True Security-as-a-Service

Security-as-a-Service is one of the latest additions to the marketing material of almost all security vendors. It seems that today anything from access management, web filtering, and endpoint security to everything in between is offered as-a-service. What does that actually mean, though? The as-a-service delivery model was first popularized by software vendors that saw an opportunity to save themselves, and their customers, time and money by offering their products online. For example, instead of having to purchase hardware to host their customer relationship management (CRM) solution, customers could simply select one of the many CRM Software-as-a-Service (SaaS) providers and within a few days have their sales team working in the product from any web browser. Over time this model has been adopted by many different software providers, including those that provide security and compliance products. In fact, many analysts tie the future growth in IT spending to Software-as-a-Service solutions.

Security-as-a-Service is an offshoot of the Software-as-a-Service craze. Spend a few minutes on the Internet and you can find dozens of companies, many with well-known brands, that offer their security solutions “as-a-service”. But before you throw out your servers, shut down your SOC and cut your IT staff, make sure to read the fine print. In reality, many of the vendors that claim Security-as-a-Service are really only offering their software from the cloud. That’s it. You are still responsible for everything else, just as if you had installed the software on premises. If you are looking for True Security-as-a-Service, make sure to ask the following questions:

1.  What do you mean by Security-as-a-Service? You’ve heard the idiom “a rose by any other name still smells as sweet”. That is not the case when it comes to Security-as-a-Service. You need to make sure you and your prospective solution provider are talking about the same thing. You will be surprised at the number of different definitions you get.

2.  Who manages the solution, you or me? If you get a vague response to the first question, this one will separate the wheat from the chaff. If the vendor expects you to manage the solution from initial implementation to ongoing maintenance, they are not offering Security-as-a-Service. You will still need to have staff on hand to make sure the solution is operational and working as expected, again just as if you had implemented it onsite.

3.  Who provides the security content, you or me? This is another direct question that will give you a clear indication of what you might be signing up for if you choose this provider. Security content (signatures, whitelists, IP reputation, etc.) gives a security solution the ability to whittle down the thousands, or even millions, of events into the few critical items that need to be investigated. Creating, maintaining, and deploying this content is a full-time job. If your vendor doesn’t provide this service, guess what, they do not provide Security-as-a-Service.

4.  Who will monitor the solution, you or me? Ultimately, any security solution meant to protect your applications, networks, and computing infrastructure needs to be monitored. All day. Every day. When an issue arises, someone needs to investigate it and, if necessary, determine what needs to be done to remediate it. True Security-as-a-Service providers will take care of the 24×7 monitoring and provide remediation recommendations. Anyone who cannot offer this service is providing Software-as-a-Service, and nothing more.

The “as-a-service” delivery model has revolutionized the IT landscape, eliminating many of the costs associated with purchasing software solutions. When it comes to Security-as-a-Service, eliminating the hardware costs associated with the product is only part of the desired result. When deciding to partner with a Security-as-a-Service provider, what organizations really want is to offload the costs and effort associated with 24×7 monitoring of their environment. Make sure you choose your partner wisely.