There has been no shortage of predictions about how much or how quickly the security software-as-a-service market will grow. But what remains to be seen is which security services make the most sense to deliver via SAAS.
Messaging security remains one of the most popular security services being offered through SAAS. However, a number of established vendors, startups and analysts believe Web security and other services will have their time in the sun soon as well.
"There's a set of services that are actually ideally delivered as a SAAS just from a technical, problem-solving implementation standpoint," said Paul Judge, chief technology officer of Purewire. "Those are typically things that already involve proxying the user's traffic and inspecting it."
Judge is banking that Web security falls into that category. Purewire was launched this year with that as a focus, as was fellow SAAS security startup Zscaler. For now, Purewire offers traffic inspection and Web filtering. However, Judge also listed firewall technology as an interesting possibility for SAAS-though he acknowledged it could be a problem due to the amount of traffic that would have to be inspected quickly.
"Vulnerability assessment, Web site application scanning-I think those are the two categories that are obvious and [there is a] strong reason to do in the cloud," Judge said. "[Anything] where you want to take the standpoint, or the viewpoint, of an attacker and assess the security posture of a company ... [for] those sets of things, it makes sense to do it from the outside instead of doing it inside the network."
Web security is clearly the next frontier in SAAS, said Paul Roberts, an analyst with the 451 Group.
"SAAS messaging security vendors like MessageLabs, Google/Postini, etc., crossed into the Web threat protection game awhile ago, and others are following suit," he said. "Secure Web gateway vendors like Websense has a dog in this fight, by way of its Surfcontrol acquisition [Surfcontrol had acquired Web and e-mail SAAS vendor BlackSpider Technologies], while Webroot has introduced some basic Web security services through its acquisition of Email Systems."
But there are a number of other areas that hold interest as potential SAAS security offerings as well, said Eric Ogren, principal analyst with The Ogren Group. Identity management, for example, is a newcomer on the scene and has been used effectively in Europe, he noted.
"Who wants the punishment of owning and operating your own identity management system?" Ogren asked rhetorically.
Another area is anti-fraud auditing and detection, which could be an attractive way to protect online transactions.
"As the world moves toward [Web] 2.0 capabilities, these skills will be useful in protecting Internet-based businesses-i.e., the problem will grow beyond credit card fraud; the solution will necessarily have to be cloud-based," Ogren said.