Covering your SaaS: Does it make sense for security?
Blogger: Trent Henry
Software as a Service (SaaS) is quite the rage. Google, Microsoft, Salesforce.com... The list of vendors providing such capabilities goes on, and it's becoming a who's who in the software industry. The value proposition is obvious: use the Internet to connect to software hosted and managed by someone else; don't buy equipment, don't staff personnel, and don't take on the headaches of running IT in-house. The desired result is cost savings. And it's definitely been borne out by customer testimonials. They say there are advantages in reduced capital expense, faster deployment, better focus on core business activities, and pay-as-you-go capacity planning.
But what about SaaS for security?
I'm not talking about the security practices of SaaS vendors themselves, although that is a tantalizing question. Rather, does information security SaaS itself make sense? Firewalls are software, right? E-mail filters are software. Arguably, all the major protection mechanisms from the perimeter layer on down could become services. It might not be fun to think about back-hauling all Internet traffic to the firewall service provider for filtering, but, hey, it's certainly possible (and, frankly, we're often already doing the equivalent with branch sites). Probably the question isn't "can" but rather "should" security become SaaS?
It's a good question to ask because vendors are lining up to offer solutions, and we'd better have our stories straight before management makes the decision for us. The latest company to enter this fray is Symantec, with a recent announcement about the Symantec Protection Network. This is an evolving platform for delivering security SaaS. It's not a managed security service (MSS), mind you, with simple remote monitoring of your premises infrastructure, but rather the first step toward what is intended to be "security in the cloud." Clearly we've seen elements of this before. Iron Mountain Digital and Sungard provide remote network backup. Postini and MXLogic (among others) provide e-mail filtering offsite. These two features are ones Symantec plans to roll out, accompanied by others (no doubt reflective of Symantec's enterprise security suite features) over time.
Is it a good idea? For companies with limited staff and expertise, the phrase "stick to core competencies" certainly resonates. Perhaps SaaS-provided security is better than no security (or bad security). But for a large enterprise, it's not so clear. The goal of information protection is to reduce risk by adding controls for confidentiality, integrity, availability, use control, and accountability. Risk reduction and cost savings don't have to be antithetical, but short-changing risk at the, er, expense of cost-reduction would be a bitter pill to swallow. And this might be what SaaS security offers in the near term: less cost, but more risk.
It's an issue that's soon going to be critical for CISOs and their teams to tackle. We're discussing it at the end of the month at Burton Group's Catalyst conference. Eric Maiwald's talk, "SaaS for Collaboration and Content: A Smart Move or an Invitation to Disaster?" will be a key element. Join in the conversation.