Cloud Coverage

Local governments strengthen their security posture using security SaaS.

With threats to e-mail and web security ever looming, wary government IT officials are turning to the cloud for help.

There they're tapping into a growing selection of security technology offered in a hosted services model -- in cloud computing lingo, as Software as a Service, or SaaS. E-mail and web filtering are common security SaaS options (available from providers such as M86 Security, McAfee, Symantec, Trend Micro, Webroot Software and Websense), as are vulnerability assessment and management.

"Security SaaS is part of an overall trend of looking to third-party providers of capability as a service in one way or another," says Scott Crawford, managing research director of security and risk management for Enterprise Management Associates (EMA). "Organizations see it as a means of outsourcing capabilities that are either too expensive or difficult to maintain."

For example, in a recent survey of more than 200 organizations worldwide, EMA found that 27 percent of enterprise-scale and 44 percent of smaller organizations do not have the resources they need to manage web application security. Facing these and other security challenges led 43 percent of respondents to security SaaS, with more than half (57 percent) of those organizations saying they'd increase their use over the 12 months following the survey.

A Toe in the Water

The IT team in Dane County, Wis., for example, turned to a security SaaS offering to protect against evolving spam threats that its aged physical appliance was letting slip through, says Steve Jones, senior systems administrator for the county. "That appliance wasn't catching spam that uses embedded web links pointing to malware sites or places we just don't want people going to, period," he explains.

After evaluating its options, the IT team decided to give Trend Micro's InterScan Messaging Security Virtual Appliance a try. In a hybrid security SaaS model, Trend Micro delivers an on-premises virtual appliance with in-the-cloud spam and malware filtering to block threats in real time before they hit the county's network.  

So far, so good, Jones says.

With the previous setup, Dane County's physical e-mail filter was contending with some 70,000 to 100,000 e-mails daily. "Our appliance was doing a whole lot of processing," Jones says.

"Now, with the hybrid SaaS model, because the e-mail hits Trend Micro servers in the cloud first, we've seen our volume reduced to about 27,000 messages a day. Needless to say, that's a substantial drop in what's making it to our local appliance, which then catches even more," Jones says. "We definitely feel more secure with the extra layer of protection provided in the cloud."

That said, the county isn't quite ready to move beyond hybrid SaaS e-mail security -- at least not yet, Jones says. "We're not ready to throw everything into the cloud. This is us really just dipping our toes in with this hybrid SaaS model."

The Big Plunge

IT security professionals in Montgomery County, Md., have approached SaaS security with a different mindset.

"A couple of years ago, as we looked at budget pressures combined with the amount of resources my team was spending on administering software, we realized that we had to do something to make our lives easier. That made us go out and look at SaaS security," says Keith Young, security official with the county's Department of Technology Services, in Rockville.

Since that time, the security team has migrated most of the services it provides for the county's 10,000 employees to the SaaS model, Young says. This includes log correlation and security information management; intrusion detection; vulnerability management; PCI scans; URL filtering and blocking; and computer forensics, which is handled partially in the cloud, he adds.

The additional cost Montgomery County, Md., incurred moving from on-premises to SaaS security. In one case, the SaaS security cost $60,000 a year less than what the county had been paying in yearly maintenance fees for the product it replaced, says Keith Young, security official with the county.

Young declines to name the county's SaaS security providers, citing county policy, but says the security team selected best-of-breed offerings that provide protection capabilities and feature sets similar to the on-premises products they replaced. However, the county has realized several improvements, he adds.

"The major differences are system availability -- in that we had been getting approximately two nines of system availability before, and now we're getting four nines because that's built into the services vendors -- and interoperability. For instance, our log correlation provider accepts feeds from our vulnerability management provider through standard exchange methods of data sharing," Young says.

These are on top of the reduced management and maintenance chores for his team, which means senior security staff can focus on providing enhanced services rather than on systems administration, he adds.

For Young, SaaS security is but the tip of the iceberg.

Ultimately, he says, he'd like the county overall to embrace the cloud computing services model for improved efficiencies. Toward that end, for example, Young says his team has begun experimenting with using consumer-oriented handheld clients in conjunction with commodity cloud-based offerings for core services and applications such as e-mail and team collaboration.

Successful SaaS Security

Three characteristics of SaaS security make it a sensible choice, says Scott Crawford, security analyst with Enterprise Management Associates:

  • The security capability is readily externalized. In the case of SaaS e-mail security, for example, the in-the-cloud filter is simply one more hop the traffic passes through on its way into an organization.
  • The security capability has little or no impact on critical dependencies for business IT services; what impact it has, the organization can effectively mitigate.
      "There's no critical dependency on vulnerability assessment, for example," says Crawford. "Services will run regardless. This is a little less clear-cut for messaging security because most organizations have dependence on e-mail like little else. However, there are strategies for dealing with that, like failing over to an alternative service, parallelism, distributing across multiple data centers and so on."
  • The cost, complexity or overall burden of management is seen as problematic. SaaS security provides a way to shift that burden somewhere else, move the capital investment in security toward the operational side, and ease the challenges associated with acquiring and maintaining in-house technology and expertise.
      "Attracting and retaining truly qualified security expertise is not always easy or trivial," he says. "In a sense, hosted technologies are a way to implement this expertise in 'centers of excellence,' if you will, which also illustrates how hosted security technologies are often extensions of a managed security services provider."
Mar 03 2011