Skip to main content

Security as a Service - Infosec the Cloud Way?

Last month Google acquired VirusTotal, an on line virus and malware scanning tool.  VirusTotal has been around about 8 years, and provides a simple and focused virus and URL scanning service.  They basically act as a service wrapper and aggregator for some 60 anti-virus engines and tools.  They then provide the ability for a file or URL to be scanned by the the underlying engines, before returning a scan result from the various different partners.  This is a simple, yet powerful concept for several reasons.

I'd imagine Google's main interest would be in the ability to scan a particular URL that is returned from a user's Google search, before they go ahead and click through it.  This would help Google to identify any malicious links, trojan destinations and so on, increasing their credibility and the safety of it's users. VirusTotal also provides various internet browser plugins, which would likely become an integral default part of the Chrome browser too.


The interesting concept behind VirusTotal is the basis of it being a service provider and aggregator.  Whilst they are not a fully fledged anti-virus tool (they can't obviously provide quarantine services for example), they provide a very powerful additional security service.  As with a standard software-as-a-service offering, there is nothing to install or configure.  This instantly takes the effort and complexity away from the end user.  The end user has no real concern how the underlying software is configured or is managed.  Their only concern is having access to a results-lead service.  Throw some data, a question, a problem (or in this case a file or URL) at a piece of software via it's API, and you receive the end result. That result can then be consumed and wrapped into the users originating software or service and used how they see fit.  Each consumer could have an entirely different use for the result.

The main benefits of this as-a-service approach, are twofold.  Firstly, is the obvious ability for the service provider to aggregate data from various different sources.  To do this as an individual, would be time consuming, costly and complex to develop.  Whilst capitalism helps fuel product differentiation,  helping the consumer from a choice perspective, it also creates headaches from an information management perspective.  How does the consumer decide which product is the most cost effective, detailed or accurate? (the concept of market management is beyond the scope of this blog, but think of things like Google's price comparison engine, or  Aggregators are now an expected part of consumer behaviour.  Making that concept become part of a service provision seems natural.

The second benefit, is that the end user or consumer, can focus on things they like or are good at.  In the case of VirusTotal, the end user is more interested in browsing the web or using software.  They don't want to have to spend time installing or building scanning engines just to stay safe.  By farming those non-specialist services out to a specialist provider, frees up the time and money of the consumer to focus on what they enjoy, or what their business is supposed to deliver.

If we look at information security from a business perspective for a moment, many businesses may not have a dedicated infosec team, policy manager or strategy.  Everyone likes to be (or more importantly likes to feel) secure, but the costs and complexity of that are sometimes too great.  Security can often be seen as an avoidable cost to the business, with security controls and policies seen as hindering employees from driving sales revenue or completing important business tasks.  Outsourced managed security service providers are increasing in popularity, as many organisations know they need to have complex network operations and log monitoring centres, but can't staff or manage them inhouse.

By being able to break that outsourcing process down to an individual security process level could potentially achieve the same thing.

Other Uses

Cloud is buzz, we know that.  Organisations are being constantly bombarded with platforms-as-a-service, infrastructure-as-a-service, software-as-a-service, (aggregated-services-as-a-service?) and many struggle with the legal, security and operational aspects of migrating key business functions onto a 3rd party provider.  But in the long run, is this the only real economically efficient outcome, of using best of breed suppliers as we do today, simply delivered via the internet?

From a infosec perspective, there could be a plethora of individual services that could be managed externally.  Qualys have made a mark in the vulnerability scanning market.  File and URL scanners are now common. Geo-location and IP address mapping services are now common.  What about IP address reputation management or network black listing?  All freely available today.

The concept of identity reputation management is a contentious issue, but with increased focus on cloud based identity and user services, this could easily become a powerful as-a-service offering.



Popular posts from this blog

2020: Machine Learning, Post Quantum Crypto & Zero Trust

Welcome to a digital identity project in 2020! You'll be expected to have a plan for post-quantum cryptography.  Your network will be littered with "zero trust" buzz words, that will make you suspect everyone, everything and every transaction.  Add to that, “machines” will be learning everything, from how you like your coffee, through to every network, authentication and authorisation decision. OK, are you ready?

Machine Learning I'm not going to do an entire blog on machine learning (ML) and artificial intelligence (AI).  Firstly I'm not qualified enough on the topic and secondly I want to focus on the security implications.  Needless to say, within 3 years, most organisations will have relatively experienced teams who are handling big data capture from an and identity, access management and network perspective.

That data will be being fed into ML platforms, either on-premise, or via cloud services.  Leveraging either structured or unstructured learning, data fr…

Customer Data: Convenience versus Security

Organisations in both the public and private sector are initiating programmes of work to convert previously physical or offline services, into more digital, on line and automated offerings.  This could include things like automated car tax purchase, through to insurance policy management and electricity meter reading submission and reporting.

Digitization versus Security

This move towards a more on line user experience, brings together several differing forces.  Firstly the driver for end user convenience and service improvement, against the requirements of data security and privacy.  Which should win?  There clearly needs to be a balance of security against service improvement.  Excessive and prohibitive security controls would result in a complex and often poor user experience, ultimately resulting in fewer users.  On the other hand, poorly defined security architectures, lead to data loss, with the impact for personal exposure and brand damage.

Top 5 Security Predictions for 2016

It's that time of year again, when the retrospective and predictive blogs come out of the closet, just before the Christmas festivities begin.  This time last year, the 2015 predictions were an interesting selection of both consumer and enterprise challenges, with a focus on:

Customer Identity ManagementThe start of IoT security awarenessReduced Passwords on MobileConsumer PrivacyCloud Single Sign On
In retrospect, a pretty accurate and ongoing list.  Consumer related identity (cIAM) is hot on most organisation's lips, and whilst the password hasn't died (and probably never will) there are more people using things like swipe login and finger print authentication than ever before.

But what will 2016 bring?

Mobile Payments to be Default for Consumers

2015 has seen the rise in things like Apple Pay and Samsung Pay hitting the consumer high street with venom.  Many retail outlets now provide the ability to "tap and pay" using a mobile device, with many banks also offer…