Do I go to my cloud service provider (CSP) for cloud security tools or to a third-party vendor?
Who will secure my cloud usage, a cloud provider or a dedicated vendor?
Who is my primary cloud security tool provider?
This question has been haunting me since my analyst days, and I’ve been dying for a good, passionate discussion on the topic. So, we did it on Google’s Cloud Security podcast, where the co-hosts broke down positions, looked at arguments before the discussion, and then… competed with each other 🙂
The results were so fun and interesting that this blog was born!
Use Case for Third-Party Vendor Tools
These arguments revolve around three main concerns: trust, consistency, and innovation.
Some observers also highlight the theoretical conflict of interest when a cloud provider is responsible for both building and securing the cloud (I don’t know why people say this, as there is no conflict in my opinion). This side also emphasizes the importance of consistency across multiple cloud environments and argues that specialized security vendors are more likely to innovate faster. They may also address customer needs more quickly, especially narrow vertical needs.
Trust: you simply can’t trust the cloud builder to secure their own stuff (or “let the cat guard the cream,” as someone bizarrely put it on social media). Third-party vendors promise unbiased security analysis and can uncover security issues that cloud providers may deprioritize, benefiting both the broader public and individual customers. This separation of duties means a more objective assessment of cloud security.

Consistency: consistency is critical for multi-cloud. Third-party tools provide a consistent security framework across multiple cloud platforms, which simplifies management and reduces the need for specialized knowledge of each cloud provider’s unique security offerings.

Innovation: startups are building better tools; that is their focus and sole mission, while cloud providers suffer from the “big-company security” syndrome of being slow and political. Third-party vendors, whose primary business is security, are more likely to develop innovative and effective security solutions than cloud providers, who may view security as a secondary concern.

Helpful argument: do you trust your ISP to secure the network/environment that belongs to their competitor?
Use Case for CSP-Native Tools
These arguments revolve around three main concerns: deep platform knowledge, built-in security, and seamless integration.
The deep platform knowledge that CSPs have means strong, default “automatic” security. The fluidity of CSPs’ native tools and the massive resources (we mean it, by the way!) that CSPs devote to security also play a major role. CSPs are very well positioned to keep up with the rapid evolution of cloud services, and to secure them as they build them.
Deep platform knowledge: cloud providers know the platform and the cloud better overall, and can leverage undocumented or poorly documented capabilities to secure the cloud. Security that is deeply integrated into the platform is “more secure,” and it also ties in better with asset tracking and other IT/DevOps capabilities. This deep knowledge translates into superior security capabilities, both operationally and conceptually.

Built-in security: built-in features are better than add-ons, with fewer seams to crack and penetrate. Recent breaches highlight the risks associated with such integration points, underscoring the benefit of built-in security.

Seamless integration: native tools give customers seamless integration with the provider’s other services, streamlining workflows and reducing the risk of vulnerabilities that can arise from stitching disparate tools together. Using native tools also reduces the number of vendors and third-party solutions that need to be managed, resulting in a simpler, more manageable security toolkit and lower administrative overhead. When cloud platforms and security tools share the same foundation, operational teams benefit from simplified access and workflows.

Helpful argument: cloud providers keep up with securing new services as they launch, and there are a lot of cloud services being launched.
The verdict
“It depends” wins! That’s right. No, we’re not hedging or bluffing. Are you disappointed? To make it practical, we need to answer the “it depends on what?” question with organizational facts: how you use the cloud, which cloud, how many clouds, what your threat model is, and so on. None of the arguments on either side is a “killer” or decisive argument that stops the discussion and hands victory to one side. Often, starting with native CSP tools and then supplementing with third-party solutions to address any gaps (if any) is the right way to go (this was also Gartner’s advice in my day, by the way).
Listen to the audio version (better jokes!). And yes, read “Snow Crash” if you've failed to read it before.
The Great Debate on Cloud Security: CSP vs. Third-Party Security Tools was originally published at Anton on Security on Medium, where people are continuing the conversation by highlighting and responding to this story.
*** This is a Security Bloggers Network syndicated blog post from Anton Chuvakin's Medium stories by Anton Chuvakin. Read the original post at: https://medium.com/anton-on-security/the-great-cloud-security-debate-csp-vs-third-party-security-tools-6563e3dc6ac9?source=rss-11065c9e943e——2