Verizon will have to make a convincing case that its approach is a solid one. After all, in survey after survey, CEOs' main concern about cloud computing in any form is that it may not be secure.
"We've been doing cloud-based security for six years," said Jonathan Nguyen-Duy, security product management director, in an interview. With 237 data centers powering parent company Verizon Communications' IP network operations around the world, Verizon has experienced massive denial of service attacks and other assaults that might overwhelm average data center defenses. If a telecommunications leader's defenses are applied to a business, they will represent a significant upgrade of existing protections, he asserted.
All of its 237 data centers are regularly audited by outside parties to ensure they meet the security protections that Verizon claims for its operations, Nguyen-Duy added.
The May 12 announcement of security as a service is Verizon Business' latest foray into cloud computing. In June 2009 it launched computing as a service, or the availability of virtualized servers in its data centers for rent by the hour. At the end of April, It launched consulting services to share knowledge of how data centers may be built and operated in conjunction with public cloud resources, such as its computing as a service. At the same time it opened a second data center in Hong Kong to deliver more cloud services to the Asia Pacific region.
Security as a service, however, remains a new concept. Nguyen-Duy said any large or medium-sized business is likely to have multiple facilities where it wants a common standard of security protections. Verizon can provide security measures to any facility, putting monitors in place to analyze traffic moving over company networks geared to watch for threats.
At the same time, said Peter Tippett, VP of technology, Verizon Business can give each company a central console through which to view all its security as a service implementations. "Enterprises can tailor their security solutions to meet the unique needs of their business, with the ability to strengthen their security protection at a moment's notice," he said in the announcement.
That may be true someday, but right now customers interested in security as a service are waiting for its most basic offerings to materialize. In June, Verizon Business will roll out anti-virus, spam, and malware protections and filtering of unwanted traffic from designated URLs. These services will be built into the basic network service already being consumed by Verizon customers at no additional charge, but there is a 50-megabyte limit on the amount of traffic per month that they apply to. The services are intended to show Verizon has the ability to supply "clean pipes" to customers, Nguyen-Duy.
In the fall, Verizon Business will offer network firewalls as a service from its data centers, with intrusion detection and prevention as well. These services will be charged for as separate products from the network service.
Early next year, Verizon will make its denial of service detection and mitigation services available from the cloud. None of the Verizon security services are meant to be "rip and replace" services for existing on-premises security. Rather they complement those measures, and can be implemented when a common standard of security is sought for new operations that span both on-premises and cloud data centers.
Nguyen-Duy is aware of the skepticism that the cloud itself can be made acceptably secure, and that makes it harder for prospects to believe that security can reliably flow out of the cloud. Nevertheless, he says, the combined protections that Verizon can offer means "we will scrub traffic more efficiently" than customers can by themselves. Security as a service from the cloud will lead to 35-40% savings in security expenses, he claimed.