Earlier this week, eWeek reported that Webroot is moving further into the software-as-a-service (SaaS) sector. The report says that during the next couple of months, the firm will expand its SaaS efforts from e-mail to Web security in the small- and medium-size business (SMB) sector. Data heading toward clients via Web surfing requests will take a brief detour to Webroot, where it will be scanned for viruses, spyware, and phishing and will have its URLs filtered.
This is a good move. SaaS and security go together perfectly. In general, SaaS provides companies with expertise that they lack. This has particularly strong potential in the security sector, where new threats and new approaches to thwarting those threats proliferate at a dizzying rate. It's hard for security pros to keep up, much less firms with undermanned and overworked IT departments -- or no IT department at all.
Security is being delivered in a growing number of ways. This InfoWorld article says that the concept of SaaS security is being validated by heavy hitters such as McAfee, Symantec and Trend Micro. However, SaaS is not a good method to deliver all types of security. For instance, the nature of intrusion detection systems (IDS) always will require some on-site equipment. Other security measures, such as exploit prevention and compliance monitoring, will increasingly be done by outsiders.
Google is another big firm that sees the potential of security SaaS. IT Wales says the company has built on the technology it acquired with last year's acquisition of Postini. It now offers SaaS tools that root out spam and viruses, protect against data leaks and back up and archive e-mail.
Ironically, as vendors see SaaS as an increasingly important way to deliver security, there still is a lot of ambivalence in the IT community about the security of SaaS applications themselves. In other words, while vendors say that SaaS is a great way to deliver security, IT folks still wonder if non-security SaaS applications are secure. This strongly suggests a two-step approach from the SaaS community: Vendors must be sure that such platforms indeed are secure, and they must educate potential customers and overcome resistance.
This post at Diversity Blogs references a study from Fairfax Business Research on perceptions of SaaS security. The firm, which focuses on Pacific Rim nations, found that 79 percent of respondents cited security concerns as reasons not to use SaaS. Almost half think data can be hacked, 32 percent think the data for these applications is too valuable to ship off site and 35 percent fear Internet connectivity issues could interfere with operations in a SaaS environment. The writer provides several steps that can be taken to overcome security issues. The key, as one responder to the post points out, is as much the perception of insecurity as real vulnerabilities.
This post discusses some of the questions IT departments should ask when considering SaaS, and a good portion of the post deals with security. The writer addresses the issue through the prism of his company, Rocket Matter. He says that SaaS requests to the firm use 128-bit Secure Sockets Layer (SSL) encryption and that passwords are encrypted. The company employs threat modeling and other measures that are not directly identified. The writer concludes that no system is totally secure -- whether it is in the Internet cloud or a company's data center. He claims that vendors must be questioned closely to make sure they take security seriously and have designed it into their products.
There is no ceiling on the potential for SaaS security. While it isn't the answer for every type of security, it is a terrific model for many. However, vendors must work hard to avoid any mishaps that validate lingering perceptions that security measures in the cloud are inherently less secure than those that are resident within the organization's walls.