Forrester predicts the cloud security market will grow to $1.5 billion in five years. Among the main areas of focus will be identity and access management, data security, and cloud governance.
A new report from Forrester Research projects that the cloud security market
will grow to $1.5 billion by 2015-a shift that will disrupt what Forrester
calls the "security solution ecosystem."
In a report entitled "Security and the Cloud," Forrester analyst
Jonathan Penn predicted that rather than reallocating portions of existing
security budgets to cloud computing, organizations will allocate money to
security within cloud projects-creating "a whole new category of revenue
for the security market.
"I'd still say that there's a lot more activity on SAAS [software as a
service]-enabling security solutions-security in the cloud-than solutions that
secure cloud," Penn told eWEEK.
"Concerns about cloud security have grown in the past year," he
added. "In 2009, the fear was abstract: a general concern as there is with
all new technologies when they're introduced ... Today, however, concerns are
both more specific and more weighty. We see organizations placing a lot more
scrutiny on cloud providers as to their controls and security processes; and
they are more likely to defer adoption because of security inadequacies than to
go ahead despite them."
In the report, Penn wrote that the areas most likely to provide
opportunities in the cloud for vendors are data security, identity and access
management, cloud governance, application security, and operational security.
solutions for the cloud
is not simple and requires far more than improving
scalability," Penn wrote in the paper. "Forrester sees many security
vendors still trying to resell hosted boxes to cloud providers without
understanding the nature of the integration into a provider's operational
environment that is required... Even if you're already selling a product
internally to providers for their own protection, selling it to service
providers so that they can deliver it as an added service is totally different.
Products need a range of hooks and APIs to support providers' proprietary tools
(e.g., for service desk and billing functions); configurable interfaces and portals
... and a change in consumption model."
Many vendors do not truly understand the difference between enterprise-class
and provider/carrier-class solutions, he added.
Jim Reavis, co-founder of the Cloud Security Alliance, said he expects
to see a rebirth of the governance, risk and compliance market as more
structured and automated approaches to governance will be necessary. IDM
(Identity management) will also experience growth "as federation of
identities and single sign-on become a necessity, while the scope of IDM will
extend beyond users to devices, applications and data," Reavis said.
Cloud providers need to focus especially on operational visibility, one of "major
deficiencies across the cloud provider landscape," Penn wrote. But just as
technology is important, so is the emergence of better industry standards.
"Certifications and other operational standards such as SAS 70 Type II
(or even the new SSAE 16 designed to replace it), SEI CMMi and ISO
27001 are ill-fitted assurances for the security of cloud environments,"
Penn wrote. "Nor can SLAs [service-level agreements] sufficiently cover
everything: Adopting organizations need more detail and concrete assurances of
operational practices-such as specifying both the control technologies and
policies in place, access to system logs, and regular communication of results
from security scans-rather than relying on general contract language."
Allen Allison, chief security officer at NaviSite, said there should be a
revamping of all security standards as they relate to hosting in the
"A set of standards that dictates the expectations of various types of
clouds and how they offer security and compliance would be expected in order to
progress [with] adoption of cloud services," Allison said. "However,
it must be understood that not all clouds are the same, not all security
requirements are equal and not all customers have the same level of
expectations; thus, costs of compliance should be considered as standards for
cloud security are developed."