SaaS Secures in Uncertain Times
SaaS Improves Web and Email Security in Tough Times
The software-as-a-service model can help you stay ahead
of Web and email threats without breaking the bank
on infrastructure and management.
There are three truisms about a tight economy that every IT manager knows: You have to
support more projects with fewer people and tighter budgets; approvals for infrastructure
build-outs are scarce; and it’s your job to ensure employee productivity remains high .
Spending is going to
These may seem like Herculean tasks, especially when you’re dealing with ever-increasing
be affected by this
threats to your Web and email networks, but IT executives and industry experts say success
so organizations need
can be found by moving to a software-as-a-service (SaaS) delivery model . “Spending is
to rethink how they
going to be affected by this economic slowdown, so organizations need to rethink how
they manage noncore, yet critical, tasks such as Web and email security,” says Brian Burke,
yet critical, tasks
program director for security products at Framingham, Mass .-based research firm IDC .
such as Web and
Recently, enterprises of all sizes have turned to gateway appliances to block spam, scan for email security.
viruses, and perform URL and content filtering . But performing these tasks on the network – Brian Burke,
Program Director for
can be costly in terms of hardware, software, bandwidth and administration . For instance, Security Products, IDC
a boost in spam oftentimes results in the need for additional appliances and licenses,
increased email server capacity, expanded storage space, a hike in bandwidth, and
dedicated man-hours to deploy and manage these infrastructure build-outs .
These expenses are hard to fathom in today’s fiscally challenged environment . “Organizations are definitely experiencing
appliance fatigue . The number of boxes they have to manage is overwhelming, and the costs continue to add up,” Burke says .
To combat this problem and free up valuable resources, companies are starting to use Web and email security SaaS to handle
threats before they hit the network . This approach not only helps to save time and money, but it actually improves protection
by defeating today’s highly complex and dynamic threats in the cloud, in real time .
Understanding Today’s Vulnerabilities
While IT budgets may be shrinking, there is definitely no shortage of attacks IT professionals
face in regard to Web and email . Burke says the link between the two is becoming indis-
tinguishable, thanks to the use of Web 2 .0 technologies such as social networking, Wikis A lot of email servers
and blogs in the workplace . He adds that spam is also on the rise, accounting for more than
and appliances are
80% of all enterprise email, and the number one threat to email security is now embedded
URL links within these messages .
they can’t keep up
with the volume
These statistics make it easy to understand how vital a comprehensive Web and email they’re expected
security plan is to an organization . In fact, Burke predicts that Web and email security are to handle.
so intertwined that in the near future IT teams will address them in a unified manner . – Brian Burke,
Program Director for
Security Products, IDC
Until then, trying to stay on top of these threats on-premise in terms of infrastructure and
knowledge is a costly and exhausting endeavor for many enterprises . “A lot of email servers
and appliances are faltering because they can’t keep up with the volume they’re expected to
handle,” Burke says . And with new viruses and malicious Web sites popping up with abandon, IT organizations have had to be-
come security gurus, chasing down signatures piecemeal, pushing out updated policies, and adding to URL blacklists, all while
being careful not to hamper user productivity with application downtime and false positives .
In addition, many organizations are beholden to data retention laws, so any messages that make their way onto the network —
even spam — must be stored for a certain length of time . The result: an incredible waste of storage resources .
SaaS Secures in Uncertain Times
Before we look at how SaaS specifically addresses Web and email security challenges such as those discussed above,
let’s look at how SaaS is beneficial in general .
With SaaS, an application is hosted and delivered over the Internet by a provider,
negating the need for on-premise hardware, software or dedicated personnel .
Rather than continually paying for hardware, software and maintenance licenses,
you pay a fixed price on a per-user basis that provides everything you require,
including all support and maintenance . This enables you to dynamically add or $80
subtract users based on your growth, paying only for what you need, when you $60
need it . Also, because SaaS is essentially a subscription, companies can count
application usage as an operating expense as opposed to a complicated — and
depreciating — capital expenditure . In fact, one esearch firm found that a SaaS $20
solution can reduce the annual application cost per user from $100 to $60 versus $0
a traditional appliance-based solution . Appliance SaaS
SaaS also offers companies leverage vs . on-premise solutions because they are based on service-level agreements . This key
differentiator means that companies have a contract with the service provider to guarantee optimal performance and reliability .
SaaS applications generally offer similar functionality as their on-premise counterparts, but with a distinct benefit . As soon as
the provider develops new features, customers can take immediate advantage of them without having to spend time download-
ing and testing code to ensure proper network integration . In addition, SaaS is controlled through a team’s Web-based console
so IT can easily set and manage company use policies for all users .
SaaS and Security: A Natural Fit
Where the SaaS model really hits home is with Web and email security because it provides IT teams a way to stop threats
before they clog — or take down — the network . All vulnerabilities are dealt with in the cloud .
To understand the economic ramifications, consider this real-world example . At Dallas
County Community College District (DCCCD) in Mesquite, Texas, the email network supports
inbound and outbound messages for more than 65,000 mailboxes . Of the almost 3 million
There’s no question
messages DCCCD received each day, more than 95% were spam, exposing the district to
worms, bots and other vulnerabilities that threatened the network and user productivity . To
Security SaaS] has
manage that spam explosion on-premise, DCCCD would have had to add more staff, appli- taken a significant
ances, bandwidth and other infrastructure . load off the network in
terms of server capac-
Instead, DCCCD switched over to Webroot E-Mail Security SaaS, which was “as easy as
ity, bandwidth and
changing a record in our domain name server to redirect to Webroot,” says Steve Glick, As-
sociate District Director for Information Technology at DCCCD . “There’s no question this has
taken a significant load off the network in terms of server capacity, bandwidth and
– Steve Glick,
Associate Director for
storage space .” Information Technology, DCCCD
Webroot E-Mail Security SaaS has also alleviated the burden on Glick’s network support
specialist, who was tasked with supporting the security appliances and their surrounding
infrastructure . Now, instead of having to beef up staff, Glick has been able to redeploy the network support specialist to other,
more strategic projects . “Web and email security SaaS are particularly helpful for IT organizations that lack dedicated security
personnel,” Burke says . “Because security is their primary focus and they are watching for threats across a broad spectrum,
SaaS providers like Webroot are better equipped to detect new vulnerabilities and ensure your on-site and mobile workers are
thoroughly protected .”
SaaS Secures in Uncertain Times
Cutting-Edge Tools and Services
Webroot uses a combination of multiple best-of-breed antivirus and anti-spam engines as well as its own anti-spyware tool,
Webroot Spy Sweeper®, and an automated threat research system to keep its Webroot Web Security SaaS and Webroot E-Mail
Security SaaS services cutting edge . Users are also protected by zero-hour heuristic filters that guard against new and unknown
virus variants and keep false positives low . And because traffic is filtered through Webroot data centers, distributed denial-of-
service attacks can be neutralized before they reach corporate mail servers .
Using the multivendor approach for anti-virus engines also allows Webroot to offer a high-quality, inexpensive SaaS solution
without compromising security . Companies can cost-efficiently guarantee that their corporate acceptable usage policies regard-
ing Web sites and content are enforced for on-site and remote workers . In fact, Webroot Web Security SaaS can apply proactive
notification of company Internet use policy to search engine results, indicating whether a site can be accessed, potentially
contains malware, or is blocked .
That’s one of the attractions for Adam Edwards, partner at London-based Cumberland Ellis
Law Firm LLP who has to ensure that his users are protected from inappropriate content
while complying with the firm’s Internet use policies, best practice and the law . “Email and Because security is
Web are at the core of everything we do here, and we have a certain level of paranoia about their primary focus
our clients’ privacy and security . We have to make sure that we maintain absolute confidenti- and they are watching
ality and properly secure our clients’ data, a part of which includes ensuring that we are not for threats across a
attacked or compromised by malicious code via the Web,” Edwards says . broad spectrum, SaaS
providers like Webroot
Edwards relies on Webroot Web Security SaaS and Webroot E-Mail Security SaaS to ensure
are better equipped
that preconfigured corporate policies are being adhered to without hampering employee
to detect new vulner-
productivity . He uses the Web-based console to track and mitigate false positives and to
abilities and ensure
make sure that employees can access the spam quarantine . But it’s not only policy enforce- your on-site and
ment that Edwards enjoys about Webroot Web Security SaaS and Webroot E-Mail Security mobile workers are
SaaS . He’s also a fan of the inherent disaster recovery feature, which has saved him the cost thoroughly protected.
of installing a more fault-tolerant system on or off-site .
– Brian Burke,
Program Director for
For instance, the law firm recently suffered a Microsoft Exchange Server outage, but users Security Products, IDC
were still able to access their email via the Webroot service . “If we had to maintain an off-site
mirrored Exchange Server ourselves, it would be a costly technical feat . This way, we always
have the previous month’s worth of email at the ready wherever in the world our employees
are,” Edwards says . The biggest cost benefit of the Webroot SaaS offerings is the security expertise the company brings to the
table at a significantly lower TCO . “From a practical standpoint, there’s no way with only one full-time IT manager supporting 80
users that we can fully master every aspect of security in-house,” Edwards says . “Web and email security require 24/7 attention,
and since that is Webroot’s business, they have a much greater chance of recognizing and blocking threats than we ever could .”
SaaS Secures in Uncertain Times
SaaS Marks the Next Step in the Journey
In an uncertain economy, businesses of all sizes are struggling to find new ways to survive.
The same is true for information technology teams, which are being forced to reevaluate
how they deploy and manage applications across the enterprise. Webroot CEO Peter Watkins
recently discussed this difficult environment with Technology Editor Sandra Gittlen and ex-
plained how IT teams can cost-effectively tackle one of the most difficult challenges, Web
and email security, with software as a service (SaaS).
Q: How has application management, particularly in the areas of Web and email security, changed
for it in the past few years?
A: The bar has constantly been raised for how IT deploys and runs existing applications . There is tremendous pressure
to cut costs and drive out redundancies throughout their current systems as well as to find efficiencies in implementing
new applications . Many organizations have been burned by applications that were too complex to deploy and manage .
Q: How does the economy compound this struggle?
A: I’m not sure most IT managers have experienced this type of recessionary climate before and, unfortunately, many are
going to be subject to disproportionate cuts in terms of staffing and budget . Companies will be thinking only about
what directly brings money in the door — such as new sales applications — and expect other areas to be severely
scaled back or delayed . In addition, they will expect what has become the base of services that IT provides, such as
email and Web security, to become utilities and be provided at the lowest possible cost .
Q: How can software as a service lessen this burden?
A: Let’s start with the primary benefit of SaaS — it’s far easier to deploy and manage because there is zero to minimal
implementation of hardware and software needed within an organization . This eliminates many of the costs associated
with a typical security project . For instance, if you are trying to secure Web and email access at remote sites, you no
longer have to send out a staff member to install and manage an appliance or other infrastructure . Also, the length
of your deployment will be dramatically shortened because there is nothing to install and no interaction with the
network or desktop to worry about .
Too often, we hear about IT teams that tried to roll out an on-premise solution only to find it was more complex than
they planned, needing more bodies, more time and more money . With SaaS, you can trial the application and see
firsthand what the deployment cycle entails . Often-times, you can have your application up and running enterprise-wide
within a few hours, freeing your staff and budget for other, more strategic purposes .
SaaS solutions in the security space are also far more effective than their on-premise counterparts . With an on-premise
solution, customers are stuck with the single antivirus tool and signature recognition software their vendor uses .
Conversely, Webroot uses a multivendor approach, including five different antivirus engines, to block malicious
code from getting inside your organization .
Q: Have you noticed that overall organizations are more accepting of SaaS solutions than they
were even a year ago?
A: Definitely . It’s skyrocketing in areas such as CRM and payroll . Email security is already well past the early adopter
phase and we expect Web security to experience the same growth over the next few months . And while there is still
more education that has to be done about SaaS, organizations are starting to realize they don’t want viruses, spam and
other threats to come onto their network so they are seeing the value of dealing with those vulnerabilities in the cloud .
Q: Who typically holds the decision-making power regarding SaaS within an organization?
A: When it comes to email and Web security, that’s clearly the domain of IT . They take the lead and specify what they
want, to make sure there are clean pipes to and from the Internet .
Q: What changes has the SaaS industry undergone that makes it more appealing to
A: Before SaaS, there were application service providers that hosted what was essentially on-premise software out of
data centers . While they modified the applications to be Web-friendly, they were kludgy . SaaS offerings have been
engineered from the ground up to be delivered over the Web . And they also support multi-tenancy — allowing more
than one customer on a server — to drive down costs . In addition, these services have been optimized in terms of their
Web interface, performance, Internet delivery infrastructure, security and other key areas . In many ways, they offer far
better reliability these days than most corporate networks .
Q: Do you think organizations will go back to on-premise solutions when we pull out of this
A: No, I think we are on a very clear evolutionary path here . Early on, IT was gung ho to buy and deploy software
themselves . Then they turned to appliances because they offered an all-in-one solution . Each step has been designed
to make application deployment and management simpler . And SaaS is clearly the next step in that journey . I’m
confident SaaS will prove from a technical, ease of use and pricing perspective to be a benefit to IT organizations
everywhere for the foreseeable future .
Sandra Gittlen is a Massachusetts-based technology writer.
SaaS Secures in Uncertain Times
Getting the Most From SaaS
Signing on with a software-as-a-service (SaaS) provider may have you worried that you are giving up
control, but that doesn’t have to be the case. Here are some surefire ways to guarantee you stay in
the driver’s seat.
1. try before you buy.
There’s no better way to understand how SaaS will benefit your environment than seeing results for yourself . While this
can be cumbersome with appliances and on-premise solutions, SaaS offerings make evaluating the benefits of Web and
email security as easy as redirecting your traffic to an alternate URL or altering your MX record . You can even send
production traffic through the SaaS provider’s environment to check real-time latency and the other impacts on the
end-user experience .
2. Get it in writing.
The most important part of any SaaS offering is the service-level agreement (SLA), which outlines your provider’s guar-
antees . You’ll want to make sure that the SLA covers performance, uptime, notification of downtime, and other critical
factors as well as the repercussions for failing to meet those guarantees . For instance, your provider should offer 24/7
availability . You’ll also want a false-positive rate for catching viruses that is lower than 1 in 400,000 . To ensure these
metrics are being met, have your provider send you regular reports .
3. Know your compliance mandates.
When it comes to security, it’s imperative that you understand the guidelines for data protection that your company
must follow . For example, do you have requirements that dictate how long you have to retain business records or privacy
restrictions regarding customer information? Develop policies that reflect these mandates and then convey them to your
SaaS provider . Together you’ll be able to conduct audits that ensure ongoing compliance .
4. Share your SaaS success.
It’s easy to measure the success of a SaaS solution . For instance, if your email security solution is stopping 98% of
the spam that would otherwise have to be handled by your network, then that’s a tremendous savings in terms of
bandwidth and server capacity . Or if your Web security service has blocked hundreds of attempts by employees to visit
“bad” sites, then you’ve essentially stopped malware from taking down the network and increased worker productivity .
Make sure to share these benefits with corporate executives so they understand the business value of your
SaaS decision .
5. enjoy your newfound freedom.
With SaaS, you no longer need a dedicated employee to chase down the latest virus signatures, test and deploy
patches, or update URL blacklists . All this is handled automatically as part of your service . You also don’t have to spend
time purchasing, provisioning and maintaining hardware, software or appliances in-house and at remote locations . This
means that you can redeploy staff to more strategic and mission-critical tasks .
The Webroot ROI Calculator allows you to estimate total cost savings based on
your specific email and Web security solutions.