Information Security News: Security SaaS maturing fast

[InfoSec News <alerts () infosecnews org>]

http://www.infoworld.com/article/07/08/22/Security-SaaS-maturing-fast_1.html

By Matt Hines
August 22, 2007

Security technologies delivered via the SaaS (software-as-a-service) 
business model may still be in their nascent stage, but some early 
adopters are already piecing together multiple offerings to outsource a 
significant portion of their IT systems defense infrastructure.

One such company is Imperial Chemical Industries, the massive 
London-based maker of paints and chemicals that is in the process of 
being acquired by industrial conglomerate Akzo Nobel to the tune of $16 
billion.

With worldwide business operations and an annual research and 
development budget approaching $60 million, the chemicals giant is 
spending more effort than ever before in securing its assets and data, 
company officials said.

However, utilizing a handful of SaaS applications -- including 
vulnerability scanning tools offered by Qualys, e-mail and anti-spam 
filtering from MessageLabs, and Web filtering provided by ScanSafe -- IT 
executives at ICI claim they are maximizing personnel and budget in a 
manner that traditional on-premise security products wouldn't allow.

"We're pushing the envelope in terms of what's out there with security 
SaaS, but so far, it's been a fantastic success; SaaS can only be 
employed where IT truly benefits from doing something once centrally, 
but there are a number of sweet spots where that approach fits today," 
said Paul Simmonds, global information security director at ICI. "Over 
time we'll likely see a mix with SaaS being used more heavily where it 
can offer benefits of cost and management, just as with general 
outsourcing."

Having used Qualys' vulnerability scanning services for over five years, 
ICI is at the cusp of large enterprises that have begun replacing some 
in-house security tools with subscription-based services.

The company is currently considering use of hosted applications binary 
code scanning tools offered by Veracode, a relatively new start-up, 
under the idea that it can begin integrating multiple SaaS technologies 
to offload larger parcels of its security infrastructure to outside 
specialists, Simmonds said.

With five years of security SaaS experience under its belt, ICI is 
beginning to see the long-term promise of the services offerings, 
according to the executive. But the company is also cognizant that 
despite the benefits of moving to SaaS services, some elements of its 
network and data security must always remain on-site.

"The combination of outsourced vulnerability and binary code analysis 
through combining Qualys and Veracode is the type of thing that could be 
very significant as it's the kind of work that can truly benefit from 
being done once, centrally, in terms of running samples through tests. 
There's a huge opportunity there, and this type of scanning is very 
complex to do on your own," Simmonds said.

"At the same time, like everything else, you need to be selective in 
what you move into the cloud," he said. "Some things are a natural fit, 
but others will never work for this model; there's always a danger that 
when something like SaaS becomes an industry trend, like security 
appliances today, that the market tends to go overboard."

Emerging security tools like NAC systems and endpoint-oriented products, 
including data leakage prevention software, are among the types of 
technologies the ICI security chief said wouldn't ever likely be 
provided via SaaS.

In the meantime Simmonds said that the chemicals behemoth will continue 
to seek out new SaaS security alternatives as they come to market.

Philippe Courtot, chief executive of Qualys, is recognized as one of the 
chief evangelists of security SaaS in general, just as Salesforce.com 
CEO Marc Benioff has become associated with pushing the hosted 
applications model into the enterprise software space.


Security SaaS becomes a new business model

However, with 37 Fortune 100 companies among its enterprise customers 
and a groundswell of interest from smaller firms driving what he labeled 
as rapid growth at the privately-held firm, Courtot claims that security 
SaaS is moving quickly from an emerging phenomenon into a 
widely-accepted business model.

"When we needed venture funding in 2001, no one wanted to back SaaS for 
the enterprise in general, but the time when we needed to evangelize 
security SaaS for customers of any size is pretty much over, it's 
becoming commonplace," Courtot said. "People don't have technical or 
financial resources to deploy traditional on-premise solutions. They're 
being told to reduce cost and do a better job of securing their 
operations, all of which works in our favor."

As an example of the economies of scale offered by security SaaS 
technologies, Courtot said his company recently completed a roll-out of 
its services to a global auto manufacturer covering vulnerability 
testing for 180 different applications operated in 65 different 
countries -- in less than three months. Addressing the same applications 
scanning project using on-premise tools would have taken years, he said.

Qualys counts Nissan Motors and DaimlerChrysler among its automotive 
clients.

"What is driving security SaaS are a few simple reasons: At the low end 
of the market, companies don't need IT people to do the work, and at the 
high-end, CIOs are being pressured to reduce costs and have fewer 
security incidents," Courtot said.

"In the past, you had security people doing the perimeter work, and you 
can still build that infrastructure," he said. "But as soon as you move 
to protect a company from the inside, to provide defense in depth as is 
needed, the degree of difficulty is beyond even the most sophisticated 
companies."

Other security SaaS advocates point to pricing and delivery advantages 
of the model as drivers of continued adoption of the tools.

Veracode CEO Matt Moynahan said that one of the biggest selling points 
of his company's binary code analysis service is the fact that customers 
only pay for the tests that they run using its hosted testing engine and 
that they don't pay for the upgrades to the service that his company is 
constantly working on.

"We're trying to blur the line between broken pricing models, a lot of 
our rivals price by the number of lines of code they're scanning or 
charge per CPU, but we allow companies to simply give us a URL where 
their binary code is and we only test that, and it doesn't matter what 
type of scan or test is involved, it's all part of the subscription," he 
said.

While Veracode, only launched in January 2007, it has signed on several 
major customers, including one of the world's largest networking 
companies and a large Canadian ISP, said Moynahan. He estimates that the 
SaaS model allows the firm to undercut its competitor's prices by 
anywhere from 20 to 40 percent.

Longtime security software market leader Symantec has announced that it 
has already begun the work to create a SaaS iteration of nearly every 
one of its products. Company officials said that as the security giant 
goes through the transition it is gathering feedback from existing 
customers and trying to gauge the best opportunities for SaaS over the 
next several years.

"Any technology evolution like this has its early adopters, and then 
once there are enough proof points, people start to adopt them more 
broadly, but we're already seeing increased interest from customers of 
all sizes," said Chris Schin, director of product management for 
Symantec's hosted Symantec Protection Network.

"I don't think that the time is here for certain enterprises, and some 
may never embrace SaaS, and for securing and scanning the endpoint, 
we'll always likely see tools at the endpoint," he said. "But there will 
be a time when I think all enterprises at least consider SaaS for some 
operations and that this time may be coming soon; adoption does seem to 
be picking up speed as, opposed to some other highly-hyped technologies, 
the promise of SaaS appears to be backing up the hype."


____________________________________
Attend HITBSecConf2007 - Malaysia 
Taking place September 3-6 2007 featuring seven tracks of technical 
training and a dual-track security conference with keynote speakers 
Lance Spitzner and Mikko Hypponen!  -  Book your seats today! 
http://conference.hitb.org/hitbsecconf2007kl/