The shift away from security products to services at
Infosecurity Europe in London shows that the industry is
maturing, says Bruce Schneier, chief security technology officer at
BT.
Clients care less about the details than about the end result,
he told Computer Weekly. Business is also becoming more confident
about outsourcing security-related functions.
Schneier predicts that this maturity of both business and
service providers will continue to grow so that within three years
much of IT security will be outsourced.
The trend, he said, will be to retain only a small group of
people inside organisations to direct the security strategy and
call in outsourcers when they need to.
Organisations will outsource IT security in the same way that
they outsource security guards and alarm systems and most other
kinds of infrastructure today.
"Outsourcing is really what cloud computing is about, but
service providers need to be transparent enough to enable
businesses to make good outsourcing decisions," said Schneier.
The transition to cloud-based IT security services should be
fairly advanced within the next five to ten years as service
providers put all the necessary liability structures in place.
Guy Bunker, chief architect in the data management group at
Symantec, says the move to cloud-based IT security and other
services is inevitable because of increasing complexity and lower
cost.
However, he believes it will take a lot longer than a decade
for the emerging cloud-based services industry to adopt low-risk
standards.
Secure cloud-based services depend on industry-wide adoption of
standards around user authentication and data exchange, storage,
encryption and disposal, but this will take time, he said.
Considering that after 10 years there are still no industry
standards around data archiving, Bunker is not optimistic that
standards for cloud-based services will happen very soon.
Progress towards industry-wide agreements on IT standards
typically happens with the "speed of a striking slug", he said.
In the meantime, Bunker predicts most businesses will adopt
cloud-based services "only where it makes sense." The decision
should be based on a careful analysis of risk and benefit.
The danger lies in the fact that many organisations are unlikely
to be aware of the potential risks involved because they do not
know the right questions to ask service providers, he said.
"In an economic downturn the temptation will be to go for cheap
services without proper consideration of the security risks," he
said.
A lack of standards creates the potential for problems with data
availability and security that businesses need to understand before
they can make informed decisions, said Bunker.
Without standards it will be difficult to formulate meaningful
service level agreements, so organisations need to find out exactly
how service providers will handle data.
Businesses will be able to assess the true risks, said Bunker,
only once they know where data will be stored, how it will be
secured, and how security processes will be reported on and
audited.
"Cloud-based services can be secure, but only if business truly
understands the risk," he said.