The pros and cons of security software-as-a-service

Security software-as-a-service can help organizations reduce security headaches but also can present challenges.

Security threats and vulnerabilities have exploded in recent years. Attackers are more sophisticated and focused on information that has tangible value. The result for many organizations worldwide is an outpouring of time and money on security that never seems to slow down.

Sound familiar? If so, you're not alone. Organizations everywhere have gotten caught up in what many see as a security arms race. An ongoing investment in security technologies means constant maintenance and upgrades across multiple tools to stay current with the threat landscape -- regardless of whether this supports the strategic priorities of the business. More than a few wonder if there isn't a better way to manage this investment more intelligently.

For many, the answer is the increasingly popular alternative of security software-as-a-service (SaaS). Software hosted by a third-party service provider has become well established for business applications, but security SaaS is different. While any SaaS offering may offer functionality to enhance security such as access control or secure connectivity, security SaaS exists primarily to support security. Examples include hosted message security and filtration (the expansion of "anti-spam" to include antivirus, anti-malware, and other capabilities such as anti-phishing), vulnerability assessment, Web browsing security, identity management delivered as SaaS for other SaaS services -- and the list keeps growing.

There's something else that stands out about security SaaS: Some organizations have long been reluctant to outsource one of the most sensitive functions in IT, but today many are embracing security SaaS. What are the benefits that are leading enterprises as well as small- to medium-sized businesses (SMBs) to turn to hosted security technology? And what are the factors organizations should weigh before making security SaaS a part of their strategy? We'll examine these issues and provide strategic guidance for organizations considering the SaaS option for security.


If the primary value of security SaaS could be reduced to a single word, it would be "relief." With a SaaS approach, a third-party service provider takes on responsibility for the maintenance of the technology investment. In exchange for a regular, recurring fee, the customer gains ready access to technology that is kept up-to-date with little or no customer action required. For the enterprise, it means expanding the reach of security management and outsourcing many of its complexities, freeing up resources for more strategic priorities. For the small- to medium-sized business (SMB), it puts a higher level of capability within reach.


In Enterprise Management Associates' 2010 survey of security SaaS users, large enterprises and SMBs alike saw improved access to capability with easy adoption as the greatest benefit. In many cases, there is little or nothing for the customer to deploy; they simply enable the service. For message filtration, service activation amounts to adding another relay to the mail system. The same is largely true for adding inline web proxies for safe browsing services. For vulnerability assessment, the capability can be used on-demand. The relatively straightforward adoption of offerings like message filtration has led to more than a few comparisons with utilities that are simply "switched on" -- and a revival of some of the old arguments in favor of what was once called "utility computing." Those considering security SaaS should, however, note that not all hosted security services are created equal in this respect. Readily externalized services such as message filtration may be more easily adopted than the outsourcing of deeply integrated technology on which the business has a critical dependency, such as access management for internal resources. User accounts still have to be provisioned, and may require synchronization with existing accounts.


Once the service is activated, ongoing maintenance becomes the responsibility of the service provider. This shifts the burden of capital investment and maintenance costs to a third party under contract. Capital investments in security products that in the past may have been unpredictable and sometimes challenging to justify in light of their initial costs are shifted over to the operations side of the balance sheet. Barriers to acquiring new security technologies are sharply reduced or eliminated at the cost of a regular and more predictable subscription.

The transparency of technology maintenance enabled by the SaaS model has high appeal. Says one customer of a vulnerability assessment SaaS offering from Qualys: "We began with this provider at version three of their service. Today, we're at version seven, and we didn't have to do a thing. We also got PCI capability added to this service without having to lift a finger -- it just showed up. You can't imagine how happy we are."


Scalability and rapid adaptability are other advantages of security SaaS for large or highly distributed organizations. "Adding capability without having to add a dozen or more security engineers just to use it is a definite benefit for us," says Ed Bellis, CISO for an online travel company that uses a hosted email security service from Postini (now owned by Google) and a hosted vulnerability assessment service from WhiteHat Security. When the service provider adapts to new or emerging issues such as newly disclosed vulnerabilities or threats, it is that much less for enterprise security teams to manage.

Another enterprise benefit of the SaaS model is that some hosted tools can be accessed from virtually anywhere, by any aspect of the customer's organization. Hosted message filtration services can centralize email security across a global organization, improving consistency in accounting as well as defense while providing universal access to the service regardless of location. Vulnerability assessment SaaS enables a global business to cover a wider scope of applications worldwide. One major technology vendor uses this approach to identify issues that require further investigation with onsite tools and expertise, allowing them to better allocate precious security resources where most needed. The scalability essential to a successful SaaS offering further enhances the value of this approach to the enterprise. In effect, the customer "rents" not just the provider's technology, but the capabilities of its data centers as well.

The wide accessibility of a hosted service has been particularly valuable to Terry Wyatt, corporate security officer at a leading health care technology company that uses Hewlett Packard's vulnerability assessment SaaS for Web applications. "We don't have to engineer some complex architecture in order to enable access to findings from an internal tool across all our development teams," Wyatt says. "Each team gets its own portal to the hosted service, where they can find the results they need. Simply outputting results in a PDF report meant for auditors just doesn't cut it for remediation." This approach has played a key role in helping this organization foster more efficient and effective processes for vulnerability management.


Because the provider can distribute its costs across tens, hundreds or thousands of customers, a SaaS model can offer "enterprise-class" security capability to the smallest organization -- and it can do so at the predictable cost of a subscription. For the SMB, this does more than relieve prohibitive initial investment costs and ongoing maintenance burdens; it gives them access to technologies that might otherwise be beyond their reach.

The SaaS model has helped smaller organizations embrace technologies such as single-sign-on for third-party services -- something typically seen as an enterprise-level technology project. Lincoln Cannon, director of Web systems for a 1,500-employee medical device company, was able to use identity management SaaS from Symplified to extend internal single-sign-on to other third-party SaaS resources for office productivity applications and training.

"I knew that traditional approaches to single-sign-on were likely to be too expensive and involved to consider. Using a readily deployed SaaS offering enabled us not only to roll out single-sign-on to third party services, it also allows us to mash up authenticated services at the browser," Cannon says. "Now, when we make changes to documents in our SaaS office suite, they are reflected automatically in our SaaS training service through single-sign-on, relieving us of the need to create documents in one service and upload them to another in separate steps."

Not surprisingly, security SaaS adoption is growing substantially among SMBs. In EMA's 2010 survey of security SaaS customers, responses from organizations having fewer than 2,500 employees were compared to those from larger organizations. While a majority of all respondents (57 percent) indicated their use of SaaS would expand this year, the percentage of SMBs saying their use would grow significantly was five times greater than that of large enterprises (25 percent versus 5 percent).

Advice from the Frontlines
Service providers and their customers say a phased approach is best when adopting security SaaS

As today's providers and customers hammer out the answers to the challenges presented by security SaaS, they are defining how to make the most of the hosted opportunity. What do these early participants in this still-emerging domain recommend to those considering security SaaS?

SaaS providers and customers alike recommend adopting security SaaS in stages wherever it makes sense to do so; they often suggest beginning with services that are most readily adopted. In the enterprise, initial deployments should be contained where possible, limiting the impact on critical business applications and the risk of exposing the most sensitive information. This allows the customer to become familiar with how the provider approaches such issues as SLAs, performance expectations, data confidentiality, and divisions of responsibilities between the provider and the customer.

Such an approach is not always possible when the need outweighs adoption risks. This may be particularly true among SMBs, who may need to outsource a wider scope of functionality. If starting with a limited approach is not feasible, reference customers can help the new client develop a feel for how the service may impact its users, as well as the vital resources or processes it touches. They can also help new customers learn how to make the most of the service, and share experience in working with the provider.

Having a broader potential use case in mind is another way to approach a phased adoption of security SaaS. Terry Wyatt, corporate security officer at a leading health care technology company, says the organization had the eventual integration of vulnerability remediation in view when it first considered Hewlett Packard's vulnerability assessment SaaS for Web applications. In phase one of the adoption, the service was used only by the security team to become familiar with its use and its impact on the organization. In phase two, the outcomes of assessments were first made available to development teams to familiarize them with the new tool for identifying security issues requiring remediation.

By phase three, developers had become sufficiently familiar with the service to initiate assessments themselves, freeing the security team for other important priorities. According to Wyatt, this not only made the most strategic use of limited resources, it also achieved an important objective by breaking down silos of technology and culture to foster a more effective approach to security management.

With all these positive values, why isn't security SaaS transforming security management wholesale? For starters, the broader security SaaS landscape is still taking shape, with a mix of technologies and players both old and new.

This means that vendors and early adopters alike are still defining the optimal balance between what providers offer and what customers demand. Prospective users will want to consider these factors carefully, since the more they ask of their providers, the greater the likelihood that providers will pass the added costs along to the customer, which may put the cost advantages of SaaS at risk. This is no small concern: In EMA's survey of current and former security SaaS users, unmet expectations of cost reduction were the number one reason for dropping a service: 63 percent of those who either quit or reduced their use of SaaS did so because it didn't reduce costs or, in some cases, actually increased them.


The youth of the security SaaS market is itself a factor: Some offerings such as message filtration have been around for years; others are just emerging. Well-proven services may be adopted with higher confidence than those whose impact may not yet be fully known. "We have yet to apply the service to a wider scope of our sites, because we want to make sure it won't tip over critical applications," says one user of Qualys' vulnerability assessment SaaS who, though pleased with the service so far, is taking a cautious approach to developing a thorough understanding of its impact.

The youth of some SaaS offerings is also evident in the service provider's approach to issues such as sensitive data protection. "Some service provider contracts declare values for loss or exposure that are substantially lower than the actual value of the data," says Randall Gamby, an enterprise security architect for a Fortune 500 insurance and finance company. "They don't understand that if they have an incident, we may not recoup our damages."

If the service fills a gap better than anything else, these factors may matter little to the business with a keenly felt need. Regardless, prospective customers will want to learn as much as they can about how service providers address the risks of new services. If the provider has relatively few customers, how significant is the customer's need in light of the provider's capability and its stability as a business? How flexible is an emerging provider willing to be to win business? If it has an established customer base, what do others say about the service? Does it have any key partnerships with other preferred suppliers? How do these factors influence the provider's long-term prospects?


While some security SaaS offerings like message filtration and vulnerability assessment are readily externalized and have limited impact on internal resources and infrastructure, others are not. Security services that are more deeply integrated with internal resources, or those where the service becomes critical to the customer's business, are more complicated to implement. Providers must offer adequate assurance of availability and performance in these cases. The security of the service itself may be a factor, but in some cases this can be addressed with approaches such as those that blend an on-premises interface with external services to give the customer greater control.

Identity management delivered as SaaS, such as the Symplified service Lincoln Cannon's company uses to extend single-sign-on, offers one such example. Providers in this space are aware that many organizations will be reluctant to expose sensitive internal access credentials to public networks. To solve this problem, they may place an interface (either software or an appliance) at the boundary between the customer's premises and access to the SaaS offering. This helps to abstract credentials and secure the customer's link with the service, thereby enhancing protection. Some may refer to this as a "hybrid" approach, but that term has potential for abuse, particularly among vendors who simply add capabilities such as remote management to on-premises products in order to capitalize on the "security as a service" trend.

And there are other considerations where adoption may be less straightforward than simply flipping a switch. For example, does the provider require customers to maintain separate user accounts just for the service, or can they be synchronized with existing accounts? Would a service interruption be "business critical," or can outages or other disruptions be tolerated? SaaS providers know their customers have these concerns, and some are prepared to answer -- where they can. Regardless, those exploring security SaaS will need to understand the various ways in which moving to SaaS can affect their organization.


This brings up the subject of the service level agreement (SLA). Adopters must remember that in exchange for the advantages of outsourcing technology management, the customer gives up a measure of direct control. Should the service be interrupted, compromised, or otherwise fail to deliver as expected, who has responsibility for what?

Providers recognize that customers need assurance that the service will fulfill expectations, but customers need to be clear on what really matters in an agreement. For example, if the customer has compliance or policy obligations to secure sensitive data or make information available in response to an "e-discovery" demand, how does this affect the service provider? What standards or regulatory requirements does the customer adhere to, and are they compatible with the provider's existing practices? How much visibility does the customer have -- or want -- into how the service provider meets expectations? What about disaster recovery and business continuity? And what assurances can the provider offer to make good on its commitments?

Other SLA factors may enter into play should the customer choose to leave the service. Can the customer take any relevant configuration data, activity logs, or other meaningful management information to a competitor? When data sensitivity is a factor, does the provider commit to secure erasure after service ends -- or, for that matter, whenever the data is no longer needed? If so, to what extent (if any) can the customer verify this? Does the service offer any alternatives that would relieve or eliminate the need for secure erasure in such cases, such as helping the customer to mask, tokenize or encrypt sensitive information?

Prospective customers should remember that just because a SaaS application is designed to meet the needs of a wide variety of users, that doesn't necessarily mean that the service can't be tailored to meet specific requirements. But they should also remember that this likely comes at a cost. Providers who offer affordable yet realistic assurances against the risks of outsourcing will likely be recognized by customers as being more responsive to their needs, giving the provider an edge in an emerging field where many already see high value.


Where will the security SaaS trend lead? Will it transform IT security technology as we know it today? In some cases, it's easy to imagine where vendors may go next. Antivirus vendors already offer products as well as hosted services that provide inline protection for email and messaging systems. They also provide signature updates to their antivirus products as a service. Not surprisingly, some AV vendors have recently moved to extend their services even further, with antivirus and anti-malware coverage for endpoints delivered as SaaS. Data loss prevention (DLP) effectively complements inbound message filtration with outbound control, so its deployment as SaaS may not be far off. Encryption services could complement hosted DLP, broadening the scope of data security offered as a service.

In other cases, it may be difficult to imagine outsourcing more sensitive functionality to a third party, but consider where security services have already made inroads. Deeply integrated technologies such as security information and event management (SIEM) take input from security tools throughout the enterprise, but event management and incident response are already part of the managed security services (MSS) landscape. Can the deployment of the underlying technology as a service in its own right be far behind?

This illustrates how security SaaS is itself part of a larger spectrum of "security as a service." In a certain light, SaaS could be seen as a form of managed service, since the customer effectively outsources the maintenance of the technology to the service provider. This is something to consider when SaaS may not yet be the right answer for a certain need today. Outsourcing deeply integrated security infrastructure may not yet lend itself to a SaaS model, but that may change if or when trends such as cloud computing take hold. Until then, prospective customers should bear in mind that managed security services can help fill the gap between the outsourcing of technology and the outsourcing of the expertise needed to optimize on-premises efforts.

As the value of security SaaS continues to emerge, and answers to customer questions and concerns unfold, its true potential will become clearer. A number of both established and emerging vendors -- and more than a few customers -- already see it as playing a decisive role in shaping the future of IT security. In the EMA survey, the majority of today's adopters (59 percent) see security SaaS as more strategic than tactical. They see it as expanding capability and shaping their strategy rather than simply filling operational gaps.

The promise security SaaS offers for eliminating some of the most onerous headaches of security management and freeing customers to tackle more strategic priorities is not lost on these early adopters -- nor is it lost on vendors staking their future on its potential.

Scott Crawford, CISSP, CISM, is managing research director of the security and risk management practice with Enterprise Management Associates (EMA), an IT industry analyst and consulting firm. Send comments on this article to [email protected].