SaaS Security as a Solution

By George L. Koroneos
As online threats evolve and get nastier, solution providers and their customers are replacing their local virus detection and elimination software with a service-based model. This approach stops spam and viruses before they ever reach a computer, ensuring a higher level of security and peace of mind.

SaaS moves the responsibility of monitoring and updating the systems to the service provider who can offer additional value-added services, such as predictive support—the ability to spot and defeat potential security risks before they happen.

“Today’s security challenges are really through the Internet and our e-mail systems,” explains Tim McDade, director of technology for the Morris School District in Morristown, N.J. “Those are quick and easy ways for spammers and people who want to do harm to quickly get to massive amounts of people.”

Companies must still be vigilant about security exposures from within an organization, which are traditionally thwarted using firewalls and company policy, but it makes sense to eliminate viruses and spam before it hits the hardware.  

“SaaS is a natural fit for security, more so than other areas of IT, because of the origin of the attacks are from numerous locations around the world, you really have to move into the cloud,” says Richard Collins, Symantec’s (www.symantec.com) vice president of hosted services for Americas. “We’ve seen e-mail become a mission critical application for organizations and needs to be protected as such. If you take [e-mail] down, organizations really struggle.”

Slow to Adopt
So why doesn’t everyone move to a SaaS-based security system? It turns out that SaaS adoption is varied around the world. For example, the U.K. has a considerable market share (in excess of 70 percent of enterprise customers), while other countries are still a step behind.

“Because of the smaller market and the maturity [of technologies] in the U.K., the adoption has been much faster than other regions,” Collins says. “The adoption rate in the U.S. is moving quickly, but only about 25 percent of organizations in the U.S. are now looking as SaaS as a delivery platform, which is up from around 16 percent just over a year ago.”

The big reason seems to be unwillingness for security vendors to move away from the traditional physical software offerings, Collins says. However, companies are now realizing that they can’t keep up with security trends; it’s getting too costly to keep security specialists on staff.

“Managing e-mail infrastructure is a high risk/low reward proposition, and it doesn’t give you any technological advantage as a business—everyone has e-mail,” says Rick Oppedisano, executive director at Azaleos Corporation (www.azaleos.com), a remote infrastructure manager and Symantec reseller. “Back in 2009, IT departments that used to be 15 people are now five people and those people are not being replaced. Those five people have a million things to do and e-mail has to be up 24/7.”

Also, corporations are so used to controlling their data and are worried about giving away hands-on management to a third-party. But Oppedisano ensures that this is not the case. “We do not see any content,” Oppedisano says. “All we see is anonymous server data from that customer’s Exchange server and we can predict its behavior and fix it using that anonymous data.”

Size is Irrelevant
It doesn’t matter whether a company is a small business or a massive corporation, e-mail threats don’t differentiate between the two—small organizations can suffer huge financial exposure from the same threats that large companies face, Collins says.

“For the Channel, those that move towards SaaS faster than not, will benefit,” Collins says. “In the reseller world, you might make five or 10 percent on a perpetual license, selling a SaaS because it’s a reoccurring revenue stream. Just because there is a change in the form factor to the product, doesn’t mean that there’s a change in value, because resellers offer a number of other services and products to customers. It’s a mindset change. Resellers feel like they are going to be cut out of the equation, but it’s actually more beneficial for them to pick up a percentage on a reoccurring revenue stream than a compressed margin on a perpetual license that they will need to compete for again in 12 month’s time.”

Azaleos uses an á la carte selling model where the cost of the hardware and management costs are amortized into one cost per user per month for the life of the contract. “If the customer just wants to have managed Microsoft Exchange and they want to handle their archiving that’s totally fine,” Oppedisano says.

Security at all Cost
“Your e-mail server is where 90 percent of your intellectual property resides,” Oppedisano says. “If someone can get into that and search for archived e-mails and search through your Outlook, you’re in trouble.”

School districts store a wealth of data that just can’t get into the wrong hands. The Morris School district installed AppRiver’s (www.appriver.com) SecureTide to provide off-site security for every e-mail account in the school district. The school district uses a Microsoft Exchange e-mail system, hosted on site, with 750 users. Prior to AppRiver, all spam filtering was done on-premise with a software solution that had to be installed and updated regularly.

“[Running an in-house e-mail security service] was a troublesome to-do,” McDade says. “I started spending a huge portion of my day just dealing with spam and e-mail issues, so I began to look for a new solution to do that for me.”

The hosted application allowed McDade and his team to filter e-mails prior to the data coming anywhere near the district’s systems. With AppRiver, only the legitimate mail makes its way through to the local computers. The service reduces bandwidth that would be taken up by spam e-mails and questionable e-mail can be viewed remotely to determine if it’s actually spam.

“If your company can fit into a multi-tenant hosted environment, you’ve got some pretty generic security requirements and SaaS is a no brainer,” Oppedisano says.

 “However, if you’ve got some compliance issues or fall under PCI, or maybe you have high end intellectual property that’s when you have to look at really specific security solutions like SaaS.”