Security technologies delivered via the SaaS (software-as-a-service) business model may still be in their nascent stage, but some early adopters are already piecing together multiple offerings to outsource a significant portion of their IT systems defense infrastructure.
One such company is Imperial Chemical Industries, the massive London-based maker of paints and chemicals that is in the process of being acquired by industrial conglomerate Akzo Nobel to the tune of $16 billion.
With worldwide business operations and an annual research and development budget approaching $60 million, the chemicals giant is spending more effort than ever before in securing its assets and data, company officials said.
However, utilizing a handful of SaaS applications -- including vulnerability scanning tools offered by Qualys, e-mail and anti-spam filtering from MessageLabs, and Web filtering provided by ScanSafe -- IT executives at ICI claim they are maximizing personnel and budget in a manner that traditional on-premise security products wouldn't allow.
"We're pushing the envelope in terms of what's out there with security SaaS, but so far, it's been a fantastic success; SaaS can only be employed where IT truly benefits from doing something once centrally, but there are a number of sweet spots where that approach fits today," said Paul Simmonds, global information security director at ICI. "Over time we'll likely see a mix with SaaS being used more heavily where it can offer benefits of cost and management, just as with general outsourcing."
Having used Qualys' vulnerability scanning services for over five years, ICI is at the cusp of large enterprises that have begun replacing some in-house security tools with subscription-based services.
The company is currently considering use of hosted applications binary code scanning tools offered by Veracode, a relatively new start-up, under the idea that it can begin integrating multiple SaaS technologies to offload larger parcels of its security infrastructure to outside specialists, Simmonds said.
With five years of security SaaS experience under its belt, ICI is beginning to see the long-term promise of the services offerings, according to the executive. But the company is also cognizant that despite the benefits of moving to SaaS services, some elements of its network and data security must always remain on-site.
"The combination of outsourced vulnerability and binary code analysis through combining Qualys and Veracode is the type of thing that could be very significant as it's the kind of work that can truly benefit from being done once, centrally, in terms of running samples through tests. There's a huge opportunity there, and this type of scanning is very complex to do on your own," Simmonds said.
"At the same time, like everything else, you need to be selective in what you move into the cloud," he said. "Some things are a natural fit, but others will never work for this model; there's always a danger that when something like SaaS becomes an industry trend, like security appliances today, that the market tends to go overboard."
Emerging security tools like NAC systems and endpoint-oriented products, including data leakage prevention software, are among the types of technologies the ICI security chief said wouldn't ever likely be provided via SaaS.
In the meantime Simmonds said that the chemicals behemoth will continue to seek out new SaaS security alternatives as they come to market.
Philippe Courtot, chief executive of Qualys, is recognized as one of the chief evangelists of security SaaS in general, just as Salesforce.com CEO Marc Benioff has become associated with pushing the hosted applications model into the enterprise software space.
Security SaaS becomes a new business model
However, with 37 Fortune 100 companies among its enterprise customers and a groundswell of interest from smaller firms driving what he labeled as rapid growth at the privately-held firm, Courtot claims that security SaaS is moving quickly from an emerging phenomenon into a widely-accepted business model.
"When we needed venture funding in 2001, no one wanted to back SaaS for the enterprise in general, but the time when we needed to evangelize security SaaS for customers of any size is pretty much over, it's becoming commonplace," Courtot said. "People don't have technical or financial resources to deploy traditional on-premise solutions. They're being told to reduce cost and do a better job of securing their operations, all of which works in our favor."
As an example of the economies of scale offered by security SaaS technologies, Courtot said his company recently completed a roll-out of its services to a global auto manufacturer covering vulnerability testing for 180 different applications operated in 65 different countries -- in less than three months. Addressing the same applications scanning project using on-premise tools would have taken years, he said.
Qualys counts Nissan Motors and DaimlerChrysler among its automotive clients.
"What is driving security SaaS are a few simple reasons: At the low end of the market, companies don't need IT people to do the work, and at the high-end, CIOs are being pressured to reduce costs and have fewer security incidents," Courtot said.
"In the past, you had security people doing the perimeter work, and you can still build that infrastructure," he said. "But as soon as you move to protect a company from the inside, to provide defense in depth as is needed, the degree of difficulty is beyond even the most sophisticated companies."
Other security SaaS advocates point to pricing and delivery advantages of the model as drivers of continued adoption of the tools.
Veracode CEO Matt Moynahan said that one of the biggest selling points of his company's binary code analysis service is the fact that customers only pay for the tests that they run using its hosted testing engine and that they don't pay for the upgrades to the service that his company is constantly working on.
"We're trying to blur the line between broken pricing models, a lot of our rivals price by the number of lines of code they're scanning or charge per CPU, but we allow companies to simply give us a URL where their binary code is and we only test that, and it doesn't matter what type of scan or test is involved, it's all part of the subscription," he said.
While Veracode, only launched in January 2007, it has signed on several major customers, including one of the world's largest networking companies and a large Canadian ISP, said Moynahan. He estimates that the SaaS model allows the firm to undercut its competitor's prices by anywhere from 20 to 40 percent.
Longtime security software market leader Symantec has announced that it has already begun the work to create a SaaS iteration of nearly every one of its products. Company officials said that as the security giant goes through the transition it is gathering feedback from existing customers and trying to gauge the best opportunities for SaaS over the next several years.
"Any technology evolution like this has its early adopters, and then once there are enough proof points, people start to adopt them more broadly, but we're already seeing increased interest from customers of all sizes," said Chris Schin, director of product management for Symantec's hosted Symantec Protection Network.
"I don't think that the time is here for certain enterprises, and some may never embrace SaaS, and for securing and scanning the endpoint, we'll always likely see tools at the endpoint," he said. "But there will be a time when I think all enterprises at least consider SaaS for some operations and that this time may be coming soon; adoption does seem to be picking up speed as, opposed to some other highly-hyped technologies, the promise of SaaS appears to be backing up the hype."