Cloud computing presents its share of risks that concern infosec professionals. At the same time, the cloud billing model offers a major security benefit to small and medium-sized businesses (SMBs) by making security more affordable for them.
Pricing Enterprise Security Products
Historically, enterprise security products have been expensive. (I wrote earlier how vendors can use low price as a competitive advantage.) In particular, the initial purchase and setup price—the capital expenditure (capex)—has prevented SMBs from deploying more than the bare essential security tools, say network firewalls and anti-virus. Adopting other security technologies, such as those mandated by PCI Data Security Standard, has been a significant financial burden.
Pricing a product usually involves extracting the maximum possible amount that the customer is willing and able to pay. This is why vendors often employ price discrimination practices. For example, the vendor might offer a full-featured version of the product at a high price for customers who value the features and can afford them. The vendor might also offer a lightweight version at a lower price; this allows the company to capture the portion of the market that’s comprised of the customers who cannot justify or afford the higher expense.
Enterprise security vendors have had a hard time offering lower-priced versions for SMBs that include an attractive feature set. The cloud makes this easier by providing an alternative billing model with inherent price discrimination characteristics.
The Advantages of Cloud’s Billing Model for SMBs
One of the essential aspects of cloud computing, according to NIST SP 800-145, is measured service. It involves “leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts).” In other words, cloud providers can bill customers based on how much of the service was actually used.
SMBs that do not use many units of a security service find it more affordable use the pay-per-use billing model than paying for the product outright. This model also provides the product’s vendor with inherent price discrimination, since the customers who make greater use of the service pay more for it than the lower-volume customers.
A related aspect of cloud services billing model is its conversion of the initial expense of obtaining the product (capex) into a stream of regular payments called operating expenditure (opex). In the current economic climate, avoiding capex in favor of opex is attractive to many companies. This is particularly beneficial for SMBs, who might lack the cash flow to make a large capex payment, but who can keep up with opex payments.
For instance, consider the two-factor authentication feature that Google provides for its customers. Most SMBs wouldn’t have the money or the expertise to implement this security control for their systems. Yet, they get access to it by paying a relatively low monthly fee for Google Apps on per-user basis. (Google even offers this feature to its non-paying users.)
These financial aspects of cloud services give SMBs access to security technologies even when they would’ve been unable to afford to buy the tools outright. As cloud providers incorporate security services such as vulnerability scanning, log management and web application firewalls (WAFs) into their offerings, I expect to see more SMBs making use of the security services they wouldn’t normally consider for purchase. When that happens, everyone wins.