This article was originally published in Forbes
For years, deploying an IT solution meant first buying computers and storage devices, then connecting them inside a corporate data center and then installing software on them. All this has changed significantly in the past decade at many enterprises worldwide. Consuming different IT solutions “as a service” means that one doesn’t need to acquire the hardware and care for them; instead, one gets either a complete turn-key application or an infrastructure for running one “as a service” and can just use it.
While for some kinds of applications — for example, an email server or a CRM — consumption as a service has become the mainstream and has, by far, surpassed the usage of self-hosted equivalents, other areas, such as IT security, remain mostly self-hosted/managed, even at organizations that are adopting modern cloud-based IT solutions. My company provides infrastructure as a service to our corporate customers, and having real enterprise-grade security is a must.
Below are my largest concerns with adopting security as a service and explanations on how I personally resolved them. I welcome any feedback, comments and expression of other opinions, especially if they are different from mine.
IT security tools are mission-critical and cannot be run by external parties
Indeed, in many cases in the modern business world ruled by electronic communications, IT security tools are mission-critical. I completely agree with this part of the claim. Does this really mean that the best way to care for these tools is to do it by yourself? For generations, in modern society, we have learned to rely on external services for mission-critical things in our private lives, and here are some examples:
• Health care: When we are sick, we rely on accredited and certified health care providers to cure us. Usually, we have a wide variety of such providers to choose from, and this will usually guarantee a better result than trying home cures.
• Finances: We keep our money with financial services (banks, insurance companies) most of the time. Doing so gets us much better certainty and management of our wealth than keeping money hidden in our basements.
• Homes: The safest place any of us ever has — his or her home — in most cases was built by a professional construction services provider, rather than by any of us.
Naturally, we could think of many more examples, all sharing the following common quality: When the problem we are trying to solve is critical and requires expertise to solve, modern society is built on relying on external service providers (rather than turning each society member into a universal genius/MacGyver capable of solving all problems by himself/herself). It is only a matter of recognizing that external parties can be more competent at solving a wide variety of IT security problems, and can do so more efficiently, and then of finding a dependable way of relying on them. It’s not that different from trusting your doctor or your bank, something that all of us do.
We cannot risk exposing our sensitive data to external parties
In order to use certain IT security solutions (data loss prevention, web security, application firewall, etc.), we need to have our IT network connections (carrying the information being delivered to or accessed by our users) pass through the service and, when we consume it as a service, through the service provider’s infrastructure.
In various cases, this data can be sensitive to our business or to our customers, and we would want to guard it to the best of our ability. Does guarding the data mean keeping it to ourselves (and our own employees)? How many cases of malicious employee or internal data leaks are there versus cases of service providers being the sources of the data leaks?
Performing due diligence for data sub-processors that we use in our company has taught me that serious service providers are taking earnest steps to protect their customers’ data. Based on my previous experience of over a decade and a half with organizations running “self-hosted” IT security and infrastructure operations, I seriously doubt that even a third of these measures are usually taken internally. It’s definitely made me think.
Our business is in a regulated vertical and doesn’t allow us to use external security providers
While I cannot speak for all possible verticals and all regulatory frameworks, any reasonable regulator understands the modern business reality. It isn’t feasible to build a resilient IT infrastructure all by oneself and have a TCO comparable to an alternative that uses various service providers. All commonsense considerations dictate that organizations that focus on providing infrastructure (or application) services, and specialize in their fields, will always have a competitive advantage in the delivery of such a service in comparison to an organization with a different focus that tries to deliver such an infrastructure by itself.
Regulators understand that, and regulatory frameworks now define duties of sub-processors and sub-contractors that can be leveraged in order to deliver an effective competitive solution. Just choose the right sub-contractors, and you’ll remain compliant with the regulations.
In my humble opinion, the decision on which IT security tools to use has to be driven by choosing the best and most efficient solutions. Just as my physician — who isn’t necessarily smarter or more intelligent than I am, but is much more experienced at providing medical services (seeing patients every day) and has received education, training and certification in his field — many serious IT security providers are positioned to deliver a service that offers much better security, resilience, reliability and cost-effectiveness than if I did it myself. It is all about choosing the right physician to visit and the right IT security service provider. Luckily, the industry is developing, and we are getting more and more common tools and unbiased ways to assess the level of service delivered by different providers, allowing us to make calculated choices.
I stand firmly behind my choices as expressed here and welcome any comments or suggestions.