Security as a Service insight

/ Security
March 1st, 2012

what is security as a service

I was sent over a few questions from a journalist the other week, generally interested in what was going on within the Security as a Service market. I thought that this may be of interest to a few people:

What forms does Security as a Service take?

Security as a service takes many forms. In effect it’s outsourced management of elements of security, now generally mixed in with a range of hosted/cloud services. The range of security services provided is vast and goes down to a granular level, i.e. from simple SPAM filtering of email, through to cloud-hosted anti-virus, remote automated vulnerability scanning, managed backups, cloud-based DR and business continuity systems, cloud-based 2-factor authentication systems, plus much more.

The services are either delivered directly from the vendor where the reseller takes a commission, or they are delivered from specialist firms who have the in-house skills capable of building, integrating and managing specialist security services for their customers.

Will vendors and customers prefer this options going forward? Why?

It is the preferred route for many vendors as they have to meet the trend and reseller and user demand for cloud/managed services. It’s certainly the case in the SME markets as both the resellers and the end-users often don’t have the skills and/or resources to manage these environments/services correctly.
Paying for security as a service has de-risked many of the decisions that used to float around when choosing a security platform. This has encouraged end-users to consider technologies that would have previously been out of their budget and skill-base.
I’d say that vendors are certainly finding that their products are slightly stickier with the end-user base. In many cases, the vendor is selling directly to the user-base as well as through the channel.

What is driving its adoption?

Lower-end resellers are able to sell services to a customer-base without the higher-level skills traditionally required, i.e. server, networking, and general infrastructure. They then take first line support and back-off anything else to the vendor.
Customers can gain services that previously would have been out of reach due to the costs and skills, i.e. 2-factor authentication and DR solutions. A £100K project five years ago can now be delivered on a £1000 budget with no CapEx.
Marketing and cloud-hype have certainly helped the cause for Security as a Service. For a long while, many business leaders have been scared of IT due to previous large IT project failures. Cloud gives them some peace of mind as they aren’t risking the CapEx.

What options and opportunities are there for resellers to get involved?

Most vendors now give the resellers a cloud platform or license agreement that allows them to build their own platform. I think you’ll see the majority of the run-of-the-mill security services, i.e. AV and SPAM filtering delivered by this model, especially within the SME market. Larger organisations will be slower to adopt as they’ll often have internal resource capable of building / managing their own infrastructures. Many larger organisations will pay for Security as a Service but this will come from more specialist reseller/consulting firms who can integrate and manage the services to a much greater level.

How easy will it be for the traditional box and shrink-wrap type partners to sell Security as a Service?

It’s all fairly easy to sell in essence, and in the first instance. The issues come for the reseller in the box/product-shifting space when problems arise on a technical level. Those resellers who just sell product and services, or have low-level technical support will suffer. They will have no control and often don’t know how to pinpoint issues. We see a fair amount of telecoms and print companies trying to resell IT Services without understanding the ‘bigger picture’. This tarnishes the whole IT service and cloud market.

IT services are not a commodity. You can package them up as much as you like into a product but the underlying complexities will often remain. You get value in IT through proper analysis, intelligent integration and a genuine understanding of business. I’m forever dismayed by organisations turning up at my door trying to get a service they were contracted with another provider to work – and it never will.  IT is getting more complex, not simpler.