Security-as-a-service

Security-as-a-Service (SaaS) refers to the practice of delivering traditional security applications as an Internet-based service, on-demand, to consumers and businesses.

Security-as-a-Service is analogous to the conventional Software-as-a-Service model, whereby security applications are Delivered as a service using the Internet as the delivery mechanism. In the consumer market, the most common of these are the “anti-“ suite, including anti-virus, anti-spam and anti-spyware.

In the enterprise market, Security-as-a-Service refers to the delivery of second-tier infrastructure components, such as log management and asset tracking, in a service-oriented fashion, also leveraging the Internet as the delivery and access mechanism.

History

The term ‘Security-as-a-Service’ was first used in the consumer market in the year 2001. McAfee filed a controversial patent for delivering security software as a service over the Web in August 2001.

In 2003, ScanSafe invented the managed web security solution for URL filtering and malware scanning of Web traffic. This managed web security service is known as the Secure Web Gateway (SWG). The SWG service works on the internet level by redirecting an organization’s web traffic through a datacenter for policy application and cleaning.

In the enterprise market, security services vendor Vigilar introduced the first enterprise security-as-a-service solution with the introduction of its ATLAS solution in June 2007.

Vendors in the SMB market who deliver “Security-as-a-Service solutions include McAfee, Watchfire, and Jamcracker. In the enterprise market, vendors who provide security-as-a-service solutions include ISS, Panda Software, Qualys, and Vigilar.

Why Security-as-a-Service

Certain aspects of security are uniquely designed to be optimized for delivery as a Web-based service. These include:

offerings that require constant updating to combat new threats, such as anti-virus and anti-spyware software for consumers
offerings that require a high level of expertise, often not found in-house, and which can be conducted remotely. These include ongoing maintenance, scanning, patch management and troubleshooting of security devices.
offerings that manage time and resource-intensive tasks, which may be cheaper to outsource and offshore, delivering results and findings via a Web-based solution. These include tasks such as log management, asset management and authentication management.

Key Characteristics

Security-as-a-Service applications are generally priced on a per-user basis on the consumer side, and a per-device basis on the enterprise side. Pricing may also depend on bandwidth and storage requirements. SaaS costs to the buyer and revenue streams to the vendor are therefore lower initially than traditional software license fees, but are also recurring, and therefore viewed as more predictable, much like maintenance fees for licensed software. In addition, because the functionality is delivered as a service, rather than a device or piece of software, fees fall under operating expenses, rather than capital expenditures, for most customers.