When you ask IT professionals if they use cloud computing or software-as-a-service, most start by saying "no". But if you ask some follow-up questions, you will quickly find out about "that one application" that is a SaaS application.
In security, this effect is even more pronounced. Companies don't think they use security-as-a-service or "cloud" security. Yet many do, in the form of messaging security, i.e., email antispam and antivirus. This type of security outsourcing, where security is delivered as a service from the cloud and without on-premises hardware, is growing 12 percent year-on-year. It's becoming a great outsourcing option for companies that lack the skills for some security function, or do not want to retain and maintain them.
Of course, not all security functions are suitable candidates to move into a cloud environment. Messaging security is particularly suited to cloud delivery for two reasons. Firstly, email travels through external gateways anyway, so security professionals don't have to worry too much about putting their data "out there". Secondly, email transmission has variable latency measured in minutes, so adding an external gateway won't delay things noticeably.
In our research we've found that email antispam accounts for the vast majority of cloud-based security services. Of those companies using some form of security-as-a-service, 84 percent used email antispam services. Antivirus was the second most common, with a 42 percent share among security-as-a-service users. Other services include cloud-based firewalls, intrusion-prevention systems (IPS), protection against distributed denial of service (DDoS) and vulnerability scanning.
Many of the above-mentioned security services are well suited to cloud delivery. Controls like firewall, IPS and DDoS protection are best applied on the far side of an Internet or WAN connection as they result in a reduction of transmitted data. Filtering the unwanted traffic means less traffic to carry across expensive links and less pressure to upgrade congested links. Another advantage of cloud delivery is the external perspective of the service provider, as is the case with vulnerability scanning, where those buying the service want to know what vulnerabilities are visible from the outside (this is often a specific regulatory requirement).
So why are companies buying security-as-a-service or "cloud" security? As with most outsourcing, there are a number of business drivers that may be influencing the decision to purchase these services. Conventional wisdom would point to "cost" as the top reason and, as in many other situations, the conventional wisdom is wrong. In fact, the primary driver for adoption of security-as-a-service is that companies see these external services as more effective than in-house solutions. Antispam for email is a good example -- it's at the front lines of the security "war" and involves constantly changing attacks and countermeasures. What worked a few months ago and gave your company pristine mailboxes will almost certainly result in a tsunami of spam a few months later. So hiring, retaining and re-training people to fight this battle is expensive and less effective than hiring an external company to do it for you.
Cloud computing has already arrived for security. It's often overlooked because antispam-in-the-cloud may not be as glamorous as "cloud computing" implies, but it is a practical, effective and cost-effective solution.
Antonopoulos is a principal research analyst at Nemertes Research.