Cloud computing promised cost savings and simplified IT management, among other things. In many ways, the cloud has lived up to its ideals, and in other ways, such as API security, shadow IT and the securing of clouds across hybrid environments, the cloud has proven challenging.
To get a sense of how enterprises and security vendors are adapting, we reached out to Timothy Eades, CEO at cloud application security provider vArmour. vArmour was founded in 2011 with backing from Highland Capital Partners, Menlo Ventures, Citi Ventures, Work-Bench Ventures, Redline Capital and Telstra. Timothy Eades has been the CEO since 2013; prior to that role, he was the CEO at Silver Tail Systems.
Here’s an edited version of our conversation.
DevOps: How do you see cloud architectures evolving over the years ahead?
Timothy Eades: There is considerable evolution coming. At vArmour, we have a philosophy about this: Bet on the road maps, not against them.
I think we are seeing a lot of security vendors starting to scratch their heads and wonder: Where do we invent new security technologies that can help us differentiate? The road maps for winners are going to be those that bake security into their products. This way, cloud technology will only get stronger and more secure. If one imagines an x- and y-axis and the x-axis is the strength of security capability and the y-axis is simplicity, the vendor road maps, for those who will be successful, will be about getting that balance right.
Currently, there’s considerable complexity involved when it comes to configuring and securing the public cloud. If you are Tim’s Pizzeria and you are running on AWS, it has to be made simple and more intuitive. I was talking to some friends recently about the Windows operating system and how everything has become so simple. But back in the day when you and I were growing up, we used to say “RTFM” almost daily. Nowadays, there is no manual.
That’s mostly thanks to Steve Jobs. Steve Jobs came along and made everything so simple that it shouldn’t require a manual. The worst-case was it might require a YouTube video to understand.
The cloud has to go through that same transition. Everything has to be made simpler, more intuitive. Otherwise, we are just going to get very weak configurations, because people are not going to configure it right. They’re not going to secure them right. They believe that they are inherently secure.
DevOps: What do you think will be the catalyst that will continue to drive cloud vendors getting the simplicity and security balance right?
Eades: I think it’s going to be a competition. I think the market sees the need for the drive to simplify. And it’s going to take the competition to get there. That’s a real battle between AWS, Azure, VMware and others. The good news is that VMware is going to embed a lot of security capabilities, and that will force Amazon, Azure, and Google Cloud to respond.
DevOps: Cloud can get complicated quickly; even that small pizza shop may run a dozen cloud services.
Eades: Yes, they are running a bunch of different services. The funny thing is, there is always a lack of security skills at play, too. And we all know that when businesses put things in the cloud, that they think it just became secure. They don’t have the skills to understand that it’s not as secure as they believe. I think the regulators are still scratching their heads a little bit about all of this because Amazon has been preaching its “shared responsibility” model. But, as we now know, it’s not shared liability.
And people haven’t woken up yet to that fact, that shared responsibility is not shared liability.
DevOps: How do you see enterprises consuming the various modalities of cloud in the years ahead, on-premises, public, private cloud and the different mixtures of each?
Eades: It’s just amazing. Consider a company located in Europe. They have to have data on servers everywhere. So they’re using AWS and Azure and others. I think the large enterprises will continue to be hybrid cloud, but they won’t have a private data center. They just won’t.
A friend of mine runs cloud security at a large bank in New York. Their current data center will be their last data center. They’re not going to build another data center. They’re just not.
It’s the lifetime of the applications that they look at, and they wonder: Do I still want a data center? It doesn’t take long for them to get to “no.”
One of the banks we worked with over the last three years, as they were moving many of their applications into the public cloud, they were trying to understand the interaction of their apps. They wanted to know how stable the performance of their apps is in the public cloud. They will tell you now that they don’t see the difference between their Amazon cloud and their private cloud. There’s no difference because they’ve all the bandwidth that they need.
If you can’t tell the difference from a usage and from a financial perspective, more enterprises are going to depart from their data centers.
I think you are going to see a very, very long tail of private data centers among very large enterprises, but the cloud will consume the rest of IT.