Security as a service: how are the patterns of risk and reward changing?

Security as a service can provide cost savings and accelerated
implementation cycles, just as software as a service (SaaS) does,
writes John Pescatore, vice-president and distinguished analyst at
Gartner. However, the "as a service" approach can fail if applied
under the wrong circumstances
using a poor implementation methodology. Security as a service
offerings must be built on highly reliable and highly secure
platforms, and must use open and/or standard interfaces and data
definitions. Service providers can offer the model to better
compete or to complement their service offerings, but security as a
service is not a good match for many security applications.

Security service offerings vary primarily by how much investment
(in capital expense and ongoing staffing) the business is required
to make versus the amount of customisation and control of the
service the organisation has. Gartner predicts security as a
service will see a compound annual growth rate of more than 30%
from 2007 through 2012.

Security as a service offerings already provide significant
revenue in distributed denial-of-service protection, message
security, remote vulnerability assessment, secure web gateway and
security intelligence services.

The model has features that will restrain or accelerate its
adoption. First, there is no permanent organisation-owned equipment
or software, so failure of a security as a service provider will
mean total disruption of service. Second, security as a service is
a one-to-many model: organisations that need high levels of
customisation will not find it attractive, and they can also lose
control over their security applications. Third, security as a
service requires high-availability and high-speed connectivity to
the provider. This can be a significant cost that may reduce
savings, unless the security as a service provider is also the
bandwidth provider. Finally, the model may result in "hidden
lock-in" where the security as a service offering does not provide
open interfaces to data that may be retained at the provider's
facility.

On the other hand, the model avoids capital expense or large,
single-fiscal-year software expense hits, although it must be priced
aggressively to show direct cost savings over other delivery
models. The security as a service trend will drive corporate
pressure to use security as a service, just as the outsourcing
trend has driven security outsourcing. The predictable revenue
stream from security as a service will drive financial analysts to
assign higher multiples to vendors with security as a service
revenue streams than to those that are pure hardware or software
vendors.