Security services provided in the cloud have the potential to provide cost savings and faster deployment compared with equivalent-capacity, premises-based equipment, but providers are yet to deliver on customer expectations.
Defined by Gartner as internet-fabric-based managed security services, in the cloud security services appear at the ‘peak of inflated expectations’ on Gartner’s 2009 Hype Cycle for Infrastructure Protection.
Services provided may include managed firewalls, intrusion detection systems, intrusion prevention systems, antivirus services, distributed denial-of-service protection services, messaging security and web gateway.
Gartner managing vice-president Ray Wagner says the introduction of in-the-cloud and as-a-service offerings in security had the potential to change the landscape for vendors by tilting the advantage toward bandwidth and security-as-a-service providers, and by giving buyers an additional option in build or buy decisions.
"Technologies at the ‘peak of inflated expectations’ on a Gartner Hype Cycle are there due to over-enthusiasm and unrealistic expectations, and limited successful implementations, as the technology is pushed to its limits,” says Wagner.
“Cloud security providers must deliver on customer expectations for the effectiveness, scalability and cost savings of performing security filtering in the cloud or as a service. The small or midsize business is an appealing initial market for these delivery models at lower price points, and we expect that the technology will become mainstream within two to five years.”
Gartner recommends that organisations look at leveraging security-as-a-service providers, and bandwidth and remote connectivity service providers for opportunities to consolidate premises-based equipment into cloud-based delivery options, especially for remote-office or branch-office situations that would otherwise require on-site deployment and hardware maintenance.
Technologies at the ‘peak of inflated expectations’ on a Gartner Hype Cycle generally soon tip over the peak and experience disillusionment among corporate users.
Gartner research director Lawrence Orans says that network access control (NAC) is a technology that has moved from the ‘peak of inflated expectations’ down to the ‘trough of disillusionment’ on the Hype Cycle for Infrastructure Protection since 2006, based largely on the fact that it is not commonly deployed to fulfil its initial usage case – quarantining PCs that are missing patches or have out-of-date antivirus signatures.
According to Gartner, most early adopters of NAC have taken a different approach to NAC policies and have found worthwhile usage cases for NAC technologies. Instead of blocking users from the network (and from doing their jobs) because their PCs are missing a patch, most organisations that have deployed NAC are using it to implement guest network services.
“NAC functionality is increasingly being embedded in infrastructure and in core security products such as firewalls and endpoint protection platforms, which will help make NAC more affordable and easier to implement and manage,” says Orans. “We currently rate the technology as early mainstream and estimate that it will reach maturity within two to five years.”
Gartner's security-related Hype Cycles assess major developments in both mature and emerging technologies in a broad range of areas related to security, risk management, compliance and governance, to help security professionals make critical technology purchasing and implementation decisions in an environment of economic uncertainty and constrained resources.
For example, security tools that are early in the development cycle are worth evaluating, but may be too immature for most organisations to use. Businesses that are facing immediate risks from the threats addressed by a newly introduced class of security tools, or seeking to gain competitive advantage by deploying tools early, may want to move ahead more rapidly.
Gartner has seven current security-related Hype Cycles, five of them updated in 2009. These interactive reports track technologies and technology vendors across a comprehensive set of markets and market segments, evaluating their technological capabilities, business value and real-world viability.