Security-as-a-service

From Wikipedia, the free encyclopedia

Security-as-a-Service (SaaS) refers to the practice of delivering traditional security applications as an Internet-based service, on demand, to consumers and businesses. Security-as-a-Service is analogous to the conventional Software as a Service model, whereby security applications are delivered as a service using the Internet as the delivery mechanism. In the consumer market, the most common of these are the “anti-” suite, including anti-virus, anti-spam and anti-spyware.

In the enterprise market, Security-as-a-Service refers to the delivery of second-tier infrastructure components, such as log management and asset tracking, in a service-oriented fashion, also leveraging the Internet as the delivery and access mechanism.


History

The term ‘Security-as-a-Service’ was first used in the consumer market in the year 2001. McAfee filed a controversial patent for delivering security software as a service over the Web in August 2001.[1]

This managed web security service is known as the Secure Web Gateway (SWG). The SWG service operates at the Internet level by redirecting an organization’s web traffic through a datacenter for policy application and cleaning.[2][3]

Vendors in the SMB market who deliver Security-as-a-Service solutions include McAfee, Watchfire, and Jamcracker. In the enterprise market, vendors who provide Security-as-a-Service solutions include Internet Security Systems, MessageLabs, Panda Software, Qualys, ScanSafe and Vigilar.

Why Security-as-a-Service

Certain aspects of security are particularly well suited to delivery as a Web-based service. These include:

  • offerings that require constant updating to combat new threats, such as anti-virus and anti-spyware software for consumers
  • offerings that require a high level of expertise, often not found in-house, and which can be performed remotely. These include ongoing maintenance, scanning, patch management and troubleshooting of security devices.
  • offerings that manage time- and resource-intensive tasks, which may be cheaper to outsource and offshore, delivering results and findings via a Web-based solution. These include tasks such as log management, asset management and authentication management.

Key Characteristics

Security-as-a-Service applications are generally priced on a per-user basis on the consumer side, and a per-device basis on the enterprise side. Pricing may also depend on bandwidth and storage requirements. SaaS costs to the buyer and revenue streams to the vendor are therefore lower initially than traditional software license fees, but are also recurring, and therefore viewed as more predictable, much like maintenance fees for licensed software. In addition, because the functionality is delivered as a service, rather than a device or piece of software, fees fall under operating expenses, rather than capital expenditures, for most customers.

Security-as-a-Service vs. Managed Security Services

Unlike previous generations of Managed Security Services, Security-as-a-Service does not require the customer to give up complete control over their security posture. Instead, internal administrators can control their security policies, upgrade systems, etc. via a web-based interface. Internal administrators maintain control of their security policies and can change them without calling an outsourced provider, while at the same time gaining useful information regarding a device's status and history (uptime, current and past patch levels, outstanding support issues) and other device-centric information on demand via a web interface.

Best practice

Telling users what to do, when to do it and how to do it after purchasing a product is the code of conduct that ensures correct and secure use of the product. One of the most effective ways of conveying those messages is to rely on product release notes that are kept current with due diligence, in addition to providing a product manual. Good examples are given by software manufacturers, which often provide product updates and patches [4], [5]. To protect the vendor's rights and to take responsibility for after-sale service, the availability of sensitive and critical service information and downloads can be restricted to members and dealers who hold registration identification details, or to customers who have either the product serial number or the receipt number [6], [7], [8]. Some vendors are even more prudent and provide their services only to customers who have registered their products with a service ID and have created technical support accounts after purchasing [9], [10]. Although in the meantime it is quite difficult to find a vendor's system that is ISO/IEC 15408 certified by an ISO/IEC 27001 accredited organization, the scheme has been developed and needs time to be implemented with wide coverage.

References

  1. The Register: McAfee files patents for security as a service. http://www.theregister.co.uk/2001/08/07/mcafee_files_patents_for_security//
  2. Gartner, Inc. “Pros and Cons of SaaS Secure Web Gateway Solutions” by Peter Firstbrook, April 16, 2007.
  3. Gartner, Inc. “Magic Quadrant for Secure Web Gateway, 2007” by Peter Firstbrook, Lawrence Orans and Arabella Hallawell, June 4, 2007.
  4. IBM. Flash BIOS Update - IBM System x3455 (Type 7984, 7986). Retrieved on March 25, 2008.
  5. BMC Software. LOADPLUS® for DB2: Release Notes - Revised. Retrieved on March 25, 2008.
  6. John Wiley & Sons (2006). Access Article. Retrieved on March 26, 2008.
  7. Asustek Computer Inc. ASUS MEMBER AREA. Retrieved on March 26, 2008.
  8. UStec. Dealers. Retrieved on March 26, 2008.
  9. Intel Corporation. Software Products. Retrieved on March 26, 2008.
  10. Dell. Drivers & Downloads. Retrieved on March 26, 2008.
