When you ask IT professionals if they use cloud computing or software-as-a-service, most start by saying "no". But if you
ask some follow-up questions, you will quickly find out about "that one application" that is a SaaS application.
In security, this effect is even more pronounced. Companies don't think they use security-as-a-service or "cloud" security.
Yet, many do, in the form of messaging security: e-mail antispam and antivirus. This type of security outsourcing, where security
is delivered as a service from the cloud and without on-premise hardware, is growing 12% year-on-year. It's becoming a great
outsourcing option for companies that lack the skills or do not want to retain and maintain the skills in some security function.
Of course, not all security functions are suitable candidates to move into a cloud environment. Messaging security is particularly suited to cloud delivery for
two reasons. Firstly, e-mail travels through external gateways anyway, so security professionals don't have to worry too much
about putting their data "out there". Secondly, e-mail transmission has variable latency measured in minutes, so adding an
external gateway won't delay things noticeably.
In our research we've found that e-mail antispam accounts for the vast majority of cloud-based security services. Of those
companies using some form of security-as-a-service, 84% used e-mail antispam services. Antivirus was the second most common,
with a 42% share among security-as-a-service users. Other services include cloud-based firewalls, intrusion-prevention systems
(IPS), protection against distributed denial of service (DDoS) and vulnerability scanning.
Many of the above-mentioned security services are well suited to cloud delivery. Controls like firewall, IPS and DDoS protection are best applied on the far side of an Internet or WAN connection as they result in a reduction of transmitted data. Filtering
the unwanted traffic means less traffic to carry across expensive links and less pressure to upgrade congested links. Another
advantage of cloud delivery is the external perspective of the service provider, as is the case with vulnerability scanning,
where those buying the service want to know what vulnerabilities are visible from the outside (this is often a specific regulatory
requirement).
So why are companies buying security-as-a-service or "cloud" security? As with most outsourcing, there are a number of business
drivers that may be influencing the decision to purchase these services. Conventional wisdom would point to "cost" as the
top reason and, as in many other situations, the conventional wisdom is wrong. In fact, the primary driver for adoption of security-as-a-service
is that companies see these external services as more effective than in-house solutions. Antispam for e-mail is a good example
-- it's at the front lines of the security "war" and involves constantly changing attacks and countermeasures. What worked
a few months ago and gave your company pristine mailboxes will almost certainly result in a tsunami of spam a few months later.
So hiring, retaining and re-training people to fight this battle is expensive and less effective than hiring an external company
to do it for you.