It's a conundrum that is faced by nearly every IT security department: The rising tide of cyber threats is driving a need for better security solutions; a struggling economy is driving a need to cut costs. How can an enterprise do both?
For many companies, the answer is to look at security software-as-a-service (SaaS) offerings. These growing offerings, which are offered by a variety of services and software vendors both large and small, promise to deliver improved security for at least some aspects of the business -- without the initial cash outlay required to implement new security equipment or software.
According to a recent study by Infonetics Research, 81 percent of respondents said improving the strength of the enterprise's security is the No. 1 reason for moving to the SaaS model. The other top reasons cited: cost, time to deploy, and centralized management. One key point: 82 percent of those surveyed plan to use SaaS offerings to augment, not replace, their existing security deployments.
Cost savings in SaaS, at least initially, are real, experts say. SaaS does eliminate the initial outlay in on-premise software and hardware security products. Because services are subscription-based, users typically pay a set price per user per month; rates depend on the number of users and the breadth of the security solution. Of course, the cost continues as long as you use the service, whereas capital expenses occur mostly at the outset.
SaaS offerings may also be more effective than their home-implemented counterparts. SaaS services are "always on," so customers do not have to wait for antivirus, anti-spam and anti-malware updates. While on-premise systems receive nearly the same continuous threat protection updates, there is an inherent delay between when a patch is pushed out and when the user is able to properly implement it. Trend Micro, for example, says third-party benchmark tests reveal its email security SaaS offering provides one to two points better spa blocking compared with its similar on-premises e-mail security equipment, primarily because of the continuous update model of SaaS.
On the negative side, SaaS offerings are sometimes unattractive because they may replace tools and systems that the enterprise already has in place. While providers attack this problem by offering hybrid services that work with the existing infrastructure, other users worry about the reliability and performance of third-party services, which could experience outages or latency that are beyond the enterprise's control.
If you decide to try an SaaS security service, even for just one or two specific tasks, then you'll need to choose a provider that matches your needs for functionality and cost. One of the biggest differentiators between providers is centralized management. Most security services support a Web-based management system. Moving to a hosted service will be even more compelling if customers can centrally manage their disparate security technologies under one management console.
Another noteworthy differentiator among security SaaS providers is the ability to provide service-level agreements (SLAs) that guarantee levels of performance and availability. Most anti-spam vendors guarantee to block 100 percent of known viruses. Many other SaaS providers guarantee 99.999% uptime.
For more information on evaluating SaaS offerings -- including descriptions of leading SaaS vendors and some important insights on pricing -- download the full Dark Reading report here.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.