By Matt Hines
August 22, 2007
Security technologies delivered via the SaaS (software-as-a-service)
business model may still be in their nascent stage, but some early
adopters are already piecing together multiple offerings to outsource a
significant portion of their IT systems defense infrastructure.
One such company is Imperial Chemical Industries, the massive
London-based maker of paints and chemicals that is in the process of
being acquired by industrial conglomerate Akzo Nobel to the tune of $16
With worldwide business operations and an annual research and
development budget approaching $60 million, the chemicals giant is
spending more effort than ever before in securing its assets and data,
company officials said.
However, by using a handful of SaaS applications -- including
vulnerability scanning tools offered by Qualys, e-mail and anti-spam
filtering from MessageLabs, and Web filtering provided by ScanSafe -- IT
executives at ICI say they are getting more out of their personnel and
budget than traditional on-premise security products would allow.
"We're pushing the envelope in terms of what's out there with security
SaaS, but so far, it's been a fantastic success; SaaS can only be
employed where IT truly benefits from doing something once centrally,
but there are a number of sweet spots where that approach fits today,"
said Paul Simmonds, global information security director at ICI. "Over
time we'll likely see a mix with SaaS being used more heavily where it
can offer benefits of cost and management, just as with general
Having used Qualys' vulnerability scanning services for over five years,
ICI is at the cusp of large enterprises that have begun replacing some
in-house security tools with subscription-based services.
The company is currently considering the hosted application binary
code scanning tools offered by Veracode, a relatively new start-up,
with the idea that it can begin integrating multiple SaaS technologies
to offload larger portions of its security infrastructure to outside
specialists, Simmonds said.
With five years of security SaaS experience under its belt, ICI is
beginning to see the long-term promise of the services offerings,
according to the executive. But the company is also cognizant that
despite the benefits of moving to SaaS services, some elements of its
network and data security must always remain on-site.
"The combination of outsourced vulnerability and binary code analysis
through combining Qualys and Veracode is the type of thing that could be
very significant as it's the kind of work that can truly benefit from
being done once, centrally, in terms of running samples through tests.
There's a huge opportunity there, and this type of scanning is very
complex to do on your own," Simmonds said.
"At the same time, like everything else, you need to be selective in
what you move into the cloud," he said. "Some things are a natural fit,
but others will never work for this model; there's always a danger that
when something like SaaS becomes an industry trend, like security
appliances today, that the market tends to go overboard."
Emerging security tools like NAC systems and endpoint-oriented products,
including data leakage prevention software, are among the types of
technologies the ICI security chief said wouldn't ever likely be
provided via SaaS.
In the meantime Simmonds said that the chemicals behemoth will continue
to seek out new SaaS security alternatives as they come to market.
Philippe Courtot, chief executive of Qualys, is recognized as one of the
chief evangelists of security SaaS in general, just as Salesforce.com
CEO Marc Benioff has become associated with pushing the hosted
applications model into the enterprise software space.
Security SaaS becomes a new business model
However, with 37 Fortune 100 companies among its enterprise customers
and a groundswell of interest from smaller firms driving what he labeled
as rapid growth at the privately-held firm, Courtot claims that security
SaaS is moving quickly from an emerging phenomenon into a
widely-accepted business model.
"When we needed venture funding in 2001, no one wanted to back SaaS for
the enterprise in general, but the time when we needed to evangelize
security SaaS for customers of any size is pretty much over, it's
becoming commonplace," Courtot said. "People don't have technical or
financial resources to deploy traditional on-premise solutions. They're
being told to reduce cost and do a better job of securing their
operations, all of which works in our favor."
As an example of the economies of scale offered by security SaaS
technologies, Courtot said his company recently completed a roll-out of
its services to a global auto manufacturer covering vulnerability
testing for 180 different applications operated in 65 different
countries -- in less than three months. Addressing the same
application-scanning project with on-premise tools would have taken years, he said.
Qualys counts Nissan Motors and DaimlerChrysler among its automotive
"What is driving security SaaS are a few simple reasons: At the low end
of the market, companies don't need IT people to do the work, and at the
high-end, CIOs are being pressured to reduce costs and have fewer
security incidents," Courtot said.
"In the past, you had security people doing the perimeter work, and you
can still build that infrastructure," he said. "But as soon as you move
to protect a company from the inside, to provide defense in depth as is
needed, the degree of difficulty is beyond even the most sophisticated
Other security SaaS advocates point to pricing and delivery advantages
of the model as drivers of continued adoption of the tools.
Veracode CEO Matt Moynahan said that one of the biggest selling points
of his company's binary code analysis service is the fact that customers
only pay for the tests that they run using its hosted testing engine and
that they don't pay for the upgrades to the service that his company is
constantly working on.
"We're trying to blur the line between broken pricing models, a lot of
our rivals price by the number of lines of code they're scanning or
charge per CPU, but we allow companies to simply give us a URL where
their binary code is and we only test that, and it doesn't matter what
type of scan or test is involved, it's all part of the subscription," he
Although Veracode only launched in January 2007, it has signed on several
major customers, including one of the world's largest networking
companies and a large Canadian ISP, said Moynahan. He estimates that the
SaaS model allows the firm to undercut its competitors' prices by
anywhere from 20 to 40 percent.
Longtime security software market leader Symantec has announced that it
has already begun the work to create a SaaS iteration of nearly every
one of its products. Company officials said that as the security giant
goes through the transition it is gathering feedback from existing
customers and trying to gauge the best opportunities for SaaS over the
next several years.
"Any technology evolution like this has its early adopters, and then
once there are enough proof points, people start to adopt them more
broadly, but we're already seeing increased interest from customers of
all sizes," said Chris Schin, director of product management for
Symantec's hosted Symantec Protection Network.
"I don't think that the time is here for certain enterprises, and some
may never embrace SaaS, and for securing and scanning the endpoint,
we'll always likely see tools at the endpoint," he said. "But there will
be a time when I think all enterprises at least consider SaaS for some
operations and that this time may be coming soon; adoption does seem to
be picking up speed as, opposed to some other highly-hyped technologies,
the promise of SaaS appears to be backing up the hype."