We've gone through many of the varied offerings available in the cloud, ranging from software as a service (SaaS) and platform as a service (PaaS) to infrastructure as a service (IaaS) and identity as a service (IDaaS). An emerging trend is the offering of security as a service (SecaaS), which is designed to address the sense of insecurity in the largely unknown and uncontrollable environment of cloud computing. SecaaS attempts to respond to the numerous security gaps that exist in diverse cloud implementations.
What is SecaaS?
“Security as a Service (SECaaS) can address a number of cloud security needs in the same way we see other deliveries. Several security tools available in non-cloud environments could be offered such as IDS as a Service, Virus Protection as a Service, Logging as a Service, Identity Management as a Service, Cryptography as a Service, and many others addressing cloud vulnerabilities.”
Others classify SecaaS as a sub-type of software as a service (SaaS), since in this view security is the delivery of second-tier infrastructure components, such as log management and asset tracking, as a service.
Advantages and Risks of SecaaS
Cloud customers who choose to use SecaaS options may have access to a diverse set of services which can address their security issues. There are a number of advantages, briefly described below:
- Multiple Services – Within a corporate environment, security tools are normally chosen from one vendor or one technology as a result of budgetary limitations. In the cloud, an organization could select from multiple SecaaS solutions that meet the same objectives.
- On-Demand Costs – Security offerings might be better suited for on-demand needs, as they require no permanent investment.
- Focus – SecaaS providers might be more focused, as they would offer a more specialized profile of services, and thus better prepared to deliver cutting-edge products. Furthermore, outsourcing security tasks would allow an organization to devote more time and resources to developing its core competencies.
- Readiness – Automated failover capabilities and high SLA (service level agreement) assurance might be offered by SecaaS.
As attractive as these advantages may appear, it’s important to note that SecaaS also brings with it a set of risks. These are introduced below:
- Domino Effect – SecaaS can negatively affect the cloud environment in the event of a security feature malfunction, or if there are weaknesses that generate a cascading scenario. This might take place in the event of a service being hacked or broken, which would lead to a domino effect because of the scale of the cloud.
- Shared Nature – Shared tools are a major concern of skeptical users; however, the centralized model compensates by delivering a patched, updated and best-practices-aligned solution.
- General Approach – The use of centralized solutions places a limitation on the consumer’s ability to customize service deliveries. This might force clients to adapt their processes or business characteristics to available security treatments, if they are somehow affected or restricted by their service providers.
Challenges for SecaaS
Given the numerous architectural, functional and intrinsic aspects of security as a service, there is no doubt that future SecaaS offerings must overcome a host of challenges and obstacles. Experts point out that the largest challenge is developing an internationally-accepted framework, or taxonomy, for security delivery which includes minimal specifications. Other challenges for SecaaS include:
- Abuse and nefarious use of cloud computing
- Insecure application programming interfaces
- Malicious insiders
- Shared technology vulnerabilities
- Data loss/leakage
- Account, service, and traffic hijacking
- Unknown risk profile
CSA SecaaS Working Group
In June 2011, the CSA (Cloud Security Alliance) sent out a call for contributions on a SecaaS Working Group. The CSA’s mission statement is “to promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.” As such, the goal of the SecaaS Working Group is to provide more clarity on the area of security as a service, produce a whitepaper as a result of SecaaS research, and develop a new domain for version 3 of the CSA guidance.
According to the CSA, the motivating factors for implementing this Working Group are as follows:
“Numerous security vendors are now leveraging cloud based models to deliver security. This shift has occurred for a variety of reasons including greater economies of scale and streamlined delivery mechanisms. Regardless of the motivations for offering such services, consumers are now faced with evaluating security solutions which do not run on premises. Consumers need to understand the unique nature of cloud delivered security offerings so that they are in a position to evaluate the offerings and to understand if they will meet their needs.”
This article introduces security as a service (SecaaS), which attempts to respond to the numerous security gaps that exist in diverse cloud implementations. After defining SecaaS, the article looks at the advantages (e.g. multiple services, on-demand costs, focus and readiness), risks (e.g. domino effect, shared nature and general approach) and challenges of these offerings. Finally, it covers the CSA’s new SecaaS Working Group, launched in June 2011.
CCSK Exam Preparation
In preparation for the Certificate of Cloud Security Knowledge (CCSK), a security professional should be comfortable with topics related to this post, including:
- Cloud service models (Domain 1)
- Compliance impact and analysis requirements (Domain 4)
- Differences in SPI models (Domain 10)