HerrBullermann - Fotolia

Rackspace security push eyes managed cloud, compliance services

Rackspace hopes its new emphasis on security-centric managed cloud services will be enough to overcome past security and availability problems, as well as differentiate itself from public cloud rivals AWS and Microsoft.

After retreating from the public cloud provider price war, Rackspace Inc. is hoping a stronger focus on security via its new "managed cloud" approach will help the company further differentiate itself from cloud computing heavyweights such as Amazon Web Services, Microsoft and Google.

The San Antonio-based cloud provider last summer made a major strategy shift as it relaunched its public cloud services as a managed cloud services offering; instead of selling wholesale infrastructure as a service, Rackspace now offers a range of managed services, from basic infrastructure management to full, end-to-end cloud operations management.

"Rackspace is basically taking what they succeeded with in the past -- managed services -- and applying to the cloud," said John Burke, principal research analyst at Mokena, Ill.-based Nemertes Research Group Inc. "As they have shifted to managed cloud services, it's really put the focus on security services that companies can select to layer on top of that cloud service."

Rackspace cloud security strategy explained

Rackspace security offerings generally come in two forms. First, the managed cloud services themselves can include security and compliance consulting services, which cover such areas as DDoS mitigation, vulnerability assessments, and PC compliance.

Second, RackSpace offers one-off security layers, such as Web application firewall protection and intrusion detection systems using technology from third-party vendors like networking giant Cisco Systems and storage vendor Brocade Communications Systems Inc., to complement the cloud services.

"This is absolutely how we're differientating ourselves from Amazon and Microsoft and Google. We'll hold the customers' hands and walk them through the cloud process," said RackSpace Product Manager Matt Shover. "We'll look at their infrastructure and ask how they want to secure it. If they want IDS, for example, then we'll do that for them."

In addition, Rackspace last fall introduced version 3.0 of its hybrid-cloud offering, RackConnect, which includes security enhancements of its own. Specifically, RackConnect now integrates isolated, single-tenant Rackspace Cloud Networks to keep traffic segregated in the RackSpace Public Cloud, which previously was only available for dedicated environments.

Compliance coverage

Rackspace's compliance services focus primarily on PCI DSS.  The services include consulting around implanting specific PCI-DSS controls as well as customized security services, such as managed firewall and managed anti-virus, to enforce those controls.

According to cloud solution providers, these compliance services are especially valuable to enterprises that are still in the beginning stages of cloud migrations.

Joe Gonzalez, cloud practice manager at Sigma Solutions Inc., a San Antonio-based solution provider and RackSpace Platinum Partner, said PCI compliance services are of significant value to Sigma Solutions' retail clients.

"As a cloud integrator, that's a huge help for us because compliance is a big issue for companies looking to move to the cloud," he said. "So that helps, but you still have to take the client through all of the compliance procedures and remind them that they're ultimately responsible for their data."

Shover said Rackspace has paid special attention to complaince, specifically because areas like PCI DSS are so difficult for midmarket and even large enterprise clients to handle.

"Just like we have Rackers [Rackspace employees] who speak networking or Linux, for example, really well," Shover said, "we have Rackers that can speak compliance really well, and they can walk customers through that process."

Burke said compliance is an area where Rackspace has an opportunity to shine, particularly as enterprises look to move more data and infrastructure into the cloud.

"Rackspace can ramp up their standard set of security services in a PCI-compliant environment without the customer having to do it all by themselves," Burke said. "And as companies are looking to do more of their important work in the cloud, these are the types of things they'll want to appease auditors and compliance officers before making that jump."

Managed cloud security

Rackspace's managed cloud security services take a similar approach to its compliance services. Gonzelez said many of Sigma Solutions' customers don't necessarily have the requisite knowledge of cloud security to make a confident leap into a cloud environment.

"The security services can be a huge selling point for enterprises," Gonzalez said. "They may have standard stuff in place like firewalls or SSL, but sometimes customers will ask about additional layers with IDS or threat management, and Rackspace can add those along with that management component."

The managed cloud approach, however, does have its drawbacks, according to some solution providers. Matt Johnson, co-founder and CEO of Raven Data Technologies Inc., a solution provider based in Reisterstown, Md., said his company used to partner with Rackspace but recently moved to other cloud providers like Microsoft. The reason? Flexibility and customization.

"We wanted a service where we had complete control over the security systems," Johnson said. "We wanted to be able to protect customer infrastructure with our own security systems and firewalls, and we felt that wasn't really available with the way Rackspace's managed cloud was structured."

While Rackspace has an extensive list of compatible third-party vendor products that can integrate with its cloud services, Johnson said he's found it's generally easier to work with Microsoft Azure and build his own security systems without management from the cloud provider itself.

Burke said there are security pros and cons with the managed cloud approach.

"On one hand, it may be more difficult to customize those security layers on top of Rackspace's cloud because Rackspace is already offering a lot of them," he said. "But on the other hand, they do have the ability to go down to Bare metal and do security management around the entire customer environment with dedicated instances."

Rackspace security setbacks

Rackspace experienced some notable pitfalls recently. In late September, the company suffered extended downtime when it was forced to correct a Xen hypervisor security flaw.

While the hypervisor flaw affected other major cloud providers such as Amazon Web Services and IBM Softlayer, Rackspace was hit particularly hard; the company had to reboot its entire public cloud fleet, region by region. The massive reboot was followed by a public apology to customers from Rackspace President and CEO Taylor Rhodes.

The number one barrier to entry for public cloud that we see is security.
Matt Shover, RackConnect product manager at RackSpace

Then, just before the holidays, Rackspace's DNS infrastructure was hit was a major UDP DDoS attack, which lasted approximately 12 hours and blocked traffic from accessing the Rackspace.com domain. The company resolved the issue and said additional details regarding the attack will be made once Rackspace completes its root cause analysis.

While Rackspace was criticized  by some customers for the downtime, Burke said the incident likely won't have a significant negative impact on the company or its security push.

"I don't think the DDoS attack will hurt them as much as it would've maybe two or three years ago," he said. "Sadly, I think people now expect these types of attacks and they're more forgiving as a result."

But one thing that analysts and solution providers agree will help Rackspace is adding more security options to its cloud services. For example, Burke said offering cloud encryption to customers would greatly benefit Rackspace, especially from a compliance perspective.

"Where they can really differentiate themselves," he said, " is by adding more security layers to the managed cloud services as the default offering."

Shover said more security enhancements and additions are in the works as Rackspace works to encourage enterprises -- both existing clients and prospective ones -- to extend more of their business into the cloud.

"The No. 1 barrier to entry for public cloud that we see is security," Shover said. "Ulocking the potential around cloud security is how we're really going to grow the business."

Next Steps

Find out more about Rackspace's managed cloud services vision

Learn the best practices for tackling compliance in the cloud

Dig Deeper on Public Cloud Computing Security