Then comes a new business model. Instead of paying per movie and driving to the store, you pay a monthly subscription fee and movies are delivered directly to your home. Netflix* jumps in and makes the new delivery model work with legacy technology by sending DVDs through postal mail.

4 – An increase in network bandwidth makes video on demand possible on many kinds of end-user devices, from cell phones to video game consoles. Netflix expands its footprint by embedding its technology into any video viewing device that makes it into your home: game consoles, streaming players and smart phones.

5 – Blockbuster has filed for Chapter 11 bankruptcy. Netflix is uniquely positioned to help consumers transition from the old world of video viewing with DVDs to video on-demand. The customer wins with better movie choices delivered faster.

The Security Industry

The parallel with the evolution the security industry is going through is striking:

1 – You start with a simple need from CIOs and CSOs: They want to secure their information.

2 – A new market emerges: IT security, with early players focusing on perimeter security: building firewalls around information and bolting security controls on top of insecure infrastructure.

3 – Here comes the cloud, a different way of delivering, operating and consuming IT. IT is delivered as a service. Enterprises use virtualization to build private clouds operated by internal IT teams. The IT infrastructure is invisible and security is becoming much more information-centric. New security solutions emerge that focus on gaining visibility over the new cloud infrastructure and on controlling information.

4 – An increase in bandwidth makes it possible to expand private clouds into hybrid clouds, using a service provider’s IT infrastructure to develop new applications or to run server or desktop workloads. Security is changing as controls are embedded directly in the new cloud infrastructure, making it security-aware.

5 – What will happen to the security industry? It must adapt and manage the transition from physical to virtual to cloud infrastructures: first, by dealing with traditional security controls in physical IT infrastructure; then, by embedding its controls in the virtual and cloud infrastructure to build a trusted cloud; and finally, by providing a consolidated view of risk and compliance across all types of IT infrastructure, from physical to cloud. The customer wins: IT infrastructures have become security-aware, making security more effective and easier to manage.

So, does this explanation work for you? I welcome all comments below!

* Netflix is a registered trademark of Netflix, Inc.

About the Author: Eric Baize

Throughout his career, Eric Baize has been passionate about building security and privacy into systems and technology from design to deployment. He currently leads Dell EMC’s Product Security Office and serves as Chairman of SAFECode, an industry-led non-profit organization dedicated to advancing software and supply chain security best practices. At Dell EMC, Eric leads the team that sets the standards and practices for all aspects of product security across the product portfolio: vulnerability response, secure development, consistent security architecture, and code integrity. Eric joined Dell through its combination with EMC, where he built EMC’s highly successful product security program from the ground up and was a founding member of the leadership team that drove EMC’s acquisition of RSA Security in 2006. He later led RSA’s strategy for cloud and virtualization. Prior to joining EMC in 2002, Eric held various positions with Groupe Bull in Europe and in the US. Eric has been a member of the SAFECode Board of Directors since the organization was founded in 2007 and also serves on the BSIMM Board of Advisors. He holds multiple U.S. patents, has authored international security standards, is a regular speaker at industry conferences and has been quoted in leading print and online news media. Eric holds a Master of Engineering degree in Computer Science from Ecole Nationale Supérieure des Télécommunications de Bretagne, France, and is a Certified Information Security Manager. Follow Eric Baize on Twitter: @ericbaize