Cloud Computing

Are Cloud Providers ‘Too Big to Fail’ – Let’s Hope So

In a rather ludicrously titled article (yes, even for me!), “‘Too big to fail’ cloud giants like AWS threaten civilization as we know it”, the author nevertheless addresses an interesting point. And while I almost entirely disagree with the final conclusions, they represent a valid, if extreme, viewpoint. If those conclusions are a little self-serving, this can be forgiven in light of my own issues with some Cloud Providers.

The basic premise is that traditional hardware (servers etc.) sales are dropping, while cloud-based and managed services are on the rise. With the corresponding drop in hardware related skills (no demand), eventually we’ll be dependent on one of the big providers (Amazon, Google & Microsoft).

This is apparently very bad, as: “If one of these goes down hundreds of thousands of other companies go down too.” This is the “interesting point” I referred to earlier; unfortunately the reasoning presented simply makes no sense. The two examples provided are:

  1. power grid failures or natural disasters – with the fallout propagated worldwide; and
  2. AWS’ hiking of its UK prices post-Brexit as an example of how quickly customers could be affected.

First, suggesting that Google, Amazon or Microsoft have a single point of failure that could take them down globally is ridiculous. Second, with regard to price fluctuations, this is likely the result of organisations choosing a provider based on price alone, and not performing adequate due diligence. In trying to save money by using a US based provider, and not writing mitigating language into the contract, you are the ones leaving yourselves exposed.

I’m really not picking on either the subject of the article, or the author, I’m just using this to demonstrate my point. Cloud services, done PROPERLY, are the future. Or without the stupid buzz-phrase: outsourced services over the Internet are the future of infrastructure management. The issue is that a lot of Cloud services are abysmal, and the due diligence performed by many organisations is nothing short of a disgrace.

But outsource they will, and they should. For example, how many organisations really want to hire dedicated teams to perform all of the following:

  1. Design Operating System Hardening Guides;
  2. Build and maintain servers;
  3. Install and configure all relevant security software/applications;
  4. Patching and Vulnerability Management;
  5. Data Encryption;
  6. Access Control;
  7. Logging & Monitoring;
  8. …and the list goes on.

Whilst finding a single cloud provider to take care of all of this is almost impossible at this stage, that’s where it’s going. Only the economy of scale available to large providers can make these offerings cost effective enough to be an option for non-enterprise businesses. And frankly, the only businesses who actually care about how data is made available are the ones being paid to make it happen for someone else.

The motivations behind the referenced article are rather simple to deduce: a) they have a vested interest in selling hardware, and b) they can make more money through channel than Cloud.

Fair enough, but channel’s loss of market share, and their inability to pivot is entirely their fault. They are now suffering because they have never tried to put their products into perspective. The rush to maximise profit margins was at the expense of making themselves a truly valuable partner.

If channel had only put a consulting wrapper around their offerings, they could still be selling solutions, not stuck trying to flog pieces of metal and plastic.

Perhaps this article will make more sense now that they are feeling the pain: Attention Channels/Resellers, Don’t Forget Consulting Services!


Attention Channels/Resellers, Don’t Forget Consulting Services!

A long time ago, on a career path far far away, I was responsible for the delivery of security consulting services across the EMEA and APAC regions. Even as someone fairly new to a Director level role it was clear that any company not selling cybersecurity through as many external channels as possible would be hard pressed to cover enough ground to achieve significant success.

It was also clear to me that it was the cybersecurity resellers (VARs and the like) who were best placed to cover more ground than any internal team could possibly hope to match. Plus, most of the bigger VARs already had potential pipelines hundreds strong, because EVERY organisation that has bought security relevant equipment is a target for security relevant consulting. They may not know it or even want it, but they will at least understand why they were approached.

The only problem was that not one VAR gave a damn, and the main reasons were two-fold:

  1. Consulting cannot be commoditised – VARs are generally ‘box shifters’, they sell a piece of equipment at a profit and move on. Selling consulting of any sort is a significant learning curve, an investment of effort no VAR was prepared to make; and
  2. Not enough margin – VARs are used to significant margins on hardware, there’s not much wiggle-room in the world of consulting. Especially in the hugely price-compressed world of QSAs/PCI for example.

Both of these are fair points, and there are challenges that I have not mentioned. There are also undoubtedly others of which I am not even aware, but I still think VARs have missed an enormous opportunity. Assuming, of course, they actually have their clients’ best interests at heart.

When a security consultant performs a gap analysis they will cover almost every aspect of a cybersecurity program, including the security controls in place: from network devices and servers, to more ethereal products like data loss prevention (DLP) and web application firewalls (WAF), to software like anti-virus, file integrity monitoring (FIM) and encryption. All controls are examined in turn, gaps documented, and an acceptable remediation plan agreed with the client.

What you now have is a laundry list of EVERYTHING the customer needs to properly manage their security program. There is no way a VAR would ever have been able to cross-sell / up-sell to that extent. Even salespeople working at security consulting companies rarely have this kind of insight! A good consultant can expose opportunity like no VAR in the history of VARing.

No, I am not suggesting that VARs hire security consultants to help sell technology the client doesn’t need; in fact, there are times when a consultant will prevent a client from buying technology for which the client simply has no use or cannot possibly manage. What I am saying is that most organisations want to buy from a trusted vendor, but rarely know the right questions to ask. Too often they end up with what they asked for, not what they needed. VARs will not know the difference; a consultant will.

The fact remains that all organisations who don’t have in-house expertise need help at some stage: a network administrator can install and manage a firewall, but it takes a security expert to optimise the architecture based on the business processes. A SIEM administrator can import logs and generate alerts, but it takes a security expert to optimise the output for incident response. And so on.

It’s the VARs who help their clients manage not only their technology needs, but their business needs who will truly make a difference. And a lot more money.
