Midmarket Could Push Adoption of Hosted Security Model

Mirroring the growth of hosted enterprise applications, midmarket adoption of Web-based security tools will encourage larger companies to begin looking more closely at the delivery model, advocates of the systems contend.

Backers of the hosted security model say that growing adoption of the online services among midmarket companies will help push more enterprises to begin considering the offerings.

While Qualys, a self-described provider of on-demand vulnerability management services, continues to boost its clout in the enterprise space—with plans to double its customer base and revenue in 2006—smaller vendors attacking the midmarket, such as intrusion detection specialist Alert Logic, maintain that the success stories told by their users will inspire larger firms to embrace the software as a service delivery model.

Rather than requiring companies to install its network intrusion detection software in-house, Dallas-based Alert Logic markets an online service that promises the same benefits of internal systems, along with the full-time outsourced support of its monitoring applications and malware analysts.

By eliminating the need for customers to maintain their own network intrusion scanning devices and software, and providing users instantly with the input of its security researchers, the service can lower related expenses and provide more comprehensive protection, the company said.

Alert Logic customers say that much as Salesforce.com revolutionized the way in which companies purchase CRM (customer relationship management) applications, the savings and productivity gains delivered by the hosted security services makes for a strong argument in selling new projects to business executives.

Scott Smith, network engineer for real estate firm Lincoln Property Company, Dallas, said that for roughly $1,700 per month in subscription fees, far less than it would cost to hire someone to do the same job, he feels that his company is getting the strongest protection it could hope for.

"Using the online model has been like outsourcing the entire job to them; theyre looking at the logs and doing the job that we would otherwise be forced to hire someone to do," said Smith.

"IT doesnt make the company any money at all, so were constantly looking for ways to lower overhead while remaining secure; it makes a lot more sense for us to do it this way, as we probably wouldnt be embracing this type of technology without the option of the hosted model."

Smith said the service is also useful in defending other security investments to business leaders, as Alert Logics ActiveWatch offering arms his staff with detailed information about the type of attacks the firms network is facing, and how well its existing network infrastructure is holding up.

The administrator oversees IT operations for 3,500 Lincoln Property employees, and has been using Alert Logic for roughly two years.

While his company is located squarely in the midmarket, Smith said he sees no reason why larger companies wont seek out the savings and security benefits.

Much as Salesforce.com started out in the space and moved upstream into a number of large companies, he said he believes that hosted security services represent the future for everyone.

One of the biggest concerns in outsourcing security is the matter of trusting your companys defenses in the hands of outsiders, but companies effectively already do so by trusting security applications vendors to keep their products updated with the latest threat signatures, Smith said.

"Theres definitely a trust that needs to be in place, I cant say if larger companies are more or less likely to jump in, but Alert Logic had to sell us long and hard before we would trust them," he said.

"But the truth is that security isnt our business, so it makes a lot more sense in the end to defer to the experts, rather than try to develop the expertise on our own."

Alert Logic is perfectly happy to operate in the midmarket, where it has approximately 115 existing customers, and expects to add at least 100 more customers before the end of 2006.

Since most midmarket companies cannot afford traditional intrusion detection systems, based on their high price tags and weighty support demands, the opportunity for the hosted software provider is greatest in the segment, said Chris Smith, vice president of marketing at the firm.

/zimages/3/28571.gifRead more here about Microsoft Exchange Hosted Services, which will provide hosted services in filtering, archiving, continuity and encryption.

However, as the company is contacted by an increasing number of smaller divisions from major companies, he believes that the software as a service model is poised for takeoff in the enterprise.

"Its hard to predict where the trajectory will go, but we have departments in several Fortune 500s, and there seems to be more interest from those types of customers, just as we saw with hosted CRM," Smith said.

"In a broader sense, you also have to consider that security is a different animal within the world of IT, and most IT staffers are generalists; smaller companies have a more acute challenge, but the lack of experienced security expertise is something that almost every company is dealing with today, so outsourcing plays well."

On the topic of whether or not enterprises are as willing to hand over security operations to an outsider as smaller firms, Smith believes the issue of trust may be overblown, as more firms have come around to the notion that channeling sensitive data to hosted services is likely no more dangerous than many of the Web-oriented IT processes they engage in today.

The use of outsourcing services could also become seen as an effective way of passing on some security responsibilities demanded by government regulators onto technology providers, he said.

Philippe Courtot, chief executive of Qualys, which has its U.S. base in Redwood Shores, Calif., said that enterprises are already jumping headlong into hosted security, driven by compliance demands and the other benefits offered by the model.

Qualys customer list boasts marquee business names including DuPont, Hershey Foods, Levi Strauss and Nissan, and is adding new clients of similar stature almost every week, the CEO said.

"The move to the on-demand model for security is inevitable, based on the need for businesses to have around-the-clock protection and support, and the constant drive by leaders to drive down costs, which is what we do," Courtot said.

"The midmarket may be a good fit because many of these companies had no alternative because they couldnt afford traditional security technologies, but the movement were seeing among enterprises shows us that were better positioned for the future than the traditional security market leaders, who will try to follow us into the space."

/zimages/3/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.