The time has come for the cloud platforms, such as AWS, Google (GCP), and Microsoft Azure to provide security for free to all their customers. There are too many unprotected environments and too much confusion. A free set of security tools that seamlessly integrate with each platform would once and for all drop any excuses not to be secure.
A few years ago, I predicted that the large cloud service providers (CSP), like Azure, are slowly consuming security products and offering them as services. This was not a prediction, but rather pointing out the obvious. This had been going on for years, starting with AWS offering web application firewall as a service. With each passing year, the CSPs have expanded their security services. For example, Microsoft added Sentinel, GCP built Chronicle, and AWS added GuardDuty. Microsoft is particularly aggressive in bundling their security tools and capabilities into Azure and Office 365 platforms.
The CSPs already have the tools. They have the knowledge. They have the ability. Why not give customers free security as part of their hosting costs?
The free offering should be a complete defense in depth platform: endpoint security, vulnerability management, network firewall, intrusion detection, web application firewall, data encryption, identity management, and centralized log monitoring. Unite them into a single console, offer them for free to any customer hosting workloads on the platform.
Why should they do this?
A Case for Free Cloud Security
While there are many reasons for free cloud security, there are three compelling ones that deserve attention:
1. It Would Show a Commitment to Security
CSPs are increasingly entangled in the security of their customers. When there is a breach, customers are quick to blame the CSP. AWS for example has a long history of being blamed for leaky data buckets, which is entirely unfair since they do not control the access rights. Offering a complete suite of security tools, for free, would demonstrate a commitment to ensuring customers host their workloads securely. It also would allow the CSPs to integrate security tools into their templates and blueprints.
2. It Will Accelerate Cloud Adoption
Large and small companies routinely cite security concerns as a primary reason for not migrating to the cloud. This 2019 story validates that thesis. Offering free security would encourage a lot of companies (even enterprise sized ones) to move to the cloud. Free security lowers the burden of relocating workloads to the cloud. It allows companies to more quickly build secure environments that can host sensitive workloads. It may also convince companies that fear cloud adoption that it is safe.
3. It is Good Business
Free security would not come cheap for the CSPs but it would increase billings. One of the things I noticed when I helped customers move workloads to the cloud, was that security drove additional spending. Once an organization was comfortable with the security of their platform, they were comfortable moving more workloads into the cloud. Moreover, there was a natural sprawl of usage. In one customer, I recall their AWS billings more than quadruped when we deployed strong security controls.
Free security makes cloud hosting more attractive to customers. It also reduces a customer’s expenses. That frees up budget for more cloud spending on instances, databases, and other services.
What about the existing security vendors?
Their business would erode. Stand-alone security vendors like Crowdstrike, Qualys, or Palo Alto Networks would see some lost business. This means they would need to adapt to offer more advanced security capabilities beyond the baseline. That is still good for the rest of us.
Can we trust CSPs with security?
We already do. Our data is already at these CSPs. You think all those SaaS application subscriptions you purchased are running on some Dell server in a data center? They are running at AWS or Azure. I have seen the security operations at these CSPs. They do a significantly better job at security than 99% of the organizations out there. They have to, otherwise customers would abandon them.
It Creates Platform Lock-in
That already exists. For all the talk of “multi-cloud” strategies, extremely few organizations implement them. Multi-cloud strategies are insanely expensive. This would not fundamentally alter the lock-in issue.
There is No Way AWS Could Compete with the Likes of Palo Alto Networks
They do not have to. This is not about building the best security tool possible. This is about building a capable set of tools that can deliver a reasonably acceptable security baseline. Again, think Microsoft Defender. Is it the best AV on the market? No, but it is better than nothing. For smaller to mid-sized organizations, it is completely adequate. A free cloud security platform would offer an adequate set of tools, not top-of-the-line stuff.
What is Good for One, Is Good for All
There is one more compelling reason for cloud providers to offer security for free – it is the right thing to do.
Decades ago, the Bill and Melinda Gates Foundation began funding immunization efforts in developing nations. Eliminating curable diseases was not only good for the people, it was good for all of us.
Microsoft did something similar. It began bundling Defender Antivirus with Windows. Initially the product may have had weaknesses, but it spread anti-virus to the masses. Entire strains of common malware disappeared.
Cloud providers are in a similar position. They could make their platforms stronger and more desirable with a complete, bundled security platform. Then small businesses, non-profits, and governments world-wide could operate more securely. Which is good for us all.
AWS, Microsoft, and Google, you can make this happen. Do it. Do it for your own interests. Do it for ours.