Two “mega-risks” that must be tackled when adding cloud services to your offering
Originally published in Security Dealer & Integrator magazine, August 2016
There are two megatrends that are disruptively impacting many industries – including security – and they both amplify the risks that integrators and cloud offering providers have relating to cloud-based services. They impact the design, manufacture and delivery of any cloud-based or cloud-assisted electronic physical security systems technologies. They are:
- Continually accelerating widespread technology advancement; and
- An epochal never-happened-before shift in control of the seller-customer marketplace.
Technology advancement is a given, and we all know this, but we are not good at grasping the ever-accelerating aspect of it. We also tend to think of the ongoing marketplace shift as “commerce moving online”— but there is much more to it than just a change to internet-based business transactions. In other words, we are underestimating the impacts of the two trends that are having the greatest impacts on security industry companies and customers.
These megatrends are bringing significant risks to security industry companies – especially integrators. Thus, without understanding the risks and challenges of these trends, it is easy it to make deal-killing and company-crippling mistakes without ever realizing it. The flip side is that with sufficient understanding of the challenges, it is just as easy to make deal-ensuring and company-advancing moves.
Mega-Risk
The term “mega-risk” applies to many risks resulting from these highly disruptive megatrends. It has often been said that with risk comes opportunity; however, grasping such opportunity requires an understanding of the risk and a strategy to take advantage of the opportunity. Trying to take business advantage of the opportunities that cloud computing provides without understanding the full risk picture is easily a recipe for disaster.
Marketplace Shift
An epochal marketplace shift is causing the 10,000-year-old “Age of the Seller” to be replaced by “The Age of the Customer®” – according to Jim Blasingame, author of the book The Age of the Customer (www.ageofthecustomer.com).
One of the most important things to know about the epochal marketplace shift is that it is an amplifier of many seller-side risk factors. Information in social media and online communities can have much greater reach and influence than a company’s own marketing messages do. That is phenomenally good when the online information is in a company’s favor; and phenomenally bad when the company is making mistakes and doesn’t know it. The worst-case situation is when the world (i.e. the company’s prospects and customers) finds out before the company does.
Blasingame explains, “For millennia, the marketplace dance between seller and customer was as beautifully simple as it was exquisitely effective, having at its nucleus three primary relationship elements:
- The product, controlled by the Seller.
- Information about the product, also controlled by the Seller.
- The buying decision, controlled by the Customer.
Then something happened that accomplished what no other event or innovation had been able to do for 10 millennia—the birth of a new Age.
In the new Age, the millennia-old marketplace dance is still beautifully simple. But the Age of the Customer has created a shift in who leads when the two dancers come together. Here’s the new paradigm:
- Products and services are still controlled by the Seller.
- The buying decision is still controlled by the Customer.
- Access to information, including customer experience, is now controlled by the Customer.
As you can see in the graphics below, the elements have shifted in terms of who controls of the relationship.”
Figure 1. The epochal permanent shift in control from seller to customer.
Image Source: The Age of the Customer, page 26
Blasingame further explains, “Compared to the historical timeline and pace of marketplace evolution, the shift to the Age of the Customer is happening at light speed. Nevertheless, since the Age of the Seller was the original standard by which markets were born and flourished for thousands of years, complete conversion will take time. Consequently, the two Ages now exist as parallel universes and will do so until the old Age finally succumbs to the new one.”
Figure 2. Parallel Universes.
Image Source: The Age of the Customer, page 29
This means that in less than 10 years, businesses will either have converted their business plans to account for doing business in the age of more customer control, or they will continue to operate using outdated thinking until the diminishing supply of old-style customers is depleted, and they are left with no business prospects.
Get Blasingame’s book to understand fully why security industry business model disruptions are not solely caused by disruptive technologies (as is commonly discussed), but are also due to the larger and more powerful force that is creating a permanent shift in the way customers are willing and able to do business.
Mega-Risk No. 1: Sellers Can’t Hide Mistakes
Seller mistakes and deficiencies are amplified by 21st century customer online communities. This is a more significant and growing risk than most sellers realize. As Blasingame explains in detail in Chapter 6, “The Influencers”, and as I am oversimplifying here, the growing trend is for prospects and customers to go first to independent online sources of information about a seller and the seller’s products, and then use that information to evaluate the seller and the seller’s own information. A customer can self-qualify as a prospect for a seller’s offering, without any direct contact with seller, and then can disqualify the seller also without any direct contact with the seller, and quickly move on to the seller’s competition.
The negative effects of making mistakes in seller verbal and written information are amplified as described above. This is happening in all industries, including the security industry. When it comes to cloud computing and cloud services, there is a large universe of cloud-savvy IT and business personnel who are very knowledgeable about cloud computing, cloud services and cloud-based offerings. It only takes one individual who is more technically savvy than the seller’s own marketing, sales or technical personnel are, to identify and shine a spotlight on a seller’s disqualifying mistakes. The same is true for any negative experience that a customer has with a seller.
This is a particularly important consideration for security industry companies who are offering, or planning to offer, cloud services. End users have communities where security related cloud services are being discussed and evaluated. Security integrators also have such communities, including IPVM.com.
There have always been risks relating to vendor mistakes and deficiencies, but Mega-Risk No. 1 amplified them to such a degree that Mega-Risk No. 2 is a serious consideration.
Mega-Risk No. 2: Inadequate Understandings of Advancing Technologies
For example, let’s look at how an inadequate understanding of cloud computing security – and the cloud itself – affects the security industry’s cloud computing arena. Security is one of Microsoft’s key selling points for its Azure brand of cloud services. Microsoft provides plenty of information about the security features of Azure, including an overview titled, “10 Things to know about Azure Security” (http://bit.ly/azure-security-10-things). When you read this overview, it is plain to see that Microsoft provides security for its own Infrastructure-as-a-Service and Platform-as-a-Service offerings, not for the cloud-service provider’s hosted application. The overview’s initial paragraph says, “Under the hood, the Microsoft Azure infrastructure implements a number of technologies and processes to safeguard the environment. This page covers how Microsoft’s Global Foundation Services runs the infrastructure and the security measures they implement.”
Another article, “Secure an app in Azure App Service” (http://bit.ly/azure-app-security), states, “While Azure is responsible for securing the infrastructure and platform that your application runs on, it is your responsibility to secure your application itself. In other words, you need to develop, deploy, and manage your application code and content in a secure way. Without this, your application code or content can still be vulnerable to threats.” (Bold emphasis in the quote was added for this article.) It is the software provider’s job to design application security into cloud Software-as-a-Service (SaaS) offerings — it is not the job of Azure or any other cloud infrastructure provider. This is the source of Mega-Risk No. 2: Inadequate understanding of cloud computing security.
Recently, several security industry providers of cloud-based offerings have proudly told me that they had moved their offering to Microsoft Azure, because of Azure’s high security. When I asked them to provide me with an application security architecture diagram for their Software-as-a-Service offering, they had no idea what I was talking about. The common response: “It is the Microsoft Azure cloud architecture.”
This could not have been a more incorrect response. The cloud infrastructure platform’s architecture (such as Azure or similar services) is definitely not the same thing as the security architecture for a hosted Software-as-a-Service application. Software application security is completely the SaaS vendor’s responsibility, not that of the cloud platform provider.
Investors, business owners, product managers and resellers all need to have a very clear understanding of this. I know of several security industry companies with SaaS offerings whose owners and investors will not allow them to spend money on documenting their security – or fixing it if need be – until a specific sales or profitability target is reached. If the company cannot provide documentation on the security of its SaaS offering, how can a customer’s technology evaluator approve the use of that offering?
A lack of security documentation puts a lid on sales, especially as prospective customers disqualify the vendor and spread the word. Any owner or investor should be able to prove to a cloud-knowledgeable evaluator that the security of its cloud-based application is sound and based on good practices. As mentioned in the previous article in this series, the Cloud Security Alliance (CSA) is defining and raising awareness of best practices for a secure cloud computing environment. The same companies I recently talked to, who had misunderstandings about the scope of Azure security, also had no knowledge of the Cloud Security Alliance – and neither did their software developers.
Heaven forbid that someone from a prospective customer’s IT department should start asking questions to the folks that I had previously talked to. It’s okay not to known an answer; it’s definitely not okay to give a wrong one.
Look for follow-up articles in the coming months, with various perspectives on cloud-computing-related opportunities for integrators, including more mega-risks in the next article.
Other Articles in this Series
This is the fourth article in Ray Bernard’s series dealing with cloud-based systems
Here are links to the other articles:
Avoid Key Cloud Services Mistakes
(SD&I March 2016)
www.SecurityInfoWatch.com/12177153
Cloud Computing: Clarity or Confusion?
(SD&I June 2016)
www.SecurityInfoWatch.com/12211857
Evaluating a Cloud-Based Service
(SD&I July 2016)
www.SecurityInfoWatch.com/12223384