Security software-as-a-service vendors want your business and are offering services from URL filtering to message security. With large security vendors such as Symantec and Trend Micro placing their own bets on SAAS, customers and vendors alike should consider just what security technologies can be best delivered as an in-the-cloud service.
There has been no shortage of predictions about how much or how quickly the
will grow. But what remains to be seen is which security services
make the most sense to deliver via SAAS.
Messaging security remains one of the most popular security services being
offered through SAAS. However, a number of established vendors, startups and
analysts believe Web security and other services will have their time in the
sun soon as well.
"There's a set of services that are actually ideally delivered as a SAAS
just from a technical, problem-solving implementation standpoint," said Paul
Judge, chief technology officer of Purewire. "Those are typically things that
already involve proxying the user's traffic and inspecting it."
Judge is banking that Web security falls into that category. Purewire was
launched this year with that as a focus, as was fellow SAAS security
startup Zscaler. For now, Purewire offers traffic inspection and Web filtering.
However, Judge also listed firewall technology as an interesting
possibility for SAAS-though he acknowledged it could be a problem due to the
amount of traffic that would have to be inspected quickly.
"Vulnerability assessment, Web site application scanning-I think those are
the two categories that are obvious and [there is a] strong reason to do in the
cloud," Judge said. "[Anything] where you want to take the standpoint, or the
viewpoint, of an attacker and assess the security posture of a company ... [for]
those sets of things, it makes sense to do it from the outside instead of doing
it inside the network."
Web security is clearly the next frontier in SAAS, said Paul Roberts, an
analyst with the 451 Group.
"SAAS messaging security vendors like MessageLabs
Google/Postini, etc., crossed into the Web threat protection game awhile ago,
and others are following suit," he said. "Secure Web gateway vendors like
Websense has a dog in this fight, by way of its Surfcontrol acquisition [Surfcontrol
had acquired Web and e-mail SAAS vendor BlackSpider Technologies], while
Webroot has introduced some basic Web security services through its acquisition
of Email Systems."
But there are a number of other areas that hold interest as potential SAAS
security offerings as well, said Eric Ogren, principal analyst with The Ogren
Group. Identity management, for example, is a newcomer on the scene and has
been used effectively in Europe, he noted.
"Who wants the punishment of owning and operating your own identity
management system?" Ogren asked rhetorically.
Another area is anti-fraud auditing and detection, which could be
an attractive way to protect online transactions.
"As the world moves toward [Web] 2.0 capabilities, these skills will be
useful in protecting Internet-based businesses-i.e., the problem will grow
beyond credit card fraud; the solution will necessarily have to be
cloud-based," Ogren said.