Cloud Makes Security More Affordable for Smaller Companies

Cloud computing presents its share of risks that concern infosec professionals. At the same time, the cloud billing model offers a major security benefit to small and medium-sized businesses (SMBs) by making security more affordable for them.

Pricing Enterprise Security Products

Historically, enterprise security products have been expensive. (I wrote earlier how vendors can use low price as a competitive advantage.) In particular, the initial purchase and setup price—the capital expenditure (capex)—has prevented SMBs from deploying more than the bare essential security tools, say network firewalls and anti-virus. Adopting other security technologies, such as those mandated by PCI Data Security Standard, has been a significant financial burden.

Pricing a product usually involves extracting the maximum possible amount that the customer is willing and able to pay. This is why vendors often employ price discrimination practices. For example, the vendor might offer a full-featured version of the product at a high price for customers who value the features and can afford them. The vendor might also offer a lightweight version at a lower price; this allows the company to capture the portion of the market that’s comprised of the customers who cannot justify or afford the higher expense.

Enterprise security vendors have had a hard time offering lower-priced versions for SMBs that include an attractive feature set. The cloud makes this easier by providing an alternative billing model with inherent price discrimination characteristics.

The Advantages of Cloud’s Billing Model for SMBs

One of the essential aspects of cloud computing, according to NIST SP 800-145, is measured service. It involves “leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts).” In other words, cloud providers can bill customers based on how much of the service was actually used.

SMBs that do not use many units of a security service find it more affordable to use the pay-per-use billing model than to pay for the product outright. This model also provides the product’s vendor with inherent price discrimination, since the customers who make greater use of the service pay more for it than the lower-volume customers.

A related aspect of the cloud services billing model is its conversion of the initial expense of obtaining the product (capex) into a stream of regular payments called operating expenditure (opex). In the current economic climate, avoiding capex in favor of opex is attractive to many companies. This is particularly beneficial for SMBs, who might lack the cash flow to make a large capex payment, but who can keep up with opex payments.

For instance, consider the two-factor authentication feature that Google provides for its customers. Most SMBs wouldn’t have the money or the expertise to implement this security control for their systems. Yet, they get access to it by paying a relatively low monthly fee for Google Apps on a per-user basis. (Google even offers this feature to its non-paying users.)

These financial aspects of cloud services give SMBs access to security technologies even when they would’ve been unable to afford to buy the tools outright. As cloud providers incorporate security services such as vulnerability scanning, log management and web application firewalls (WAFs) into their offerings, I expect to see more SMBs making use of the security services they wouldn’t normally consider for purchase. When that happens, everyone wins.

About the Author

Lenny Zeltser develops teams, products, and programs that use information security to achieve business results. Over the past two decades, Lenny has been leading efforts to establish resilient security practices and solve hard security problems. As a respected author and speaker, he has been advancing cybersecurity tradecraft and contributing to the community. His insights build upon 20 years of real-world experiences, a Computer Science degree from the University of Pennsylvania, and an MBA degree from MIT Sloan.
