Cloud Computing - Evaluating Security-as-a-Service

By Matt Sarrel


Over the past few years, more and more businesses have turned to software as a service (SaaS) to bring down costs. One category of offerings, which we'll call "security as a service," deserves special consideration. More and more traditional software security vendors are developing and enhancing their service-based offerings. These offerings typically include protection against Web and email threats, monitoring of inbound and outbound network traffic, and assessment of an externally facing website for potential vulnerabilities.

While all vendors argue the appeal of reduced costs, only a few vendors argue that their solutions are better offered as a service. This is a market in transition. I've been testing security solutions for years so I've been lucky enough to have a good vantage point for this transition. Most of these solutions were software only. Then many added centralized management and some shipped on appliances.

The earliest security as a service offerings merely moved this centralized management console into the cloud. This was a good start, but it fell short of leveraging all of the advantages of the cloud. Offerings have gradually matured to utilize the strengths of the cloud. For example, Panda Security saves local processing power by analyzing malware in the cloud, not on the desktop. Many other vendors also make use of a cloud-based infrastructure to conduct deeper and faster malware analysis. They can bring more horsepower to bear than is available at a single client site, and they can integrate threat information from many clients to build an accurate understanding of the threat landscape.

Pros & cons

Although more and more security functionality is being built into these offerings, security as a service still has its pros and cons. Firstly, many solutions still require a software agent to be loaded onto each endpoint. This is almost a necessary evil, so look for solutions that automate deployment and updates of software agents.

Remote workers are a natural fit for security as a service: they aren't on your network, so why should they have to use your internal security services? They can reach the solution provider's data center just as well as (or better than) yours, so let them. Look for security as a service solutions that try to improve the security process, not those that merely claim lowered TCO and fast ROI.

It makes sense to have email and Web threat protection in the cloud, primarily because that traffic flows across the Internet and can be cleaned before it even enters a corporate network. For the same reason, it also makes sense to apply some basic traffic rules in the cloud, such as those that drop denial-of-service (DoS) attacks.

Carrying it a step further, however, it does not make much sense to deploy a firewall in the cloud. Such devices require immediate access to all network traffic, and relaying that traffic back and forth to a security as a service provider would make network services mind-numbingly slow for users. Likewise, solutions that are heavily tied to internal resources, such as authentication and access-control software, also work better on-site.

Always negotiate an SLA when contracting for security services. What happens if you are routing all Internet traffic through a security service provider and somehow service is compromised? It's unlikely that an SaaS provider will fail completely. What's more likely is that there might be a performance glitch, so an SLA is imperative if you are going to get your money's worth.

Here's the rundown on a few recently updated security as a service offerings:

McAfee Security SaaS - McAfee offers a number of services, such as endpoint, email, web, and network protection, in an outsourced model. McAfee SaaS Total Protection offers much more than a snappy name. This basically replaces McAfee's traditional suite of onsite security software to protect endpoints from email and web threats.

Panda Security Cloud Protection - This service protects endpoints against email and Web-based threats. This is the third major enhancement to Panda's platform, which means that it's mature. Early on, Panda realized that the way to go is to have an extremely lightweight client agent that merely communicates with a big-time cloud infrastructure that does all the heavy lifting. This minimizes the burden placed on user systems. Panda's collective intelligence network analyzes hundreds of millions of suspected malware files every day.

Symantec Hosted Services - Symantec offers Hosted Endpoint Protection (anti-malware, software firewall, HIPS for Windows desktops, laptops, and servers) as well as email, Web, and instant messaging security via MessageLabs. It gets interesting when a company subscribes to multiple services and can then begin to assess threats across multiple vectors in order to mount a unified defense.

Zscaler Cloud Services - Unlike the others mentioned above, Zscaler was built from the ground up as a cloud security service. The solution requires neither hardware nor software to be installed at a client site and provides integrated Web and email security. Keeping an eye on performance, the company has over 40 data centers around the world, and its offering is built around a multi-tenant architecture. The Web-based management GUI has a very Web 2.0 look and feel with flexible dashboards.

Matt Sarrel is executive director of Sarrel Group, a technology product test lab, editorial services and consulting practice specializing in competitive intelligence. He has over 20 years of experience in IT and focuses on high-speed large scale networking, network security, information security, and enterprise storage. He can be reached at matt@sarrelgroup.com, Twitter: @msarrel.