
IDC SPOTLIGHT: Accelerating Cloud Adoption with Standard Security Measures


IDC 1264


March 2012

Adapted from Worldwide Cloud Security 2011–2015 Forecast: A Comprehensive Look at the Cloud/Security Ecosystem by Phil Hochmuth and Christian A. Christiansen, IDC #230389

Sponsored by Open Data Center Alliance

IDC research shows that worldwide revenue from public IT cloud services exceeded $16 billion in 2009 and is forecast to reach $55.5 billion in 2014, representing a compound annual growth rate (CAGR) of 27.4%. This rapid growth rate is over five times the projected growth rate for traditional IT products, which stands at 5%. The economic downturn has amplified cloud services adoption due to the cost-cutting mantra of most organizations.

Concerns about security, however, still inhibit cloud adoption. The cloud security market is made up of a diverse set of technologies from on-premise software, hardware, and virtualized appliances to security software delivered as a service (SaaS). Various adoption models also exist. Security technology will be a critical component to enterprises in private cloud architectures. Also, cloud service providers (CSPs) will need security hardware, software, and SaaS products to help secure their public cloud service offerings, which can include cloud storage and servers (infrastructure as a service), cloud development platforms (platform as a service), and enterprise and consumer SaaS applications.

This IDC Spotlight examines the cloud market, the need for security, and the role that the Open Data Center Alliance (ODCA) plays in defining standard security monitoring and assurance practices.

Introduction

Cloud services will become a new paradigm of computing over the next several decades — the logical evolution of what IDC has called "dynamic IT" for years. In simple terms, IDC defines cloud services as business and consumer products, services, and solutions delivered and consumed in real time over the Internet. Further, cloud services entail shared access to virtualized resources over the Internet. IDC estimates that cloud services (public cloud) increased 34% in 2010 to nearly $22 billion, or about 1.6% of IT spending, and that percentage should increase to 3% by 2014.

Adoption of cloud will be driven by key advantages, including ease/speed to deploy/run, flexible/efficient pricing models, reduction of in-house support costs, and forced standardization. Another rising driver is the entry of traditional "trusted brand" IT vendors into the cloud services market. The emergence of technologies that amplify the value of the cloud model — including affordable wireless broadband Internet access; lower-cost, rich-function mobile devices (smartphones, mobile tablets, netbooks, etc.); and the growth of "big data" and cloud-based analytics — will also drive cloud adoption. In addition, digitization/transformation of key industries

IDC research shows that, by far, the greatest inhibitors to public cloud services adoption are security/privacy concerns and performance/availability concerns. If vendors fail to demonstrate steady improvements in addressing these concerns — or worse, if there are a significant number of high-visibility failures — these inhibitors could seriously slow growth rates.

The need for security products and technology for Internet-connected IT systems has almost become self-evident, as the volume of online threats increases drastically each year, with the focus of online perpetrators increasingly turning toward theft of personally identifiable information, corporate secrets, and data in general.

From the perspective of cloud customers, today's cloud security is adequate for low-risk, nonstrategic applications. According to IDC research, enterprises have specific security concerns about cloud providers, including the underlying multitenant infrastructure of a cloud service, the ability to manage and control security in a cloud environment, and compliance and auditing issues associated with data on cloud computing infrastructures. As a result, IDC expects more cloud computing providers and consumers to increase their use of security information and event management as well as security and vulnerability management tools over the next couple of years. These are top priorities among enterprises using or considering cloud computing services.

The demand by enterprises for more secure cloud environments will drive security spending by cloud service providers over the next five years — making this segment of the cloud security forecast the fastest growing at a 36% CAGR. As organizations adopt more cloud services and technology, they will expect the same level of security controls and safeguards integrated into the technology as they have with their own internal IT deployments.

The Benefits of Establishing Security Standards

The IT departments of many organizations are increasingly multisource, hybrid organizations taking on the role of "services brokers." In this capacity, IT departments want to manage and monitor internal and external services as a unified portfolio. In this scenario, having standard security levels as well as a standard way of ensuring compliance among cloud providers is critical.

Establishing common levels of security for a range of security functions, including antivirus, physical access controls, identity management, encryption, and so on, can enable cloud subscribers to accurately evaluate offerings among cloud providers and weigh those offerings against their own internal IT capabilities. In addition, subscribers can opt for the appropriate level of security for various applications and services in the cloud.

For cloud providers, standard compliance assurance levels can assure subscribers that their offerings meet industry-accepted levels.

Market Trends

Cloud service providers will gradually increase spending on security products over the next five years; while accounting for less than one-quarter of overall cloud security revenue, CSPs will account for a little less than one-third of this market by 2015. Spending on security products for private cloud environments will be the dominant segment of the overall public/private cloud security market over the next five years, driven by organizations' need for advanced identity, monitoring, policy, data protection, and management tools to control these new, highly automated, virtualized on-demand enterprise datacenters.


IDC groups security products and technologies in the following categories:

• Secure content and threat management including network, endpoint, messaging, and Web security
• Security and vulnerability management including security information and event management, proactive endpoint risk management, policy and compliance, and vulnerability assessment
• Identity and access management including Web and enterprise single sign-on, advanced authentication, and user provisioning

These product categories can be delivered into public/private cloud environments as software licenses, hardware appliances, virtual appliances, or software as a service.

IDC research indicates that organizations considering public cloud technology want to see increased investment in security products and technologies from cloud service providers. According to IDC research, over 50% of organizations considering or deploying cloud technology said that the integration of technologies such as encryption, secure VPN access, and two-factor authentication into cloud offerings would go the farthest in terms of allaying security concerns about cloud in general. Overall, increased usage of security products and technologies is the most desired measure organizations want to see from a potential cloud service provider, more so than other safeguards and assurances such as demonstration of industry security certifications, the ability to monitor patrol systems running in a cloud environment, or even the ability to visit a potential cloud provider's datacenter.

Organization Profile

The Open Data Center Alliance (ODCA) is an independent organization with the mission of providing stakeholders a voice in shaping the future of cloud computing. The ODCA is developing a unified vision for cloud requirements focusing on open, interoperable solutions for secure cloud federation, automation of cloud infrastructure, common management, and transparency of cloud service delivery. Currently, the ODCA has more than 300 member companies worldwide. Membership is aimed at both enterprise IT cloud customers and cloud service providers.

To further its goal to develop a unified vision for cloud requirements, the ODCA recently published eight Open Data Center Usage Models. These member-defined requirements document the most pressing challenges and needed solutions for cloud deployment in four categories: Secure Federation, Automation, Common Management & Policy, and Transparency.

In the Secure Federation category, the ODCA has published two usage models: Security Monitoring and Security Provider Assurance. The Security Monitoring usage model seeks the development and adoption by the industry of a standard interface that allows cloud services subscribers to monitor the security status of specific elements of a provider's services, while the Security Provider Assurance model aims to establish requirements for standardized definitions of security levels within the cloud. When used together, Security Monitoring and Security Provider Assurance are designed to provide cloud subscribers with the following benefits:

• Ensure that a cloud provider meets certain standards and common levels of security
• Compare security levels among different cloud service providers and externally hosted clouds
• Enable organizations that subscribe to cloud services to make more informed choices about the
• Achieve the ability to validate adherence to cloud security standards by either direct assessment or third-party accreditation

Security Monitoring and Security Provider Assurance are designed to enable cloud providers to demonstrate compliance with an industry-accepted standard through certification processes. The Security Provider Assurance usage model defines four levels of security:

• Bronze: Basic security
• Silver: Enterprise security equivalent
• Gold: Financial organization security equivalent
• Platinum: Military organization security equivalent

The ODCA has defined requirements needed to achieve one of the four usage model levels for the following security processes and technologies:

• Vulnerability Management
• Network and Firewall Isolation
• Identity Management
• Security Incident and Event Monitoring (SIEM)
• Data Retention and Deletion
• Confidentiality
• Integrity and Trust
• Availability

Challenges

A core requirement for success in any kind of standards-making body is buy-in from key vendors in the market, and the ODCA has done a good job of garnering support among these constituents. In addition, the ODCA has the support of buy-side organizations that are looking to allay their security concerns regarding cloud computing. One of the ODCA's ongoing challenges will be getting new and smaller players — both vendors and end-user organizations alike that will drive growth in cloud computing — to support standard usage models for Security Monitoring and Security Provider Assurance.

Conclusion

Even as cloud computing continues to grow significantly, organizations remain concerned about security and privacy issues. IDC research indicates that concerns about security are the most significant inhibitors to cloud adoption.


ABOUT THIS PUBLICATION

This publication was produced by IDC Go-to-Market Services. The opinion, analysis, and research results presented herein are drawn from more detailed research and analysis independently conducted and published by IDC, unless specific vendor sponsorship is noted. IDC Go-to-Market Services makes IDC content available in a wide range of formats for distribution by various companies. A license to distribute IDC content does not imply endorsement of or opinion about the licensee.

COPYRIGHT AND RESTRICTIONS

Any IDC information or reference to IDC that is to be used in advertising, press releases, or promotional materials requires prior written approval from IDC. For permission requests, contact the GMS information line at 508-988-7610 or [email protected]. Translation and/or localization of this document requires an additional license from IDC.
