Just about the only business-naming trend hotter these days than "as a service" is "in the cloud," and IT security offerings are no exception. "The cloud has become a trendy buzzword," says Craig Balding, a security practitioner at a Fortune 500 company, and proprietor of cloudsecurity.org. "Now's a great time to re-brand all those hosted services and call them cloud based."
Gartner analyst Kelly Kavanagh puts it more bluntly: "Wall Street is enamored with anything 'as a service.' Buyers, however, couldn't care less. They're getting the same slice of baloney."
Adding his entree to the sandwich menu is Jay Chaudhry, a serial entrepreneur whose credits include building and selling CipherTrust, AirDefense and others. Chaudhry recently launched Zscaler, a new security vendor that claims an in-the-cloud security as a service offering that will "change the way businesses allow users to access the Internet."
But Zscaler joins a crowded field, as just about every vendor formerly known as a managed security service provider goes through the name change. And, at the same time, the market for outsourced security services stares down a likely transformation as other applications and services move into the cloud, changing the way enterprises buy tools and services.
Gartner defines "security-as-a-service" as "security controls that are owned, delivered and managed remotely by one or more providers" and consumed in a one-to-many model on a pay-per-use basis or as a subscription based on use metrics, says Gartner's Kavanagh. However, Gartner takes issue with the trend toward using the two terms interchangeably, instead defining in-the-cloud security as security functions that are provided by the Internet access provider and generally not separable from the bandwidth provider. Kavanagh puts services like DDoS prevention and carrier-provided URL blocking in the in-the-cloud category.
The consultancy, in a November 2007 report, also separates security services offered on an MSSP basis, through external hosting, insourcing, and maintenance services. Gartner pegged this entire security market at $18.1 billion in 2006 and forecasts the "as-a-service" market to grow at a compound annual rate of 30 percent through 2012.
Zscaler's security-as-a-service offerings include signature-based anti-spyware and antivirus; standard URL filtering along with the ability to manage access to Web 2.0 features; data leakage protection through the HTTP channel; and log analysis and forensics capabilities. Chaudhry likes to compare his company to that other "as-a-service" standout, Salesforce.com. "Just as Salesforce.com's multi-tenant architecture differentiated it from the current solutions, Zscaler's architecture, coupled with a global security network, sets a new standard in the SaaS security space," Chaudhry says in the press release unveiling the new venture.
Analysts say Chaudhry is on the right track with Zscaler. "It's hard to evaluate this particular endeavor in light of five years from now, but we've seen a fair amount of pretty good interest in some of the functions he's talking about delivering remotely," Kavanagh says. "But I think the list pricing they talk about is high. To be long-term viable they really need to emphasize that you can displace two or three products that you already own (for the same price)."
The advantages to the security-as-a-service model, if implemented correctly, should be the avoidance of major capital expenses and utilization of high-availability, low-latency commodity services, along with low switching costs if a new provider offers a better deal. Also high on the list is the absence of infrastructure maintenance costs and hassle. "One of the things that's very powerful about SaaS, or security as a service, is that you can take on infrastructure, software and hardware, and leverage that across multiple clients," says Corey Merchant, vp of product management at SecureWorks. "That's as opposed to having to deploy individual copies of software, and this way when updates are made all the clients benefit immediately."
The drawbacks, Kavanagh says, could include the risk of total disruption of service if the provider goes down; the inability to implement highly customized builds; loss of change control; and a "hidden lock in" to a particular vendor.
The services most ripe for security-as-a-service delivery include messaging, threat and vulnerability data, and remote vulnerability assessment. Gartner predicted last year that functions unlikely to be delivered as a service include intrusion detection systems, security event management, log management and network access control and content monitoring and filtering. But some of those predictions have already fallen flat, with Zscaler, SecureWorks and others offering some or all of these "as a service."
So the bottom line is that security-as-a-service is likely to grow briskly, along with all those other software-as-a-service and cloud computing applications that are the buzz right now; think of virtualization as the first step. Follow this trend down its logical path, and it means that institutions that elect to purchase software as a service, or resources in the cloud, may also have to adapt where they purchase their security services. Given this, security vendors will see their delivery model, and perhaps customer bases, shift. "They're going to have to mutate," Balding says. "They're not going to be able to sell all those boxes that sell the security magic into the enterprises to the same extent they have been ... the security vendors will be hooking into APIs provided by these cloud providers."