Compliance Fuels Security on Demand

Efforts to combat compliance regulations are being seen as a big reason for the software as a service model being adopted across the security industry.

The software as a service delivery model is poised for adoption across the security industry, with some hosted applications providers tabbing customers' compliance efforts as an emerging driver of the trend.

As has been proven in the CRM (customer relationship management) sector, many business customers appear increasingly willing to consider the move to hosted applications to replace on-premises software.

Some experts and industry players believe that the hosted model is already changing the way many companies manage IT security and compliance operations.

Among those predicting growth of the SAAS model is Ben Fathi, corporate vice president of the Security Technology unit at Microsoft, in Redmond, Wash.

As the software maker's newest in-house security guru, Fathi said that the emergence of consumer tools such as Microsoft's OneCare PC management service is indicative of a shift that will also resonate inside enterprises.

"I think it's fair to say that the managed service model is the future of software in general, and this is true of security as well," Fathi said.

"Companies are looking at the issue of how costly it is to keep their security defenses up-to-date. There's a lot of benefit to the approach of automated software updates, and not just for installing fixes; the whole industry is moving in this direction."

Fathi said he expects to see additional hosted support services added to Microsoft's ISA Server security gateway software, which promises to fight many types of Web-based threats.

While Microsoft is just getting its feet wet in the security sector, more established security software service providers including Qualys say that compliance requirements are helping to ignite demand for hosted tools.

The company has yet to officially launch a new Web-based IT policy compliance monitoring service, but Qualys Chairman and CEO Philippe Courtot said his company is already winning deals to provide the service as it goes up against well-known, on-premises alternatives.

"These companies are being asked to collect data from so many different systems and make sense of it for compliance, and the enterprise software model is already very distributed in nature," said Courtot in Versailles, France.

Qualys is showing customers a beta version of its compliance service, which is planned to launch before the end of 2006.

Shrugging off the notion that SAAS has appealed more to smaller companies than to enterprises, Courtot points to his company's customer list, which includes multinationals such as DuPont, Levi Strauss and Nissan Motor Co.

Hosted security services have already taken root in the anti-spam and firewall applications markets, with vendors such as Postini and AT&T building sizable businesses in those sectors, respectively.

Postini, in San Carlos, Calif., added a new Web filtering service to its package of hosted security applications in early June in an effort to address customers' demand for even more online tools, said Andrew Lochart, senior director of marketing at the company.

"Three years ago, people were reluctant to consider security as a service, and you don't change people's minds overnight. But our existing customers are demanding even more services," said Lochart.

"It's gotten to the point where most businesses will at least consider our model versus [on-premises alternatives], and we think there's an even bigger trend brewing where services will replace many security appliances."

Industry analysts agreed that some types of security applications increasingly will be replaced by outsourced online applications but indicated that some security processes, such as systems authentication management, won't likely move off-site anytime soon.

"Everyone sees how easy it is to filter out spam by routing e-mail through an outsourced provider or to have [a company] like AT&T manage your firewall appliances, but for any security process that is coupled closely with end-user identities, companies are going to want to retain control," said John Pescatore, an analyst with Gartner, in Stamford, Conn.

"There's a big difference between having go down and your workers lose access to contact information versus having them lose access to transactional systems or some application on which a business truly depends."

Another challenge for security software services providers will be finding a way to offer customers the same level of applications customization with which they are already familiar.

"Services definitely represent the future of software, but companies will still want security baked into their applications," said Pescatore. "Adoption will primarily be driven by customers' opportunities to reduce staffing needs for high-priced developers, and, if security services are to succeed, they'll need to do that."
