Cybersecurity Cloud Migration: How Fast? How Far?

Sometimes, even for the most skeptical technology industry observers, it’s hard not to get caught up in the hype about the cloud. After all, the cloud offers so much adaptability, flexibility, and power that, at least on paper, it makes sense for companies to leverage it to the greatest degree possible.

But in reality, the speed of cybersecurity cloud migration might be far slower than the more optimistic estimates out there. Currently, in most businesses, spending on on-premises security appliances and software dwarfs the amount companies are spending on cloud-based security products. The progress of the transition to the cloud in cybersecurity is often overstated, and the transition could be far more gradual than is widely believed.

And even in the world of on-premises computing, there are signs that people understand that the transition to the cloud is not just about API-driven IaaS, but about creating a more automated form of IT. Without the automation, the cloud can become expensive. This has led to a trend of companies migrating back to on-premises data centers.

I discussed this issue recently on the EAR Podcast with Fortinet’s CMO and EVP of Products, John Maddison. He pointed out that Fortinet isn’t focused exclusively on the cloud like so many other security vendors are. He estimated that the transition to the cloud could take a few decades and that it will likely end up in a state of hybrid cloud rather than all-in public cloud.

“We speak to a lot of customers who are either migrating to the cloud, building in the cloud, or consuming SaaS apps. There’s no doubt that cloud will be a large portion of the compute out there,” he said. However, as he pointed out, “We’re also seeing customers who still are building out new data centers of their own. In the next few years, a lot of enterprises will start to enable edge compute as well. We believe in a hybrid world. We believe there will be cloud compute, on-premises data center compute, compute at the edge through 5G, and compute in devices.”

Maddison argues that the speed of cloud migration will be slower than many imagine because of the existing investments in legacy architecture and because of the capabilities that legacy infrastructure provides to so many companies. Instead of envisioning a world in which all new cybersecurity products should be geared solely to the cloud, it’s far more practical to recognize that companies will need security for a wide range of ecosystems.

“It’s not that we’re saying that the cloud is not going to happen,” Maddison said. “It absolutely is going to happen and you need a different security model depending on how you’re going there. What we’re saying, though, is that it’s important to understand that it’s going to be hybrid for a long time, if not forever. So you need different types of technology and security. You need appliances, virtual machines, APIs, and containers. But most importantly, you need to be able to coordinate the policy across all of those things and maintain a feasible operational model.”

That last point is especially crucial. Operating in a hybrid world means that companies have to recognize and embrace complexity. The only way to have uniform cybersecurity in a hybrid, variable environment is to have governing security policies that address each component of an enterprise architecture. The ideal configuration is one in which one set of policies can be set and enforced on infrastructure that runs both in the cloud and on-premises.

“The cloud is attractive, and the idea of an entirely cloud-based enterprise landscape would certainly reduce complexity in some ways,” said Maddison. “But it’s not going to happen anytime soon, and will never be complete. So in the meantime, companies need to operate in the world that is instead of the world that may never be.”