Security SAAS Makes Messaging Strides

Efforts at security in the cloud, also called Security SAAS, are currently focused on messaging security, but expect the concept to expand as the enterprise workforce relies more on mobility and applications in the cloud.

Messaging security has been a big beneficiary of early security SAAS (software as a service) adoption. Analysts at IDC have predicted that worldwide spending on hosted messaging security services will reach $1.4 billion by 2011—up from just $300 million in 2006.

According to Gartner, SAAS market share will grow in several security segments over the next five years, notably in areas such as remote vulnerability assessment, which Gartner predicted will jump from 10 percent to 30 percent by 2013.

"Messaging security is the big area now," said John Pescatore, an analyst with Gartner. "I think Web security—both protecting Web servers and also protecting users and browsers—will grow fast. Vulnerability assessment has already started to grow as a service; so has DDoS (distributed denial of service) prevention."

Vulnerability assessments provided by vendors such as Qualys are a good fit as a cloud-based service, as they can be done efficiently from the cloud and typically don't require any deep knowledge of business-specific aspects, like what an application actually does, Pescatore contended. Early in 2008, Perimeter eSecurity acquired Edgeos for its SAAS vulnerability scanning technology.

Already, a number of vendors are doubling down and offering multiple security applications in the cloud. Trend Micro, for example, made a big splash in June with talk of its Smart Protection Network, which correlates Web, e-mail and file threat data using reputation technologies and continuously updates threat databases in the cloud. Trend Micro also announced in June the beta program for Worry-Free SecureSite, the company's Web site vulnerability scanning service.

Security rival McAfee meanwhile launched its Secure for Web Sites service in May, which also scans for security holes in Web sites. Smaller security companies have also made moves around Web-based services. Webroot, for example, launched Webroot Web Security SAAS in June.

"The Web security ones I think will grow are like what we call Secure Web Gateways, like the Websenses, Secure Computing, Trend Micros of the world," Pescatore said. "Those put outbound URL blocking and inbound Web malware filtering between users and the Web—but what about when the users are out on their laptops and that is not between them and the Web … if you had your browser proxy through mywebsecuritycompany.com as an in-the-cloud service, that would solve the problem."