IT & DATA MANAGEMENT RESEARCH,
INDUSTRY ANALYSIS & CONSULTING
Executive Summary
The challenges of IT security management have expanded substantially for organizations worldwide.
Vulnerabilities and threats alike have exploded. Sophisticated exploits are becoming more difficult
to control. Complex and often overlapping compliance requirements make security risks impossible
to ignore. Budget pressures both internal and external make it difficult for security teams to find the
resources they need to address these challenges—but in light of all these factors, they can ill afford to
cut corners.
These issues raise a difficult question for today’s technology-centric business: How can it afford not
only to maintain the investment in security technology and expertise needed to answer these challenges,
but to expand capability to deal with increasingly serious threats—particularly when resources
are already stretched to the limit?
For many, security services have become an answer. Four times more organizations plan to expand
their use of Managed Security Services in the next 12 months than those who expect their use to
decrease. Fifty-seven percent of those who use hosted security technology delivered as
Software-as-a-Service (SaaS) expect their use of Security SaaS to grow in the coming year. Small- to medium-sized
businesses (SMBs) in particular expect a significant increase in their use of Security SaaS by five-to-one
over large enterprises.
These and other findings were the result of ENTERPRISE MANAGEMENT ASSOCIATES®
(EMA™) research into the trends and drivers behind the adoption of “Security as a Service,” conducted
in the first half of 2010. In an EMA survey of more than 200 organizations worldwide, large
enterprises and SMBs alike provided key insights into the drivers behind the adoption of security services.
Among key findings:
• Sixty-five percent of all respondents spend more than 10% of their IT budget on security. 32%
of respondents spend more than 20%, while 8% spend more than 30%. Organizations increasing
their spending on IT security over the previous year exceeded those reporting decreases by nearly
5-to-1.
• Regardless of increased security spending, resource constraints on security management remain
significant. Attacks against Web servers and data privacy concerns stand out as top security
concerns—yet 27% of enterprises and 44% of SMBs say they do not have the resources they need
to manage Web application security. In one of the world’s largest technology companies, a team
of only 13 is responsible for prioritizing vulnerability management across a global network of as
many as 56,000 subnets.
• Finding and retaining qualified personnel are the top security staffing challenges. This exacerbates
one of the most difficult issues faced by enterprises—security management at scale. Large
organizations need highly scalable automation to compensate for extreme disparities between the
sheer size of their security challenges, and the personnel available to meet them.
• Services options help nearly half of all organizations solve these challenges. Out of 223 total
respondents, 42% indicated that they were current users of Managed Security Services (MSS).
Forty-three percent indicated that they were current users of Security SaaS (hosted security
technologies offered by third-party service providers).
Security as a Service
©2010 Enterprise Management Associates, Inc. All Rights Reserved. | www.enterprisemanagement.com
Page 1
• Forty-six percent of MSS customers expected their use of MSS to grow in the 12 months following
the survey. Overall, MSS customers expecting growth in their use of Managed Security Services in
the next 12 months outnumbered those expecting a decline by more than 4-to-1. No respondents
expected any significant decrease.
• As noted previously, 57% of all current Security SaaS users expected their use of Security SaaS
to grow in the 12 months following the survey. SMBs expect a significant increase in their use
of Security SaaS by 5-to-1 over large enterprises (25% vs. 5%). Established domains such as
message security and filtration and vulnerability assessment (at the system level as well as for Web
applications) were among those where use was most frequently reported to be growing—but so
were antivirus and anti-malware as services, which may indicate that the market is ripe for a more
direct delivery of this technology as SaaS.
• Reduced cost is a primary value of the services option—but so is improved access to security
technology and expertise. Security SaaS gives organizations on-demand scalability for security
technology from the outset, while Managed Security Services can help organizations access hard-
to-find security expertise.
• When organizations reduce their use of, or do not adopt, Managed Security Services or Security SaaS
(a minority of respondents in both cases), failure to realize cost benefits is a common factor.
This was particularly true in the case of Security SaaS, where it would seem customers expect to
be the ultimate beneficiaries of the service provider’s economies of scale. Concerns about data
privacy also rank high, however—an issue that remains a recurring theme in the outsourcing of IT
generally, and one which the industry must take on more directly if trends such as cloud computing
are to maintain their strong momentum.
• Because services are delivered under an agreement, the measurement of performance—particularly
for Security SaaS—may define new ways in which to measure security. Already, the concept of
“five nines” well known to network performance managers now has its parallel in security services,
among SaaS providers that guarantee 99% spam capture, fewer than 0.0003% false positives for
anti-spam accuracy, or fewer than 0.0001% false positives for the accuracy of antivirus as a service,
just to cite a few examples.
• It would therefore seem that performance measures would be included as a standard aspect of
the Service Level Agreement (SLA) between the service provider and the customer. In fact, 25%
of the 150 respondents using either Managed Security Services or Security SaaS have not defined
specific performance requirements with their security service providers. A similar number (27%)
have not defined remedies for provider performance issues in their service contracts. This may
change as the market matures, and customers demand more performance standards in light of the
experience they gain with the services option.
Security as a Service is showing strong promise, not only as a means of closing existing tactical gaps
in security management, but as a new way to approach or extend security strategy. Already, 56% of
Managed Security Services users, and 59% of those using Security SaaS, see the services alternative as
more strategic than tactical, enabling them to extend security strategy in ways they previously could
not. As trends such as cloud computing continue to advance, today’s leaders in Security as a Service
may find themselves in the strongest position to stake out leadership in security “for” the cloud as
well as from it, helping to define what IT may become as enterprises extend the reach of technology
beyond the boundaries of today.
Introduction
Few today would argue that the management of IT security has become an expensive and complex
challenge for an organization of any size—and it is a challenge that has grown substantially in recent
years. Gone are the days when worms were noisy but relatively harmless in terms of the threat they
posed to the business. Today’s attacker is often well-focused, armed with a sophisticated array of tools
and techniques, and with a definite goal in mind: information assets having tangible value.
The continued escalation of security concerns has led to an equally significant increase in the demands
on organizations of every size. As the malicious grow in capability and the sheer numbers of vulnerabilities
and attacks increase, businesses are continually forced to step up their investment in defense.
But this investment comes at a cost. While some technologies that foster better security also help IT
better serve the business, such as configuration and change control,1 the need to invest in defense too
often hampers investment in more strategic priorities. Technologies purchased in the name of security
must be maintained and kept as current with the threat landscape as possible—but as with all technologies,
they face obsolescence sooner or later. That obsolescence seems to many to have accelerated
in recent years—and this too has driven increased investment in security for some. Even with that
investment, many wonder just how effective the maintenance of in-house defense can be in the face
of today’s more serious threats. As one security manager put it, “we have gotten into what is effectively
an arms race with the attacker, but there are limits to how far we can go to respond.”
For many, the answer to these concerns lies in the services option. Turning to a service provider
to maintain security expertise offers a number of attractive alternatives. Security services can mean
outsourcing competence in security that may be expensive or difficult to maintain, particularly when
outside an organization’s primary business focus. It can effectively mean offloading the maintenance of
security technology to a third-party with recognized credibility. It offers the promise of a higher level
of expertise than the customer may be able to cultivate or maintain on their own, when security is a
core business of the service provider.
Domains of Security Services
The security services landscape may be divided into four main domains:
• Professional security services may include a wide range of engagements, from consulting on
security strategy and practices, to penetration testing, incident investigation and response, or
product security evaluation.
• Security systems integration may be provided as a service in its own right, but is perhaps most
often offered to assure that a security technology purchase is deployed correctly, for maximum
effect. It may also be part of a larger engagement, as with a deployment of Identity and Access
Management (IAM) as part of a larger application integration effort, for example.
1 See the 2008 EMA research report, IT Governance, Risk Management and Compliance in the Real World,
http://www.enterprisemanagement.com/research/asset.php?id=737, for a study of the relations of multiple IT
management disciplines—including configuration and change control—to positive outcomes in both managing risk
and serving the business.
• Managed Security Services (MSS) offer the management of an organization’s security
technologies and/or practices by a third-party. The third-party is known as a Managed Security
Service Provider (MSSP). As opposed to professional services or systems integration, Managed
Security Services may be more ongoing. Managed firewall and managed Intrusion Detection
Systems (IDS) are examples of managed security services, where the service provider monitors
and maintains security capability on the customer’s behalf. The service provider may also deploy
security technologies for the customer, and may initiate, or fully manage, incident response or
other security management processes on an ongoing basis if part of the service contract.
• Security Software-as-a-Service (Security SaaS) is a model for delivering security technology
based on the Software-as-a-Service (SaaS) concept, in which technology is offered as an on-
demand hosted service by a service provider (as opposed to the customer permanently installing
and maintaining the technology on-premises). Vendors may have previously offered (or may
offer simultaneously) the same technology as an on-premises product offering, but this need not
necessarily be the case. Hosted message security and filtration (the successor to hosted anti-spam)
is a popular example of a technology traditionally made available as an on-premises product, but
which has enjoyed success in recent years as SaaS. Other examples include hosted “safe surfing”
services for Web browsing security, hosted vulnerability assessment tools, hosted endpoint security,
and identity and access management hosted as SaaS, for other SaaS or cloud computing services.
Services Categories vs. the Services “Continuum”
Despite these definitions, it should be noted that security services often represent more of a continuum
than domains that are always clearly distinct from each other. Security system integrators often provide
professional services as part of their offerings; both are highly project oriented. A professional services
engagement for penetration testing may be a part of a larger Managed Security Services contract.
Distinctions between Managed Security Services and Security SaaS may also be blurred, since both
may be seen as providing both technology and expertise. The primary difference with SaaS is that the
expertise is effectively “transparent”—meaning that users generally interact with the user interface of
a hosted application created and maintained by the service provider, as opposed to interacting with
the provider’s personnel directly (unless dealing with support or business representatives). Still, SaaS
technologies could be construed as something of an extension of managed services, since the service
provider manages the technology. Conversely, Managed Security Services may be confused with SaaS
when services are enabled or supported by technology that the service provider, not the customer,
owns and maintains “off-premises” (from the customer’s point of view).
The question of perception also arises when asking individuals to distinguish between “internal”
and “external” (or “third-party”) services and service providers. In a large, distributed enterprise, for
example, one group may provide security services to another. While the service provider and service
consumer in this case are both internal to the enterprise as a whole, one may appear to be external to
the other at the divisional, business unit, group or other organizational level.
This continuum of the services landscape should be borne in mind when interpreting a survey of
security services users, since perceptions of differences between types of services may vary among
individuals. Regardless, these overall categories are useful for calling out types of security services
available in the market today.
Security SaaS vs. Security “in” the Cloud
In a study that deals in part with Security SaaS, the question will likely arise: If SaaS is an aspect of
cloud computing, how is “Security SaaS” different from security “in the cloud?”
As with more than a few discussions of cloud computing, the distinctions between security “in”
or “of” the cloud and security delivered “from” it may be—well, a bit cloudy, particularly as SaaS
may be considered part of the cloud computing landscape. In this study, however, “Security SaaS”
means something different.
The U.S. National Institute of Standards and Technology (NIST) identifies SaaS as one of the
three service models of cloud computing (the other two being Platform-as-a-Service or PaaS, and
Infrastructure-as-a-Service or IaaS). The 2010 EMA Research Report, The Responsible Cloud, examines
these models in detail. In this sense, SaaS describes a general method for delivering essentially
any type of application software as a service.
Any SaaS offering may include security functionality, such as user account provisioning and access
control. “Security SaaS,” however, as used in the context of this report, means that security
is the primary function of a SaaS offering. Vulnerability assessment technology offered as a
hosted service is one such example. Though Security SaaS may be delivered “from the cloud,” and
may provide security functionality for cloud computing as well as for more traditional environments,
this should be distinguished from security “in” cloud computing.
Consider, for example, a Cloud IaaS or PaaS provider that offers virtualized security appliances
among its many customer options. Consider as well the user account provisioning and access
controls present in many SaaS offerings such as Customer Relationship Management (CRM) SaaS.
These are arguably better examples of “security in the cloud,” since security is either integral to the
service offering or a part of the provider’s broader portfolio. While these, too, may be considered
examples of “security as a service,” security in this case is an aspect of the IaaS, PaaS or SaaS offering,
but not necessarily its primary focus.
The distinction of Security SaaS is that security is its fundamental objective—but this does not
mean that Security SaaS has no relationship with security “in the cloud.” Indeed, Security SaaS
could become one of the primary means of providing security to cloud computing. As interconnected
cloud computing resources provide services to each other, today’s Security SaaS leaders
may well carve out a very strong position for providing security-specific services, should “clouds
of clouds”—meaning, interconnected networks of hosted or cloud computing services—play a
role in defining what IT may become. (For a recent survey and analysis of the emerging field of
cloud computing, including its security ramifications, consult the 2010 EMA Research Report,
The Responsible Cloud.)
The Focus of This Study: Managed Security Services and
Security SaaS
Of these four categories of security services, Managed Security Services and Security SaaS stand apart.
While professional services and security systems integration have long been, and will continue to be,
an ongoing part of the IT security industry, Managed Security Services and Security SaaS are different,
because they represent alternatives to the ongoing in-house maintenance of security technology and
expertise. They have also attracted a number of recent new adherents.
This is worth examining, because security has long been a sensitive issue when it comes to outsourcing.
Many organizations have been reluctant to turn security functions over to a third-party for a number of
reasons, such as giving up direct control over risk management or concerns regarding the handling of
sensitive information, just to name two. Have these factors become less of an issue as service providers
have become more established? Or has dedicated security expertise become more highly valued, as the
evolution of threats continues to accelerate along with the cost of maintaining security in-house?
2010 EMA “Security as a Service” Survey
To answer these and other questions regarding the drivers and values motivating the adoption of
security services, EMA conducted survey-based research in the first quarter of calendar 2010, with
additional in-depth interviews with working security practitioners conducted during the first and second
quarters of the year.
For the survey, 223 respondents were initially qualified out of a field of over 1,000 approached.
Qualification was based on knowledge of IT security operations and involvement in the IT security
buying decision among large enterprises as well as small- to medium-sized organizations worldwide.
Of this group, 150 indicated that they were current users of Managed Security Services, Security SaaS,
or both. This further qualification helped provide valuable insights for this study:
• It provided a basis for estimating the penetration of Managed Security Services and Security SaaS,
based on definitions of both provided to survey respondents.
• It provided a group of meaningful size for researching the drivers and values of those adopting
Managed Security Services and/or Security SaaS.
Understanding “Pushback” as Well as Motivators for Adoption
The more narrowly qualified group of 150 respondents was required to be current users of either
Managed Security Services, Security SaaS, or both. This “either or both” approach further yielded three
sets of respondents among the 150:
• Those using both Managed Security Services and Security SaaS
• Those using only Managed Security Services, but not Security SaaS
• Those using only Security SaaS, but not Managed Security Services