View from the defence: seven reasons for security as a service

I’m just back from RSA Europe 2008, where I was hosting a panel on software as a service (SaaS) in general, security as a service in particular, and dealing with the security risks of both. I don’t know what the feedback will be like from the audience, but it was one of the most animated panels I have had the pleasure to host.

The big and very blatant caveat, was that all of the panellists had some vested interest in the topic, as they were all SaaS providers. We had:

Gerhard Eschelbeck, CTO of Webroot
Peter Bauer, CEO of Mimecast
Eldar Tuvey, CEO of ScanSafe
David Stanley, MD EMEA of Proofpoint

Indeed, this was no accident – as we put together the programme for RSA Europe, we took note of the number of people who wanted to talk on this topic and their rationale, and agreed: “Wouldn’t it be best to invite them as a panel?” And so, we did – to great effect as each looked to differentiate themselves from the others in the face of an oft-skeptical audience.

Against this background, one section interested me in particular. Having worked through the general benefits of SaaS, the back-and-forth of responses to questions such as, “Isn’t it just hosting in the Internet age?” and other such pleasantries, the panellists worked through what security as a service brought to the party. I summarise, paraphrase and otherwise pillage the responses to yield the following:

Specialism. Providers can do things that may well be beyond the ken of their customers – this can particularly be true in the realm of security, where there is a dearth of domain experts.
Technological breadth. Where customers may only install one or another package to protect against the outsider threat, providers can (and do) install tools from multiple providers.
Augmentation. This is the ’standing on the shoulders of giants’ argument, in that whatever a customer wants to do, a provider can build on top. Many packages take things so far, and providers can then take things further.
SLA’s. Providers are contractually bound to the SLA’s they define, whereas internal services may not be subject to the same level of stringency. (“You’ve now managed to upset all the service managers in the room as well,” I remarked.)
Geographic reach. Providers tend to have a wide, often global reach with their services, which can make it easier for customers to roll out services if they are geographically distributed, while maintaining more centralised control
Scale. Many services are hard to scale across large numbers of users, which can be difficult for customers, but which is today seen as ’table stakes’ for providers.
Removal of burden. Last but not least, use of an external provider for security services equates to less things a customer has to do, and therefore the more time it can spend concentrating on its own business.

So – are these valid criteria? Our own view from the ground tends to be coloured by projects such as IT on the Front Foot, where our research suggests that forward-thinking organisations are more likely to look to external sources of services, whether outsourced, SaaS or whatever. So – nothing against the model in principle, as long as it is seen as a new delivery mechanism for many vendors (which is perfectly valid), rather than as a whole new-and-improved way of doing things for customers (many of whom have been drawing services from external sources for many years. From this point of view, the above list can make sense – but with a final caveat: that it is well worth looking at SaaS in the cold light of what you are trying to achieve, rather than what vendors are trying to do.