The New Economics of Cloud Security

Your Cloud Journey Has Begun. Now Comes the Fun of Figuring Out How To Secure IT

Capturing the benefits of speed, scalability, and agility from your cloud applications is a precursor for business success. And that is why you are deploying more applications and workloads with critical business data in the cloud. You might be developing new workloads and Software as a Service (SaaS) applications to take advantage of the public cloud, or migrating existing applications. You might be a 100-year-old enterprise, or a born-in-the-cloud shop. No matter your situation, it is highly likely that you are using the cloud as your infrastructure of choice for rolling out new business applications. Meanwhile, the frequency, sophistication, and diversity of global threats continue to increase. So to take full advantage of everything the cloud gives you, you must enable relevant controls across a more complicated infrastructure.

But the flexibility of the cloud and its use of integrated services make securing it different from securing on-premises applications, workloads, and data. You have to invest in different tools, implement different processes, and find and retain staff with cloud expertise. And let's be honest: even though you may be doing it today, you shouldn't deploy a new cloud-based workload without a thoughtful security strategy in place.

Part of getting cloud innovation right is enabling security up front. And if it's done properly, you can use the benefits of security solutions built for cloud to your advantage—as opposed to using legacy on-premises security solutions that will slow down your cloud deployments, and may leave your data and applications exposed. The speed of cloud innovation requires a security solution designed to work in the cloud to lower costs, speed up deployment, and reduce risks. That's the new economics.

Legacy Security Tooling: Difficult to Manage. Expensive. Risky. Other Than That, It Works Great

Until now, organizations that have addressed security have taken the conventional approach: buy and deploy third-party security software and find and retain the security staff to make sure that it is working around the clock. And this is for the few companies that can afford it—since the cost to build out a minimally viable, fully functioning 24/7 security operations center can run millions of dollars per year.

To effectively protect cloud-based workloads with the legacy approach, you would have to do the following:

  • Purchase, deploy, integrate, tune, and manage a variety of security products that are capable of detecting and protecting your cloud-based workloads and web applications—all across a variety of attack vectors targeting your web- and server-based applications and their data.
  • Reconfigure your cloud infrastructure to conform to the requirements of on-premises security tools.
  • Hire and build out a threat intelligence team that is capable of understanding the threat landscape, attack patterns and evolving toolkits used—the team needed to determine when and how exposures and events should be addressed.
  • Hire enough experts to staff a security operations center 24/7 to monitor your environment, filter through the thousands of events your tools are generating, and prioritize vulnerabilities to fix and identify attacks before they damage your business.

Not a pretty picture. And even if you do all of the above, you'll still very likely fall short of your goal. Here's why.

Even If You Build Your Own Security Operations Center, There Is No Guarantee It Will Be Effective

It's inevitable. In-house security teams end up struggling with a wall of noise: a glut of logs overflowing with discrete security "events" that reveal attackers attempting to penetrate systems, leaving precious little time to deal with actual security incidents.

A typical customer is inundated with thousands of these alerts on a daily basis. Many of them are false positives: they look like threats, but they're really not. Meanwhile, other events that are legitimate get lost in the noise. And sophisticated attacks are leveraging methods that appear to be legitimate transactions but are in fact malicious in nature—using methods including SQL injection and cross-site scripting. These attack methods can require petabytes of security data to be analyzed, since no signature or rule-based detection method alone can identify these customized attack patterns.

Why go down this path just to build another problem for yourself? And moreover, why stick yourself with a security infrastructure that undermines all the great reasons why you went to the cloud in the first place?

How Can You Protect Your Assets Without Slowing Down Your Cloud Agenda? Or Breaking the Bank?

It's a quandary. You need to be able to launch new security controls as quickly as you launch new cloud services, or you lose the very advantages that prompted you to undertake your cloud investments in the first place.

You need to:

  • Protect more data assets, applications and workloads against an ever-growing variety of advanced threats.
  • Protect workloads owned by application developers and lines of business—workloads that can scale up or down in minutes depending on customer demand.
  • Keep your top-line generating cloud applications and workloads available.
  • Meet both customer and regulatory compliance requirements—mandates that you can't ignore but that require you to invest in staffing and tasks that don't build value for the business.
  • Move at cloud speed, supporting ever-compressed continuous delivery cycles.
  • Do it all for the same budget.

So…welcome to the new economics of cloud security. While the old way was a balancing act between controlling risk and cost, in the new economics, you also have to factor in the speed of the cloud. And not surprisingly, the solution is cloud based, too: a fully managed Security-as-a-Service solution built to protect cloud applications and workloads. Out with the old economics. In with the new.

New Economics Principle #1: Ditch the Ridiculously Huge CAPEX and OPEX Costs.

Security the old way is a huge capital and operational expense, treated as an unavoidable cost of doing business. With a fully managed Security-as-a-Service solution, you slash the overhead and can spend your IT budget on innovation and growing the business.

  • Eliminate large up-front capital expenditures. A monthly subscription eliminates large up-front payments for purchasing security software and hardware devices.
  • Lower ongoing costs. A fully managed Security-as-a-Service based solution handles the updating, patching, tuning, and configuration of security services, lowering ongoing operational costs. And an integrated team of security experts—included in the subscription—monitors, triages, enriches, and escalates the right security incidents so you avoid the hidden costs of effectively managing today's complex threats and compliance requirements.
  • Simplify workload security. Combining configuration and application vulnerability assessment, 24/7/365 threat detection, the ability to block malicious activity targeting your web applications, and compliance attestation into a unified service simplifies your security program.
  • Avoid investment in redundant security tools. A "single pane of glass" approach secures on-premises, hosting, and cloud environments with one solution.

New Economics Principle #2: Get More Value from Your Security Investments—Faster.

Security the old way involves spending bucketloads of time up front before you can thwart a single attack. A fully managed Security-as-a-Service solution helps you realize faster value from your security initiatives and your cloud initiatives overall.

  • Launch rapidly. Reduce the time of deployment from months for building your own security operations center to days using an integrated Security-as-a-Service model.
  • Keep the business running. Quickly meet regulatory, industry, and customers' security requirements, and safeguard your customers and organization without lengthy procurement and deployment cycles.
  • Leverage the broader threat intelligence network. Without having to monitor it yourself and without building your own threat intelligence team.

New Economics Principle #3: To Secure the Cloud, Use A Solution Built For The Cloud.

It only makes sense that if you're going to secure cloud applications, your security approach should also take advantage of everything the cloud gives you. Including speed and instant scalability, which are some of the biggest reasons you went to the cloud in the first place.

  • Eliminate choke points in application delivery and performance with API integrated controls.
  • Keep pace with elastic workloads with auto-scaling support.
  • Scan for application and configuration vulnerabilities in minutes during building, testing, and production.
  • Deploy controls in minutes through integration with Amazon Web Services and Microsoft Azure APIs, Chef recipes, and Puppet templates.

New Economics Principle #4: Reduce Your Risk. And Look Like A Financial Genius While You Do It.

Security the old way says to reduce your risk, you pour resources into security controls and expertise. A fully managed Security-as-a-Service solution lowers your overall risk in a way that just makes sense: offloading the task to someone who already has the infrastructure, data, analytics platforms, continuously evolving detection capabilities, and security experts in place.

  • Holistic risk reduction from one vendor, spanning exposure assessment, intrusion detection, and web application access control, using an integrated system that is proactively managed and monitored by global security operations experts
  • Threat avoidance through advanced detection and assessment technologies and expertise that focus on confirmed and verified incidents, not just events
  • Controls that span workloads across locations, applying the right method to detect and block the attacks targeting your environment
  • Multiple detection methods applied in concert, augmented with the in-depth knowledge and common sense of global security specialists

The New Economics Is Here. How the Heck Do You Take Advantage of IT?

The new economics of cloud security is about striking the optimum balance between risk, cost and speed. You can't let security get in the way of the speed the cloud gives you.

Alert Logic® puts the new economics of cloud security to work for you, with fully managed security delivered as a service and built for cloud and hybrid environments. This makes it easy to purchase, launch, and achieve your security goals, all without investing in in-house cloud-security expertise.

  • No large capital investment, lengthy implementation, or heavy training requirement
  • Simple subscription model that protects at a much lower cost than traditional security solutions
  • No software upgrades to manage or expensive security experts to train and retain
  • Security technology backed by a team of certified security and compliance experts working 24/7 to keep your data safe and secure and your environment compliant
  • Management and monitoring by security experts for continuous protection
  • A single vendor that supplies an integrated security value chain—from products through services—to assess, detect and block threats and meet compliance mandates

Case Study

Bentley Systems provides software tools that support some of the world's largest construction projects, including roadways, bridges, airports, skyscrapers, and industrial plants. The high-profile nature of the projects dictates that security and data integrity are always major considerations.

By turning to Alert Logic for security, Bentley:

  • Attained compliance with key industry standards, including Sarbanes-Oxley and the stringent ISO 27001 information security mandate.
  • Met its goal of achieving scalability, flexibility, and the ability to perform across a diverse set of environments, both on-premises and cloud based.
  • Handled requirements for intrusion detection, vulnerability assessments, and real-time log file collection and management.
  • Secured applications, workloads, and data hosted by Microsoft Azure, Amazon Web Services, and Bentley's regional cloud provider.