For Windows shops without full-time security pros, it's tempting for managers to offload mundane security tasks such as spam filtering or remote vulnerability assessment to a third-party service provider.
Windows shops that lack staff security specialists can now choose from sophisticated security tools once only within the reach of early adopters, such as those that provide application security, security event management and data leak prevention, to cite a few examples.
Most mainstream organizations today don't have the budget or resources to install these complex security tools, so the most common tool used by IT tends to be spam filtering, said Arabella Hallawell, an analyst at Gartner Inc., a Stamford, Conn.-based consulting firm.
Tools like antivirus software cannot pick up specialized Web malware, so only the most sophisticated organizations tend to use those products.
Some of the most common vendors who sell security software as a service (SaaS) are Google Inc., MessageLabs Ltd., Microsoft and WebSense Inc., which protect messaging. Alert Logic Inc., McAfee Inc., Qualys Ltd. and Rapid7 LLC sell remote vulnerability assessment services. Secure Web gateway services are sold by MessageLabs, ScanSafe and WebSense. And security intelligence services are offered by providers such as Internet Security Systems and Symantec Corp., to cite two examples.
Gartner estimates that the total market for security software revenue will grow from just over $8 billion in 2006 to about $12 billion in 2010. The market for managed security services will grow from just over $3 billion in 2006 to nearly $6 billion in 2012. The total security-as-a-service, 2007 to 2012, compound annual growth rate is estimated at 30%.
Gartner defines SaaS as software that is owned, delivered and managed remotely by one or more providers.
Though the idea of using a service to avoid having to purchase and support a premises-based product is appealing, it's important to realize that services may not always cost less, and sometimes, they may even cost more, said Paul Simmonds, a chief information security officer at a large, multinational corporation.
"It's a lot easier to hide much of the true costs of various security services, so while SaaS may save money, perform a better service and be available 24x7, you often need an in-depth ROI case focusing on the actual costs of all the components in an existing in-house solution to bring this to the surface," said Simmonds, who is also a member of the board of management with the Jericho Forum, an IT security leadership group.
Indeed, if you buy enough cars, it's worthwhile to consider buying your own gas station, said Mike Stump, director of information technology at Roundtable Corp., the franchise of Dairy Queen, which has headquarters offices in Lubbock, Texas, and Dallas.
For a company with a distributed environment of small shops, software services may be a good deal because you don't have to manage individual desktops or a security server.
"We pay $3,200 per year for 42 locations with two computers at each location," Stump said. "It's quick and easy."
Like all services, security SaaS is not right for every type of company, and second, just because you are using a service provider does not mean the IT staff is absolved from all management responsibility, Hallawell said.
"Though the internal IT staff [members] may not have to manage the service, they have to view reports, check what has been blocked and so on," she said.
And while managed services do help some enterprises, IT shops will be giving up complete control of their data. Messaging services were first attractive to small companies and now large companies are embracing them too. But while it is attractive to remove spam traffic from the network, there may be rejection of SaaS from the part of the organization that has responsibility for the corporate compliance initiative.
"Some organizations with a lot of control and complexity won't [use managed services]," Hallawell said. "They want the power. The messaging director may get kudos for putting in a good spam filter, but [IT] won't otherwise give up control."