Friday20 May 2022

Cloud vendors and the security tax

Reading time is around minutes.

SaaS is the de facto way of doing business for the SMB (and even for the enterprise). The costs of building your own infrastructure and maintaining it are just too high for most. Instead, it is easier and more cost effective to let someone else handle it. Buying a spot in Amazon Webs Service, Google Cloud Platform, or Microsoft Azure it not complicated and the tools to help you set up your new business infrastructure are well done (if not always well documented). When you use these services, you do expect them to provide security, but what you may find out is that not all cloud vendors think that should come as part of the package. In fact, many look at them as little more than a way to gain extra revenue and not something that just should be done.

Before we get too far into this conversation, I do want to make something clear. Vendors should be able to add a bit extra to the price tag when it comes to providing security measures. However, it should not double or triple the cost of the service you are getting. You should also not need to bump up a tier to get security (from a business or pro plan to enterprise). Doing that is just not cool. Yet this is what we see almost across the board. We are even seeing cloud providers locking down their APIs unless you have the higher tier subscriptions. Again, we are not talking about a few dollars here and there, but more than 100% increase in cost. Moving from MS365 Small Business Premium to MS365 E5 is $37 per user per month.

Other security features like Single Sign On and even multi-factor authentication can have an add-on price just to use them. It has gotten bad enough that there are even sites that are tracking services that add in a security tax on top of the regular amount you must pay just to use the service. These services do not always have to be free, but it would be nice to see them not cost so much and to be offered at more stating tiers.

Starting and running a small business it hard, it costs money. Most of the time it is money that you do not even have (Venture Capital or Loans). That means you are starting out in the hole and trying to climb out from day one. As you are planning out expenses, you are planning out expenses you are going to be const conscious. If adding proper security to a cloud service offering is going to double your costs, it is likely to be left as a “do later” item. Attackers know about this mindset and are looking to go after the exposed targets, if for nothing else than access into the cloud service. The security tax has created an entire class of organizations that are open to attack and ripe for the picking. No, they are not the targets for the ATP groups, but they are targets for the Malware as a Service consumers. They offer the best return on their investment and take advantage of the security tax all the time.

As you are planning out your services (or looking to renew them) see what their security tools cost, if they are doubling your budget or adding too much overhead maybe it is time to look for a replacement. If enough organization make this type of move, it could change the way the industry treats security and that would be a good thing.

Last modified on Thursday, 20 January 2022 15:14

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.