Symantec Discusses Security SAAS Plans for 2010

One of the underlying trends in security of late has been the adoption of cloud-based services. On the acquisition front, the past few years have seen several independent SAAS security vendors get gobbled up.

Among those was Symantec's acquisition of MessageLabs. After more than a year under Symantec's wing, former MessageLabs CEO Adrian Chamberlain—now senior vice president of Symantec's Software-as-a-Service group—said he sees a future with even more security technology in the cloud.

"The world is moving toward security-based services," Chamberlain said in an interview with eWEEK earlier in December. "You can see the penetration in the developed countries of hosted security displacing licensed software and appliances."

For Symantec, taking advantage of that means blending not only hosted and on-site technology but also the respective sales forces and channels. In the year since the acquisition, Symantec has recognized the inherent differences between customer operations and R&D in its services and licensed software businesses as well as the relationship between those units and marketing, Chamberlain said. Looking ahead, the company will stress what it feels is appropriate bundling of services and software businesses.

"Stage two, which is about to happen quite soon, is to put hosted variations of our offerings within the Symantec protection suites," he said.

The company is on that road with Symantec Data Loss Prevention 10, which allows users of hosted e-mail security services to monitor and protect outbound e-mails without requiring on-site e-mail gateway infrastructure.

"In many ways I think not just with us, but with almost all the hosted services providers, many of our customers are ahead of us in saying they'd like services in the cloud we simply haven't developed yet because it's just tough … We know we see big demand for Web services … and for more and more sophistication in the ability to set policy around the Web usage," Chamberlain said. "We see a big demand for archiving, business continuity and encryption."

Customers are also showing an interest in URL filtering, he said.

"The services I've just described really are in their infancy in being developed ... I think you will see further developments where technology will be able to manage files in the cloud ... that will further advance the argument for shifting on-premises or licensed software solutions into the cloud to set policy," he said.

Symantec's emphasis on SAAS should not come as a surprise. Symantec CEO Enrique Salem predicted SAAS would account for 15 percent of the company's business in five years. However, a number of challenges remain before the acquisition can be truly successful, opined Forrester Research analyst Jonathan Penn.

"Most notably, there's the technical integration between [on-premises] e-mail security and hosted: There shouldn't be a notable difference in quality of protection between [on-premises] and hosted, and for that to happen they must run off of a unified technology platform that creates parity between the two offerings," Penn said. "Second is the way in which Symantec takes all this to market, which today is as two distinct solutions. Symantec should be packaging this such that customers selecting Symantec for e-mail security should be able to select their preferred delivery model simply as an implementation option. As it stands today, the packaging is not at all integrated in this fashion."

Other vendors will also face the same challenges. There were a number of acquisitions in the security SAAS space in 2009, including McAfee's purchase of MX Logic, Cisco Systems' acquisition of ScanSafe and Barracuda Networks buying Purewire. Where Symantec will seek to differentiate itself, Chamberlain said, is by trying to offer the most complete and integrated portfolio of security technologies.

"You can buy these services at the moment through a series of point plays, you can get archiving specialists, you can get Web specialists … what we expect customers will want is to buy the hosted services of one provider who can offer a universal interface on which you can set policy and authentication once," he said.