IT security

Trend: Businesses increasingly rely on SAS for security

Published 20 July 2009

More and more companies have gravitated toward the idea of “software as a service” (SAS), using software that is delivered remotely instead of hosted on in-house servers, and more and more companies are now offering security products as services. But is it the best approach to security?

Where there is a security need, there is a business opportunity. Businesses looking to make their IT departments more efficient and cost-effective have gravitated toward the idea of “software as a service” (SAS) — using software that is delivered remotely instead of hosted on in-house servers. Recognizing this trend, several computer-security companies have begun offering their products as services. McAfee, for example, has just released a new version of a suite of security products called Total Protection Service, as part of its own push toward “security as a service.”

Technology Review’s Erica Naone writes that the security industry’s shift toward delivering software from “the cloud” highlights some of the difficulties involved in transitioning to this approach. Experts agree that the newer approach can increase efficiency and bring technical benefits, but some also warn that not all security products work well when delivered this way. Since companies often disagree over what it means to provide software as a service, the shift can also create confusion for potential business customers looking to evaluate their options.

McAfee’s Total Protection Service suite operates remotely, with the exception of a few small pieces of software installed on individual employees’ computers. The product protects computers against Web and e-mail threats, monitors inbound and outbound network traffic, and analyzes devices connected to a corporate network. It also assesses a company’s website for potential vulnerabilities that attackers could exploit.

McAfee’s upgrade to Total Protection Service is a logical expansion of what the company was already doing, says Natalie Lambert, a security analyst for Forrester Research. Lambert says that other companies are likely to follow suit, by offering products that shift as much as possible into the cloud in order to appeal to clients looking to lower costs. For now, she notes, McAfee’s traditional products still have more functionality than what it’s offering as a service; in the future, she expects little difference.

Spain-based Panda Security is another company that offers security products delivered as a service. Josu Franco, the company’s corporate customer unit director, says the approach can save customers money, particularly when employees work from a variety of locations, and can streamline the process of managing software and keeping it up to date. He adds, however, that fully protecting a business still means installing some software on the devices being protected. Moving security completely into the cloud, while also protecting the end user’s device, “is not a viable option today.”

Some security products make more sense delivered as a service than others, according to John Pescatore, who specializes in security and privacy as a vice president and research fellow at Gartner Research. It makes sense, he says, that most e-mail security products are based in the cloud, since e-mail comes to organizations through the Internet and can be filtered before arriving. Denial-of-service attacks, which involve flooding a computer server with dummy requests that make it impossible for it to respond to legitimate traffic, are also good candidates for cloud-based solutions, Pescatore says. In fact, many companies already rely on Internet-service providers to filter their Web traffic remotely.

Naone notes that other common security products, such as firewalls, which rely on large amounts of bandwidth, make less sense delivered via the cloud. Products that are heavily tied to internal computer processes, such as authentication and access-control software, also work better on-site, Pescatore says. Furthermore, if a product still requires a customer to install some software, Pescatore doesn’t consider it a true security-as-a-service offering.

Paul Judge, chief technology officer of Purewire, an Atlanta-based Web security company, argues that the software-as-a-service approach is especially suited to handling modern Web threats. This is because users typically use a range of different devices and networks to do business, requiring, he says, “an approach that can always sit between the user and the Web, no matter where the user is.”

While the service approach is perceived as a way to save money, Judge says it can offer unique technical advantages too. It is possible to analyze threats better from the cloud than from a single appliance installed for a client. For example, some JavaScript attacks require deeper analysis to be detected, and a single device may not have the necessary processing power. By centralizing the task in the cloud, Judge says, his company is able to use specially designed hardware that enables deeper analysis at a higher speed.