Security delivered from the Cloud through a Software-as-a-Service model can act as a supplement to on premise security software and form part of an effective hybrid model.
By Prashant L Rao
Delivering security through a Software-as-a-Service (SaaS) model has certain advantages, including ease of deployment, simpler management and the fact that signatures and the like are always up to date. Adoption of this concept is picking up gradually, particularly in scenarios where a company has branches at numerous locations and doesn’t want to deal with the complexity of deploying on premise security software at each and every location, preferring the simplicity of the Security SaaS model.
“From the Indian context, we have seen a spike in adoption. According to Zinnov, the Cloud market in India is worth about $50-60 mn. The adoption of Security-as-a-Service in India is about the same as in the rest of the world. Security, as part of the overall market, tends to be about 5%. From a growth perspective, it is growing five times faster than on premise as per Gartner and IDC,” said Smitha Murthy, Head of Product Management, McAfee India. The security vendor manages over five million endpoints around the world through its own data centers. It also has data centers hosted by its partners.
“Gartner expects the market to grow fast, especially managed security services that are expected to double,” said Baburaj Varma, Technical Head, Trend Micro, India & SAARC.
“Adoption of security services is growing in India. Cloud security is cannibalizing the on-premise market,” felt Rishikesh Kamat, Sr. Product Manager – Infrastructure Management & Managed Security Services, Netmagic Solutions.
“People don’t want the headache of dealing with security themselves so putting it on the Cloud helps do away with that. India is still conservative and mostly an on premise market. Going forward, slowly, it will shift to the Cloud. It’s not that popular in India at this point,” said Mohit Puri, Country Head, WatchGuard, India & SAARC.
What’s popular
The popular security services are endpoint protection, e-mail security and secure Web gateways. Not coincidentally, these are usually the most popular solutions from an on premise perspective as well.
“E-mail security (anti-spam, anti-virus, archival) is the most popular,” said Jyoti Prakash, Country Sales Manager, India & SAARC Region, Symantec.cloud.
According to Netmagic, secure Web gateway and e-mail anti-spam/anti-virus through the Cloud were the most popular security SaaS offerings. “It’s a $25 mn market that’s projected to grow 20% YoY for the next three years,” commented Kamat.
“Across the world, and in India, our most popular SaaS offering is the endpoint solution,” said Murthy from McAfee.
Netmagic offers end user protection (Secure Web gateway), e-mail, availability (DDoS), intrusion detection, security assessment (penetration testing) and IAM. “The first three-four are more popular. Almost every organization needs these services and most of them have deployed these on premise and know the value of the same. The later ones haven’t found adoption on premise in the Indian market,” added Kamat.
Who’s using it
Contrary to popular opinion that the public Cloud will be an SMB play, some vendors felt that large enterprises had been quicker off the bat than SMBs when it comes to consuming security services. “Large enterprise adoption of the public Cloud has been better than that of SMBs. They need a huge IT resource team to manage security software/appliances for multi-location deployments. They would need data centers and manpower to manage the same. Cloud-based security gives the flexibility to these companies to roll out IT security policies in a jiffy. With a central console they gain a holistic view across the enterprise,” said Symantec’s Prakash.
When it came to industry verticals, his feeling was that IT/ITES would move much faster as the business model was akin to their existing business models. “Manufacturing/automotive where the IT team is thin and it’s hard to build an in-house IT resource to deploy security across the organization would be the other vertical to watch,” he added. Others felt that it was relevant to both segments for different reasons. “Cloud security addresses different pain points for SMBs (low economies of scale) and enterprises (inefficient control over IT infrastructure, sprawl etc). The lack of skilled security people is a common problem,” said Kamat of Netmagic.
Still others argued that SMBs were indeed the target market for security services although enterprises would also adopt them in time. “The target market is SMBs. You will see enterprises start to adopt these services in the coming years through managed security service providers. India is still picking up when it comes to the Cloud,” said Trend Micro’s Varma. Talking of the value proposition for various categories of organizations, he said, “SMBs find the OPEX model to be an attractive one. From a service provider’s perspective, it can reach out to tier 2-3 cities as location becomes irrelevant with the Cloud. The need exists in enterprises but they have global policies and licenses of on-premise software that have already been purchased. Despite that, there is interest even in the enterprise segment.”
Then there’s the hybrid model which combines the benefits of on premise software with Cloud-based security delivery. “As enterprises grow, the number of remote workers that they have also grows. They have security policies for people working on campus but the policies aren’t necessarily applied to road warriors. We offer a hybrid solution for the large enterprise. For people who come in to work, they can use an ePolicy Orchestrator (ePO)-based solution. For people who connect remotely, with SaaS, so long as those machines are connected to the Net, the policies and protection get updated right away. We created a plugin between ePO and our SaaS management console where all of this information can be consolidated into one view,” said McAfee’s Murthy.
Real-time protection
The most obvious benefit of security delivered via the SaaS model is the real-time nature of the security setup. There’s no more waiting for signatures to be updated across the extended organization.
“It’s all about faster protection as the updation occurs in real time. No provider can update the signatures fast enough to deliver it to each and every endpoint worldwide in real time. By keeping the signatures in the Cloud, the endpoint solutions refer to that. The threats are blocked at the source before they reach the customer. In the case of spam, you are saving a lot of bandwidth. The customer doesn’t need to worry about CPU requirements for filtering out spam and malware,” commented Varma, Trend Micro.
WatchGuard’s Puri said that the RoI was going to be better as the TCO of Cloud security was lower.
“Today you have third party data centers and SaaS. At the same time, road warriors, customers and partners all have access to an enterprise’s apps. The organizational perimeter is virtual and omnipresent. With on premise solutions, it becomes difficult to figure out where to put the controls. The Cloud, however, is omnipresent and can protect the virtual organizational perimeter. There’s in-built redundancy in the Cloud resulting in high uptime. A Cloud-based secure Web gateway protects all Web access from or to the customer organization,” said Netmagic’s Kamat, outlining some of the benefits of a Cloud-based security solution.
Then there’s the fact that CIOs can pretty much sign off on the dotted line and stop worrying about achieving their security goals as the burden rests with the Cloud service provider. “In a three year timeframe, the Cloud justifies the investment in terms of TCO and RoI. With an on premise investment, the ownership and onus lies with the customer. In the Cloud, the delivery onus is on the vendor. In terms of upgrading the security posture, the Cloud has an advantage,” said Prakash, Symantec.
Psychological concerns remain
What’s holding back adoption is pretty much the same as what’s stopping CIOs from adopting public Cloud solutions in general. There are doubts and concerns about handing over the keys, and worries about how secure the Cloud is only get worse when the Cloud service in question pertains to security.
“It’s basically a matter of perception. Companies offering managed security services have strong SLAs,” said Puri of WatchGuard.
“People have psychological concerns. Typical concerns are on the lines of ‘Everything’s in the Cloud, I can’t see anything’ or ‘how will you protect my data?’. BFSI customers ask ‘how can I ensure that you won’t use information about our Web usage and sell it to marketing agencies?’. For more complex solutions like log analysis and correlation, standardizing and productizing these will become more difficult. Customer expectation mismatch might come up as an issue,” commented Netmagic’s Kamat.
A hybrid model
While the vendors were confident that the adoption of Cloud security services would pick up over time, they also felt that there was no question of wholly doing away with on premise solutions. The consensus was that a hybrid model was the way ahead.
“Five to eight years down the line there will be higher penetration of SaaS in the large enterprise by virtue of cost and lack of IT staff,” predicted McAfee’s Murthy.
“While there will be a significant shift towards Cloud-based security there are certain aspects of security that can never be delivered from the Cloud,” said Kamat of Netmagic. First you need to identify the data. If it’s in transit you can protect it in the Cloud. If it’s at rest on a laptop or in the company data center, you will always need an on premise solution.
“Certain probes into the local organization signal into the Cloud that takes the necessary action for any incident. The probe could be from an agent or host-based IDS, appliance,” he added.
“There will still be a lot of systems on premise. Advanced Persistent Threats (APT) are targeted at specific organizations. You have to have security measures on premise that look at threats that are inside out. The future is hybrid—a mix of on premise and Cloud,” concluded Trend Micro’s Varma.