Addressing Cloud Risk

Sept. 6, 2016
Two “mega-risks” that must be tackled when adding the services to your offering

There are two megatrends that are disruptively impacting many industries — including security — and they both amplify the risks that integrators and cloud offering providers have relating to cloud-based services. They impact the design, manufacture and delivery of any cloud-based or cloud-assisted electronic physical security systems technologies. They are:

  • Continually accelerating widespread technology advancement; and
  • An epochal never-happened-before shift in control of the seller-customer marketplace.

Technology advancement is a given, and we all know this, but we are not good at grasping the ever-accelerating aspect of it. We also tend to think of the ongoing marketplace shift as “commerce moving online”— but there is much more to it than just a change to internet-based business transactions. In other words, we are underestimating the impacts of the two trends that are having the greatest impacts on security industry companies and customers.

These megatrends are bringing significant risks to security industry companies — especially integrators. Thus, without understanding the risks and challenges of these trends, it is easy it to make deal-killing and company-crippling mistakes without ever realizing it. The flip side is that with sufficient understanding of the challenges, it is just as easy to make deal-ensuring and company-advancing moves.

The term “mega-risk” applies to many risks resulting from these highly disruptive megatrends. It has often been said that with risk comes opportunity; however, grasping such opportunity requires an understanding of the risk and a strategy to take advantage of the opportunity. Trying to take business advantage of the opportunities that cloud computing provides without understanding the full risk picture is easily a recipe for disaster.

Marketplace Shift

An epochal marketplace shift is causing the 10,000-year-old “Age of the Seller” to be replaced by the “The Age of the Customer®” — according to Jim Blasingame, author of the book The Age of the Customer (www.ageofthecustomer.com).

One of the most important things to know about the epochal marketplace shift is that it is an amplifier of many seller-side risk factors. Information in social media and online communities can have much greater reach and influence than a company’s own marketing messages do. That is phenomenally good when the online information is in a company’s favor; and phenomenally bad when the company is making mistakes and doesn’t know it. The worst-case situation is when the world (i.e. the company’s prospects and customers) finds out before the company does.

 “For millennia, the marketplace dance between seller and customer was as beautifully simple as it was exquisitely effective, having at its nucleus three primary relationship elements: the product, controlled by the seller; information about the product, also controlled by the seller; and the buying decision, controlled by the customer,” Blasingame explains. “Then something happened that accomplished what no other event or innovation had been able to do for 10 millennia — the birth of a new Age.”

In the new Age of the Customer, Blasingame notes a new paradigm: Products and services are still controlled by the seller; the buying decision is still controlled by the customer; however, access to information — including customer experience — is now controlled by the customer.

Blasingame estimates that the roughly 30-year transition from the Age of the Seller to The Age of the Customer — marked as beginning in 1993 with the arrival of the World Wide Web — will be complete by the year 2025. This means that in less than 10 years, businesses will either have converted their business plans to account for doing business in the age of more customer control, or they will continue to operate using outdated thinking until the diminishing supply of old-style customers is depleted, and they are left with no business prospects.

Get Blasingame’s book to understand fully why security industry business model disruptions are not solely caused by disruptive technologies (as is commonly discussed), but are also due to the larger and more powerful force that is creating a permanent shift in the way customers are willing and able to do business. Figure 1 depicts the awesome magnitude of this change.

Mega-Risk No. 1: Sellers Can’t Hide Mistakes

Seller mistakes and deficiencies are amplified by 21st century customer online communities. This is a growing security industry risk that is more significant than most sellers realize. As Blasingame explains, the growing trend is for prospects and customers to go first to independent online sources of information about a seller and the seller’s products, and then use that information to evaluate the seller’s own information. A customer can self-qualify as a prospect for a seller’s offering, without any direct contact with the seller, and then can disqualify the seller also without any direct contact with the seller, and then move on to the seller’s competition.

The negative effects of making mistakes in seller verbal and written information are amplified as described above. This is happening in all industries, including the security industry. When it comes to cloud computing and cloud services, there is a large universe of cloud-savvy IT and business personnel who are very knowledgeable about cloud computing, cloud services and cloud-based offerings. It only takes one individual who is more technically savvy than the seller’s own marketing, sales or technical personnel are, to identify and shine a spotlight on a seller’s disqualifying mistakes. The same is true for any negative experience that a customer has with a seller.

This is a particularly important consideration for security industry companies who are offering, or planning to offer, cloud services. End users have communities where security related cloud services are being discussed and evaluated. Security integrators also have such communities, including IPVM.com.

There have always been risks relating to vendor mistakes and deficiencies, but Mega-Risk No. 1 amplified them to such a degree that Mega-Risk No. 2 is a serious consideration.

Mega-Risk No. 2: Inadequate Understanding of Advancing Technologies

For example, let’s look at how an inadequate understanding of cloud computing security — and the cloud itself — affects the security industry’s cloud computing arena. Security is one of Microsoft’s key selling points for its Azure brand of cloud services. Microsoft provides plenty of information about the security features of Azure, including an overview titled, “10 Things to know about Azure Security” (http://bit.ly/azure-security-10-things). When you read this overview, it is plain to see that Microsoft provides security for its own Infrastructure-as-a-Service and Platform-as-a-Service offerings, not for the cloud-service provider’s hosted application. The overview’s initial paragraph says, “Under the hood, the Microsoft Azure infrastructure implements a number of technologies and processes to safeguard the environment. This page covers how Microsoft's Global Foundation Services runs the infrastructure and the security measures they implement.”

Another article, “Secure an app in Azure App Service” (http://bit.ly/azure-app-security), states, “While Azure is responsible for securing the infrastructure and platform that your application runs on, it is your responsibility to secure your application itself. In other words, you need to develop, deploy, and manage your application code and content in a secure way. Without this, your application code or content can still be vulnerable to threats.” It is the software provider’s job to design application security into cloud Software-as-a-Service offerings — it is not the job of Azure or any other cloud infrastructure provider. This is the source of Mega-Risk No. 2: Inadequate understanding of cloud computing security.

Recently, several security industry providers of cloud-based offerings have proudly told me that they had moved their offering to Microsoft Azure, because of Azure’s high security. When I asked them to provide me with an application security architecture diagram for their Software-as-a-Service offering, they had no idea what I was talking about. The common response: “It is the Microsoft Azure cloud architecture.”

This could not have been a more incorrect response. The cloud infrastructure platform’s architecture (such as Azure or similar services) is definitely not the same thing as the security architecture for a hosted Software-as-a-Service application. Software application security is completely the SaaS vendor’s responsibility, not that of the cloud platform provider.

Investors, business owners, product managers and resellers all need to have a very clear understanding of this. I know of several security industry companies with SaaS offerings whose owners and investors will not allow them to spend money on documenting their security — or fixing it if need be — until a specific sales or profitability target is reached. If the company cannot provide documentation on the security of its SaaS offering, how can a customer’s technology evaluator approve the use of that offering?

A lack of security documentation puts a lid on sales, especially as prospective customers disqualify the vendor and spread the word. Any owner or investor should be able to prove to a cloud-knowledgeable evaluator that the security of its cloud-based application is sound and based on good practices. As mentioned in the previous article in this series, the Cloud Security Alliance (CSA) is defining and raising awareness of best practices for a secure cloud computing environment. The same companies I recently talked to, who had misunderstandings about the scope of Azure security, also had no knowledge of the Cloud Security Alliance — and neither did their software developers.

Look for follow-up articles in the coming months, with various perspectives on cloud-computing-related opportunities for integrators, including more mega-risks in the next article.

Other Articles in this Series

This is the fourth article in Ray Bernard’s series dealing with cloud-based systems

Here are links to the other articles:

Avoid Key Cloud Services Mistakes
(SD&I March 2016)
www.SecurityInfoWatch.com/12177153

Cloud Computing: Clarity or Confusion?
(SD&I June 2016)
www.SecurityInfoWatch.com/12211857

Evaluating a Cloud-Based Service
(SD&I July 2016)
www.SecurityInfoWatch.com/12223384

Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). Mr. Bernard is a Subject Matter Expert Faculty of the Security Executive Council and an active member of the ASIS International member councils for Physical Security and IT Security.

About the Author

Ray Bernard, PSP, CHS-III

Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (www.go-rbcs.com), a firm that provides security consulting services for public and private facilities. He has been a frequent contributor to Security Business, SecurityInfoWatch and STE magazine for decades. He is the author of the Elsevier book Security Technology Convergence Insights, available on Amazon. Mr. Bernard is an active member of the ASIS member councils for Physical Security and IT Security, and is a member of the Subject Matter Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com).

Follow him on LinkedIn: www.linkedin.com/in/raybernard

Follow him on Twitter: @RayBernardRBCS.