RSA 2009: Cloud computing will disrupt security market

Some changes good, some bad

Cloud computing providers may spend more on security than enterprises

The growing popularity of security being offered over the cloud will be a major disruptive force in the industry, according to Philippe Courtot, chairman of Qualys.

In his keynote to the RSA 2009 conference, Courtot said that the move to a cloud model for security was essential, since current security methods were failing. To back up his point, Courtot said that five years ago it would take 30 days to address half of a network's vulnerabilities, and that today, according to a recent Qualys study, that figure had barely dropped to 29.5 days.

“Something has to change. The cloud is going to be very disruptive but it offers some key advantages,” he said. “One big advantage of the software-as-a-service model is you don't need to do a complex proof of concept, you can 'try and buy'. It also gives users the ability to switch, as long as you can take your data and run.”

This would be highly disruptive to security product and service vendors, he continued. In the future, the most important purchasers of security products would be cloud suppliers, not enterprises, Courtot predicted.

However, several hurdles need to be overcome before the cloud model is complete, he said. Above all, the industry needs a secure browser. He praised the recent return of competition to the browser market and said that we would soon see a robust browser that could provide stability and security.

For the chief security officer, the road ahead is more complex, since they will have to both manage existing systems and learn about the new cloud architecture. Nevertheless, security professionals would still be needed to be the final arbiter of any changeover to a cloud model, Courtot said.

But some, like security guru Bruce Schneier, dispute the claim that cloud computing will be a game changer. In a video interview with vnunet.com he explained his position.

“Cloud computing isn't anything new, it's the old client/server model,” he said.

“Fundamentally, when you deal with computers in any form you have to trust your vendors, whether it's your operating system vendors or your application vendors or your service vendors.”