by Dana Tierney, Senior Assistant Editor
"Corporate data wants to be available from anywhere," said Philippe Courtot, Chairman and CEO of Qualys, in a keynote address at RSA Conference 2009.
Fifty percent of corporate data resides unprotected on PC desktops or laptops, and one in ten laptops is lost or stolen within one year of purchase. In addition, today it takes 29.5 days on average to eliminate half of known critical vulnerabilities, he said, citing Qualys research presented at the conference by Qualys CTO Wolfgang Kandek.
Why is security so hard? It has too many variables in the current computing environment and too many security patches; its landscape changes too fast, and new releases appear too slowly. But new factors have emerged, such as Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) providers. "Who would have predicted that Amazon would become a potentially significant player in the high tech industry?" he asked. But, he said, it makes perfect sense if you think about it, because they have invested in building a global infrastructure. Amazon has proven to be a dark horse, said Courtot. "Now that they have built all that infrastructure they have a huge cost advantage," and Microsoft is actually scrambling and "burning the midnight oil" with its Azure product to keep abreast of EC2.
The information technology business needs to be agile, Courtot said. Today's supplier could be a competitor tomorrow, and globalization provides added complexity. Why is cloud technology so disruptive? At one point SaaS was thought "beautiful," but for small and medium enterprises (SMEs), not for enterprise organizations, because it did not have the IT resources they need. But cloud computing has proven that it eliminates costs and complexities and scales in multiple ways.
The same solution that used to reach out to a few thousand people can now reach out to millions, he said, and you no longer need "all the high-level lifting and integration." When you have a technology like Amazon's that scales at the size of the planet, your incremental costs are "absolutely small." You can achieve policy compliance "with a few engineers" and you don't need to go through a complex try-and-buy process with your vendors. Users also gain a better or easier ability to switch, as long as they have specified the right in their contract to take their data and run.
Economic crises such as we face will accelerate adoption of the cloud. It's been around for more than ten years, though, so why embrace the cloud now? The answer lies primarily in previous resistance to change. There were other factors, such as limitations in JavaScript's attempt to reproduce an interactive UI. AJAX needed to escape from Microsoft. And there was the dot bubble.
"I put my own money into Qualys because the VC we had did not want us to continue," he said. But now, a tsunami of enterprise SaaS solutions is coming to a browser near you.
But what about security? "In a counter-intuitive reality," Courtot said, security can be made more granular and invisible in the cloud. This is possible because outside the cloud, the data is stored everywhere and we have lost control of that data ... once the data is in one place, then the magic happens. You can now invest the money to secure the infrastructure of that one place and you can control the access to that data.
Courtot explained the implications of cloud computing for the high tech industry. It is not economical any more to buy and maintain hardware and software, not because of the software, but because of the personnel needed to maintain it. Consolidation is accelerating because of the savings it allows on the costs of server and server upkeep. Also, he has seen a major shift in those who are buying security solutions. The buyers of today are the enterprise. The buyers of tomorrow are the cloud computing vendors. You cannot lock them in any more. For instance, he said, his company currently uses Oracle, but if he can get the "same performance or better at a fraction of the cost I will switch, and why? Because our customers don't care anymore what database we use."
"Who would have thought Amazon would be a player? It is not about the survival of the fittest or of the biggest but of the one who adapts," he emphasized.
In the implications for security professionals there is both good news and bad news:
"Resistance not an option any more," he said. "If you continue resisting the movement to the cloud you will be replaced because the business need is becoming too big."
It is not going to happen in one day, however, and we still need to deal with the current complexity, so security professionals will have a much more strategic role. Obviously there are missing pieces – there are always missing pieces. We need a more secure and advanced browser, with much more interactivity that allows us to span from the laptops to the phones. We also need stronger authentication, federated in the cloud. We need secure, open protocols and standards. We need a legal and contractual framework:
"I urge the vendors to abandon their proprietary agendas," he said, and embrace the changes proposed in such security community initiatives as the Cloud Security Alliance and the Jericho Forum.
"And remember," he said. "In the cloud we trust. But obviously we are security people, so we know it is our job to verify."
The full speech can be viewed at http://media.omediaweb.com/rsa2009/webcast.htm?id=1_3.
Dana Tierney is the Sr. Assistant Editor at House of Fusion, where she causes authors to cry over their once-thought perfect articles. They recover, and their articles are better for it. But still, the sound of grown men weeping...