Yes, Cloud Is Inevitable, Even in Security

On February 11, Netflix announced the complete migration all IT infrastructure to the Amazon Web Services cloud. Yes—all of it.  100%. Every single IT function—hundreds of them—including billing, customer and employee data management, analytics, big data, video transcoding, and even their “special sauce” algorithms for user recommendations.

Mind you, Netflix is the single largest bandwidth user on the Internet, accounting for over 38% of all traffic during peak evening hours. If they find it advantageous to use a shared cloud service, shouldn’t security buyers at least be considering this option? Are any of us operating at even a fraction of their scale? Can we achieve better TCO, or cyber security, or staffing efficiency on our own?

But perhaps Netflix is a special case.  After all, they are an Internet business, so this is the ecosystem they grew up in. Perhaps their massive scale and public-facing services demand a class of solutions that the rest of us just don’t need.

But Netflix is not alone. Consider GE, which would normally be viewed as classic, conservative, blue chip company. Surely they are hewing to the traditional model and keeping their massive IT resources under in-house management?  Nope. GE recently announced that they are eliminating 30 out of 34 data centers in favor of the cloud. Early IT benchmarks suggest massive cost reductions, lower maintenance, and faster time-to-market for software services.

These are not isolated incidents.  Given the impressive results, there is no reason to think that the IT migration line will be drawn at physical security systems. Why would they? Are security systems somehow ‘special’?  More special than finance, customer profiles, HIPAA compliance data, and prized competition-sensitive proprietary algorithms?

In the technology adoption framework provided by Everett Rogers’ widely referenced Diffusion of Innovations, the physical security industry has generally fallen somewhere between the so-called “late majority” and, worse yet, the “laggards” who are the last to leverage new inventions.  This is ironic because the industry always valued shared, centralized computing for alarm monitoring. However, it has been paradoxically slow to catch on for SaaS and cloud services delivery of other security applications.  

One could argue that the security industry is justifiably conservative when it comes to new technology adoption.  After all, the use of bleeding edge technology is not exactly something customers want in systems that are designed to—among other things—literally prevent bleeding.

Security technologies need to be tested and proven. Security software must be free of bugs and security holes. Security startups must prove that they will be able to survive long enough to justify product learning curves, and then provide ongoing support for years to come.  And no security professional wants to debut a spectacular failure—no matter how cool the technology.

But the signs are all around that the paradigm is shifting, even in security.

The earliest sign that something is about to be a thing is that the marketing departments of an entire industry rise up in unison and all start singing from the same choir book.  So it has been with manufacturers’ claims of having a “cloud product” or being a “cloud solution” or being “cloud-enabled”.

Not coincidentally, the year 2015 marked the first time that the security industry saw a conference dedicated to the topic of clouding computing for physical security applications; i.e., the first-ever Cloud+ conference, symbolically convened in the heart of Silicon Valley.  2015 was also the first year that we saw a poll of the industry where 52% of the respondents indicated that the cloud could now be considered a permanent part of the industry’s solution set.

There are many reasons that this tide has begun to shift: corporate use of the cloud for non-security functions; nearly inescapable use of the cloud for personal tasks; better understanding of cyber protections in the cloud; and the leadership of highly respected corporate icons.

Ultimately, however, the landscape will change because technology companies developing new applications simply won’t create on-premise versions of those products. Why would they? The entire landscape of software development—and available software talent—has shifted entirely and irrevocably to the cloud.  Good luck finding a programmer who wants to develop client-server applications for the next ten years.

This is leading the industry to skate to where the puck has already been for many years in the enterprise software.  The graph below shows approximate cloud adoptions rates in the security and general enterprise software sectors. What will inevitably happen—as it has with every other technology wave—is that the late-adopting security industry will slowly catch up to general adoption rates.  

My prediction is that much of this will take place over the next five years, and that many of us will join Netflix, GE, and countless other companies that have said goodbye to their last data center.