When it comes to security, software-as-a-service (SaaS) technology is hot. In a report published last month, Infonetics Research projected that despite a horrendous economy, the security SaaS market will grow at a rate of 46 percent annually for the next five years, making it by far the fastest-growing segment of the security services market.

Such explosive growth is a bit of a surprise, given the fact that SaaS security offerings have been around for more than a decade. Why has the market suddenly jumped onto the SaaS bandwagon? To help answer this question, Dark Reading recently interviewed the top executives at two of the oldest SaaS security providers: MessageLabs, which is now a part of Symantec and celebrated its tenth anniversary earlier this month, and ScanSafe, another 10-year-old SaaS provider, which was the first provider to launch a Web-oriented SaaS security offering.

Ten -- even five -- years ago, SaaS was a tough sell, says James Palmer, vice president of SaaS strategy at Symantec and a top executive of the MessageLabs unit. Many enterprises were reluctant to outsource any aspect of security to a third party, and there was serious doubt about whether an outsider could manage an "in-house" function as well as a dedicated IT staff.

"It was a little easier in the email space," Palmer says. "A lot of companies were already using a third party for email services, so it was less of a leap of faith to use a third party for email antivirus services. But it started very slowly."

Roy Tuvey, who co-founded ScanSafe 10 years ago with his brother Eldar, had similar memories. In fact, ScanSafe started out as an email and Internet marketing firm -- a hot business in 1999.

"We had entered into a joint venture with the leading Internet caf vendors around the world," Tuvey recalls. "When users would go into those cafs and use their Webmail accounts, all of that Webmail traffic would get routed by our data center in London, and we would introduce targeted marketing content. People would check their email and find a targeted ad, and that was our revenue stream. That helped us develop the genesis of the technology behind what we do today, which is scanning traffic for viruses and malware."

The early security service providers -- known then as application service providers (ASPs) -- were part of a wave of services that rolled out during the Internet boom, the executives recall. Many of those providers had weak business models and weaker balance sheets, and when the Internet bubble burst, so did they.

"A lot of ASPs went out of business, and that created skepticism in the market," Tuvey says. "There was a perception that a lot of service providers were not reliable or secure. And that made customers slow to adopt."

That situation began to change as the threat began to expand in the early 2000s, and enterprises became regularly bombarded by viruses with names like Code Red, Nimda, and ILoveYou. MessageLabs -- which now holds some 19 patents on anti-malware technology -- began developing services designed to stop or limit the impact of the viruses, which were a terror to clean up after infection.

"We marketed it not as a way to save money or staff, but as a more efficient way to solve the problem," Palmer says.

Later, when Web-borne viruses and other attacks came on the scene, ScanSafe began offering filtering and other security capabilities that went beyond Internet cafes and into larger network environments. Huge Internet service providers, such as AT&T, began offering ScanSafe's services, and users began to become more comfortable with the idea that they could get some of their security capabilities from an outside provider.

"The comfort level has changed because the need has changed," Tuvey says. "Every day, users spend more time on the Internet, and organizations depend on it more. They're dealing with distributed environments and geographies that don't lend themselves to hardware or appliances. Users are more mobile, and the threats are more complex. The confidence level [in SaaS] has shifted."

And how, Infonetics says. In fact, the research firm predicts that SaaS will be the single biggest factor in the rapid growth of the entire managed security services market, which is projected to grow 78 percent in the next five years. "Strong interest in SaaS and broad availability of SaaS offerings from a wide variety of players -- from network providers and security specialist service providers to large content providers and product manufacturers -- drive continued growth in the market," the Infonetics study says.

"We're a long way up the adoption curve now," Palmer says. "In the U.K., about 20 percent of the enterprises are already using some form of SaaS security services, and we see similar adoption in other parts of Europe and Asia. In the U.S., it's a little slower, at about 15 percent. But SaaS is very much the 'in' form factor now." Indeed, the demand for SaaS services appears to be driving both large security vendors and startups to launch new service offerings. In addition to Symantec, McAfee, RSA, and Trend Micro now all offer a wide range of SaaS services, including antivirus, antispam, encryption, archiving, backup, and Web security. Smaller service providers, such as Webroot and AppRiver, have also emerged to offer some or all of these capabilities, creating a dizzying array of offerings to choose from.

"At any given time, we're tracking about 50 players that are in our space in some way, and those are only the most serious contenders," Palmer says. "In addition to the larger players, there are many local competitors that do well in some geographies, particularly in the non-English-speaking countries."

The nature of SaaS service offerings is also changing, the executives say. Where once enterprises were willing to purchase services for a single problem -- say, email antivirus capabilities -- most enterprises today are looking for a provider that offers a variety of services with one throat to choke.

"[Enterprises] start out looking for some help with one problem, like email security, and then they add [instant messaging] security, archiving, and encryption fairly quickly," Palmer says. "They don't wait 12 months anymore before they're willing to outsource another security component. They trust SaaS enough now to move more quickly."

The economy has also caused enterprises to change their attitudes about SaaS, the executives say. Today's businesses are looking for ways to reduce capital expenditures, stretch security staff resources, and make costs more predictable -- all elements that work in SaaS's favor.

"Eighteen months ago, price would have been one of the lowest priorities for customers in evaluating SaaS offerings," Palmer says. "Now I'd say it's up at the top."

The threat also has changed, Tuvey says. "Twenty-three percent of the billion or so threats we blocked in 2008 were threats that were not picked up by traditional, signature-based, on-premises software tools," he says. "With so many zero-day threats out there, a cloud-based offerings is much more effective."

So with a skyrocketing market and a plethora of players, how can enterprises -- particularly small businesses, which generally don't have security skills on-staff -- choose the right provider? For many, the answer is to outsource that decision, too -- to a value-added reseller of SaaS services.

"I would say we do about 50 percent of our business through direct channels, and 50 percent indirect," Palmer says. "Interestingly, it's sort of the reverse of most other channel models -- the resellers come more into play in the large enterprise, where the need is for more commodity services, and we do more direct sales in small businesses, where there's a need to work more directly with the customer to deliver what they need."

ScanSafe's sells its services through many of the largest Internet service providers, including AT&T and Sprint. The company's market share in SaaS-based Web security services is "10 times our nearest competitor," Tuvey says, quoting from an IDC study. MessageLabs also claims huge market share, holding 60 percent of the email security market to Google/Postini's 20 percent and Microsoft's 10 percent, Palmer says.

But these discrete market segments may soon become obsolete, the executives concede, as each provider dips into the other's business. MessageLabs, which made its name in the email space, now does about 20 percent of its business in Web security, Palmer says. And ScanSafe, which cut its teeth on Web security, now offers a full range of email security services. Most of the companies that have built their businesses on premises-based security software now have SaaS offerings, as well.

But Tuvey says users should think twice before buying SaaS services from a vendor that comes from software roots. "Is there a successful company that can do both [SaaS and software]?" he wonders. "I think it will be difficult. SaaS and traditional software have very different customer support models. Software companies are concerned about cannibalizing their software sales. It's hard to do both. It will be interesting in the future to see how it evolves."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.