Cloud Computing to Fuel Security Market, Forrester Says

A new report from Forrester Research projects that the cloud security market will grow to $1.5 billion by 2015—a shift that will disrupt what Forrester calls the "security solution ecosystem."

In a report entitled "Security and the Cloud," Forrester analyst Jonathan Penn predicted that rather than reallocating portions of existing security budgets to cloud computing, organizations will allocate money to security within cloud projects—creating "a whole new category of revenue for the security market."

"I’d still say that there’s a lot more activity on SAAS [software as a service]-enabling security solutions—security in the cloud—than solutions that secure cloud," Penn told eWEEK.

"Concerns about cloud security have grown in the past year," he added. "In 2009, the fear was abstract: a general concern as there is with all new technologies when they’re introduced … Today, however, concerns are both more specific and more weighty. We see organizations placing a lot more scrutiny on cloud providers as to their controls and security processes; and they are more likely to defer adoption because of security inadequacies than to go ahead despite them."

In the report, Penn wrote that the areas most likely to provide opportunities in the cloud for vendors are data security, identity and access management, cloud governance, application security, and operational security.

"Tailoring solutions for the cloud is not simple and requires far more than improving scalability," Penn wrote in the paper. "Forrester sees many security vendors still trying to resell hosted boxes to cloud providers without understanding the nature of the integration into a provider’s operational environment that is required… Even if you’re already selling a product internally to providers for their own protection, selling it to service providers so that they can deliver it as an added service is totally different. Products need a range of hooks and APIs to support providers’ proprietary tools (e.g., for service desk and billing functions); configurable interfaces and portals … and a change in consumption model."

Many vendors do not truly understand the difference between enterprise-class and provider/carrier-class solutions, he added.

Jim Reavis, co-founder of the Cloud Security Alliance, said he expects to see a rebirth of the governance, risk and compliance market as more structured and automated approaches to governance will be necessary. IDM (Identity management) will also experience growth "as federation of identities and single sign-on become a necessity, while the scope of IDM will extend beyond users to devices, applications and data," Reavis said.

Cloud providers need to focus especially on operational visibility, one of "major deficiencies across the cloud provider landscape," Penn wrote. But just as technology is important, so is the emergence of better industry standards.

"Certifications and other operational standards such as SAS 70 Type II (or even the new SSAE 16 designed to replace it), SEI CMMi and ISO 27001 are ill-fitted assurances for the security of cloud environments," Penn wrote. "Nor can SLAs [service-level agreements] sufficiently cover everything: Adopting organizations need more detail and concrete assurances of operational practices—such as specifying both the control technologies and policies in place, access to system logs, and regular communication of results from security scans—rather than relying on general contract language."

Allen Allison, chief security officer at NaviSite, said there should be a revamping of all security standards as they relate to hosting in the cloud.

"A set of standards that dictates the expectations of various types of clouds and how they offer security and compliance would be expected in order to progress [with] adoption of cloud services," Allison said. "However, it must be understood that not all clouds are the same, not all security requirements are equal and not all customers have the same level of expectations; thus, costs of compliance should be considered as standards for cloud security are developed."