Why Security SaaS Makes Sense Today



  1. Computerworld eBriefings: Security
     Why Security SaaS Makes Sense Today
     Sponsored by

     Table of Contents
     Seven Reasons to Adopt SaaS Security (page 2)
     The Savvy SaaS Selector (page 5)
     On-Point Security with SaaS (page 6)

     Insights from Computerworld Strategic Partner Content
  2. Threat Landscape

     Seven Reasons to Adopt SaaS Security

     Service subscription takes the headache out of email and Web threat management.

     By Sandra Gittlen

     Corporate IT teams are waging a significant security battle on two fronts these days: stopping attacks via the Web and through email. They are tirelessly trying to protect their networks against known and unknown viruses, spyware and phishing attacks. However, the more complex these threats become, the more infrastructure companies have to bring in-house, sending capital expenditures through the roof.

     It’s a battle that Aaron Zuccolin, manager of information systems at the Canadian law firm Watson Goepel Maledy LLP, knows all too well. He estimates that 80% to 90% of his Vancouver, B.C.-based firm’s email is spam—a risky proposition when he is beholden to data protection laws in Canada, the United States and Europe.

     “Trying to manage that volume day-to-day in-house would be ridiculous,” he says. “Enterprise security is highly variable in terms of the threats you have to deal with, the solutions that are out there to deal with them, and the complexity you want to endure as you scale. That makes it a fool’s game to manage it in-house because you can spend thousands of dollars on hardware, software and personnel and still not lower your risk,” Zuccolin says.

     Instead, like many of his peers today, Zuccolin has opted for a software-as-a-service (SaaS) strategy, a software application delivery model where applications are hosted on the Internet and companies pay for usage rather than infrastructure and licensing. By offloading his email security to a provider, Zuccolin says he can focus his team on developing policies and procedures that mitigate the overall data privacy risk.

     Chenxi Wang, principal analyst at Forrester Research Inc., says that SaaS offerings will become more prevalent over the next few years as services continue to mature and organizations see SaaS as viable for more than just standard business applications. “Companies are getting more comfortable with SaaS in general—it’s becoming more of a norm. They’re realizing the benefit of outsourcing commoditized solutions, like security, to specialists so they can stay focused on their core business,” she says.

     In fact, companies are seeing drawbacks to owning and managing their own security infrastructure. For instance, on-premise security software and appliances can create a single point of failure. They can also be hard to scale as threats increase, slow to respond to new threats, and a drain on internal IT resources.

     Security SaaS solves these problems. Here are the top seven reasons why security SaaS makes sense:

     eBriefing • Why Security SaaS Makes Sense Today
  3. 1. Provides improved manageability

     In most organizations today, security revolves around building and managing either hardware and software or appliances. IT teams must spend a majority of their time focusing on licensing, updates, performance and availability for a host of security systems strewn about the enterprise. They also struggle with implementation and setup costs, as well as compatibility issues. This leaves little time for managing what’s most important—the business processes that mitigate risk.

     With SaaS, companies can eliminate the burden of managing infrastructure and focus on developing and enforcing streamlined policies. They can also direct responses to overall threats via a single console, rather than having to tweak configurations at distributed locations. Zuccolin says this holistic view has made it easier and more effective for him to combat spam, spyware, virus and phishing threats.

     “We’re more strategic now. We’ve gotten rid of the mundane work so we can focus on our overall security policies such as lowering our risk and disaster recovery,” Zuccolin says. In fact, he says rather than worrying about time-consuming tasks such as deploying and testing patches, he can focus more on business analytics and problem solving.

     2. Features guaranteed SLAs

     One of the biggest benefits to SaaS is knowing that the provider has promised to uphold a service-level agreement (SLA). SLAs traditionally guarantee a higher level of performance, availability, uptime and security than IT teams would be able to deliver in-house. And there are penalties to collect on if the provider fails to meet this agreement. Most SLAs offer a way for companies to access reports that feature details on threat mitigation, throughput and response-time performance, as well as other key metrics.

     SLAs also offer a clear understanding of the different levels of support customers will receive based on the threat priority level. “With SLAs, you put escalation procedures in place so you know what to expect when an abnormal situation happens. You also know that things will be taken care of, and when they’re not, who to call,” Wang says.

     Zuccolin calls SLAs the best way to get comfortable with the idea of SaaS because any concerns IT teams might have can be addressed in writing. “We focused on responsiveness in our SLA because if it takes us a day to have a threat addressed, we lose a lot of lawyer productivity,” he says.

     SLAs are also a good opportunity to bring to light potential hidden costs. Wang says it’s important to negotiate fees for scaling and other common SaaS occurrences within the SLA to avoid potential budget busters down the road.

     3. Affords flexibility and scalability

     Trying to keep up with the demands of protecting email and Web security can be impossible—literally. Consider that in most cases, IT teams must physically build out their networks to handle corporate growth. And as the network expands, so does the need for IT staff to manage it.

     SaaS enables IT teams to easily and transparently scale security to match business needs. For instance, they can quickly add a group of users that resulted from a corporate merger or beef up scanning to protect the organization from unwanted Web content. They can also make sure that mobile users have the same security on- and off-network—a difficult challenge with on-premise solutions.

     Zuccolin says he relies on the flexibility of his security SaaS to allow him to adjust group and user policies on the fly to match new legislative mandates.

     4. Provides high-quality security by security experts

     It would take a larger IT team than the majority of companies have to address the security challenges most organizations face, according to Wang. As an example, she points to the fact that

     “[Enterprise security] is a fool’s game to manage in-house because you can spend thousands of dollars on hardware, software and personnel and still not lower your risk.” (Aaron Zuccolin, Manager of Information Systems, Watson Goepel Maledy LLP)
  4. 711,912 new malware threats were reported in 2007, which translates into 1,950 new malware attacks each day. She adds that the Web is becoming increasingly more dangerous, with growing numbers of search queries resulting in at least one malicious URL.

     To adequately combat most of these threats, IT teams need immediate and detailed knowledge of emerging attack vectors. One or two staff members devoted to security can’t possibly detect and mitigate these risks quickly enough to ward off serious damage.

     Wang says that less than half of all respondents to a 2007 Forrester survey reported using any kind of real-time protection such as behavior-based detection, outbound content protection, heuristics detection, content inspection, reputation filters or URL filtering.

     With SaaS, companies don’t have to be security experts. Instead, they can depend on the expertise of a provider that is constantly monitoring and combating new threats to the network. Using signature, behavior and heuristic analysis in tandem with access and policy controls, a SaaS provider can quickly thwart spam, virus, spyware and phishing attacks within email as well as detect inappropriate content and malware on Web sites that users visit.

     And since this protection is in the cloud, providers can eliminate the threat before it impacts the network. For instance, companies avoid the slow system performance, reduced employee productivity and other business disruptions that spam causes. Cloud-based protection also gives providers a holistic view of potential threats so they know how to protect customers from attacks that have affected other organizations.

     Zuccolin says security SaaS gives him immediate access to updates without having the typical delay required to download and test a patch. He considers it the fastest response to zero-day threats.

     5. Reduces bandwidth requirements and improves network performance

     SaaS is not only a cost-saver, but also a resource-saver, according to Wang. She says that offloading email and Web security takes a lot of pressure off the enterprise to handle traffic generated by spam.

     For instance, if a company builds its network to support 15 million inbound email messages per day and 14 million are purely junk, that’s a lot of money wasted trying to deal with the volume on-premise. “After you move to an in-the-cloud offering, you only need to support a million messages per day on your own network so bandwidth consumption is drastically reduced,” she says. By ridding the network of that extra burden, companies could also see a boost in performance.

     6. Plays a critical role in defense-in-depth security

     Security experts recommend that companies have a multilayered approach to security, but buying and managing the infrastructure required to do that can be cost-prohibitive.

     Security SaaS enables IT teams to have a layered approach without the headaches. For instance, Wang says Web security SaaS can handle fast processing of connection-level filtering and an on-premise solution to perform the more in-depth content analysis. That first layer lightens the load the on-premise solution has to inspect, enhancing the network’s speed and overall security.

     Zuccolin says he uses his email security SaaS as an additional layer to ensure outbound email is free of unwanted content and intellectual property so his company is seen as a good corporate citizen.

     7. Enhances cost savings surrounding security

     One of the biggest issues for many organizations is determining if security SaaS adds to the bottom line. As mentioned previously in this report, by eliminating the need for infrastructure and the personnel to manage that infrastructure, SaaS offers immediate savings.

     In a 2007 study, market research firm Gartner Inc. found that SaaS secure Web gateway solutions cost as much as $40 less per user than

     “[Companies] are realizing the benefit of outsourcing commoditized solutions, like security, to specialists so they can stay focused on their core business.” (Chenxi Wang, Principal Analyst, Forrester Research Inc.)
  5. appliances. Companies realize these savings by having a subscription model with predictable costs.

     Companies can also see cost benefits from needing less storage and bandwidth since a lot of spam and other false content is handled off-network. SaaS lowers help desk costs as well because IT teams spend less time fixing damage caused by spam, viruses, malware and other attacks.

     By using a comprehensive security SaaS solution, organizations can avoid the incurred costs of a data breach. A survey by the Ponemon Institute LLC found that 74% of respondents reported a loss of customers, 59% faced potential litigation, 33% faced potential fines, and 32% experienced a decline in share value.

     As these seven reasons prove, SaaS is definitely the best option for tackling even the toughest Web and email security challenges. Not only do IT teams get to hand off routine security infrastructure tasks, but they also get instant and scalable access to top-notch security protection across the entire organization.

     The Savvy SaaS Selector

     Five simple steps to finding a SaaS partner that meets your business needs.

     Handing over the management of Web and email security is a big step for most organizations. To ease that anxiety and ensure the success of your SaaS adoption, you need a solution that matches your business requirements. Here are some tips for finding the perfect SaaS partner.

     1. Dig deep into the provider’s service-level agreement. You’re agreeing to move your operational burden to the SaaS provider, so you will need an inside view into their operations. Also, get a commitment to guarantee the availability and uptime of your security service as well as its effectiveness, accuracy and security. The provider should offer you a way to track, record and audit these performance benchmarks.

     2. Consider the data center footprint. If you’re a distributed or global company, look at the map of your provider’s data center sites. Make sure that you can not only connect to the closest data center, but that you also have failover capabilities to alternate sites in case of an outage. Test-drive these connections during the evaluation phase.

     3. Plot out your integration needs. With Web and email security, it’s critical to detail what part of the existing infrastructure will need to be integrated with the SaaS solution. For instance, you should determine whether the provider will have to handle LDAP directories, Microsoft Exchange and other security infrastructure. The goal is to have a tightly integrated network that includes SaaS, not a set of siloed applications.

     4. Ask about the size of existing customers. It’s too easy to get into a situation where your provider only has experience with small businesses, so make sure you ask about customers that have a similar scale as your organization. In addition, inquire about their deployment scenarios for larger customers for future expansion. If you are in an industry with strict security and privacy restrictions, such as medical or financial, gather references for customers in similar situations.

     5. Don’t overlook customer support. If something happens to your Web and email security during crunch time at your organization, you’re going to want your provider at the ready. It is standard for SaaS providers nowadays to say they have 24/7 support, but it’s up to you to make sure that’s true. Evaluate whether their response times are the same or better than what you’d be able to do in-house. Also, look carefully at the different tiers of service the provider offers based on the severity of your issues. Your provider, no matter what your SLA, should be closely monitoring the network in order to detect problems before you or your users do.

     It’s important for IT teams to compare service providers based on these five criteria. If they pass in all these areas, you can rest assured that your Web and email security are in good hands.

     —Sandra Gittlen
  6. Q&A: On-Point Security with SaaS

     Keeping up with Web and email security threats can be a daunting challenge for today’s busy IT executives. Writer Sandra Gittlen spoke with Michael Irwin, chief operating officer at Webroot Software, to discuss how SaaS can help organizations offload the security burden without risking data protection.

     Q: What is the state of security surrounding email and Web applications today?

     Irwin: It’s not good. There is a massive explosion of new malware variants. The browser is the main gateway for malware. In fact, the Web is making up about 80% of new infections because users are increasingly landing on infected sites. There has also been a sharp increase in spam and a proliferation of malware in email. Existing Web and email security technologies cannot handle this increase in outbreaks—especially when you consider that new malware is constantly being generated on the fly.

     At the same time, demands on IT groups are increasing but your budgets are not. So you have to deliver a higher level of protection with lower costs.

     Q: How are IT organizations accomplishing this goal?

     Irwin: What you’re seeing is an evolution. First, IT teams used a combination of software and hardware. But this required going out and buying a bunch of infrastructure, configuring it and making tweaks that were specific to the organization. Then those configurations had to be locked down so that they weren’t open to manual error.

     Next were appliances, which were a significant improvement over the software/hardware option, because they weren’t as error-prone. However, they still needed ongoing management and updating. Also, it can be hard to plan where to put your appliances depending on your network topography. While they should be close to your users, you don’t want them in a spot where IT can’t reach them.

     In both of these cases, you also have to spend a lot of time trying to predict and budget for future spends. What if you get a denial-of-service attack? Do you have enough hardware and software or appliances to handle that event or do you have to plan for a tenfold increase in traffic?

     Q: How does software as a service solve these problems?

     Irwin: SaaS is the next logical iteration to help secure the perimeter. It takes out the ongoing management piece and puts it in the provider’s hands. The subscription model eliminates capital expenditures on infrastructure and appliances. There is no doubt that spam will continue to increase and that denial-of-service attacks will happen. SaaS ensures you don’t feel the strains of those inevitabilities.
  7. With SaaS, you get higher levels of protection as threats expand and morph. Software and appliances tend to become more specialized and complex as attacks evolve. Because of the time it takes to discover vulnerabilities, create a signature, test patches and deploy them, you’ve always got a gap in security. SaaS puts the onus for all this on the provider, who employs heuristics and behavioral analysis in the cloud to detect a majority of new variants before they even affect your network. You’re essentially moving the protection much closer to the source of potential problems and gaining a holistic view of malware threats. Therefore, you can make mitigation decisions quickly and intelligently.

     You also gain the wisdom of crowds. If your provider detects and fixes a threat to another customer, your service will be updated immediately as well.

     Finally, SaaS affords a much better management model because you can oversee multilocation implementations and enforce granular policies from a single console.

     Q: What about the belief that most IT organizations want security to be managed in-house?

     Irwin: That view has changed pretty significantly since email security SaaS first started in 1999. IT teams realize this is a viable model because the alternative economics are so disruptive. You have a list of things to get done with a very small staff and budget, so you need these types of solutions.

     Q: In what type of or size of organization does SaaS security thrive?

     Irwin: This delivery is applicable to the entire marketplace. Everyone from Fortune 50 companies down to individual users is struggling with the same problem—stopping spam and protecting Web applications. SaaS fills that need.

     Sandra Gittlen is a Massachusetts-based technology writer and former senior editor at Network World.