Freely subscribe to our NEWSLETTER

The term Security-as-a Service was first coined by the marketing folks at McAfee in 2001 to describe their vision of an outsourced approach to the provisioning and management of the full range of anti-X technologies needed to maintain corporate security, via the Internet. From a technical and business perspective, the idea of being able to devolve the responsibility for keeping complex network infrastructures secure and threat–free, to third party specialists, had many attractions, particularly as IT security professionals were both thin on the ground and expensive heads to have on the payroll.

Given that this was also a time when the battle between security vendors and the hacker community was really getting into its stride, and new vulnerabilities were being discovered on a seemingly hourly basis, it is surprising that, eight years later, the industry is still struggling with the concept of cloud-based security. In fact, if anything, the fundamental drivers underpinning the argument for a SaaS approach have strengthened in the intervening years: in 2008 there were over 5000 new vulnerabilities identified in common applications, operating systems and networking components; new PCI regulations and government legislation means that enterprises now face serious consequences if they fail to maintain stringent security standards; and low cost, high-speed internet connectivity is virtually universal.

So the logical question is: why is cloud-based security not more widely adopted as mainstream policy? Clearly there is no one simple answer to this and no doubt resistance to some of the changes in thinking and internal processes needed to implement a SaaS strategy is a significant factor. However, as we face the prospect of a lengthy downturn in the global economy, companies are being forced to take a fresh look at their cost base, including the core IT infrastructure fundamental to their business operation. Constrained economic circumstances are traditionally the time when the advantages of outsourcing are more readily accepted by an organisation.

One very obvious reason for the slow uptake of SaaS is that there are few companies that actually offer the full security package that businesses require. Whilst this can be regarded as one of those circular “chicken-and-egg” arguments, there are some real and fundamental technology issues that have delayed the MSSP sector from seizing the opportunity and making the leap from remote network security management to delivering the full range of hosted security services online.

In particular, security vendors have failed to keep pace with the new multi-gigabyte network speeds needed to power bandwidth-hungry applications such as VoIP and multi-media streaming that many organisations have been quick to embrace, for which users demand consistent and reliable levels of performance.

One of the other big factors that has occurred in the last few years, and is also contributing to the delayed roll-out of SaaS, is the increased sophistication of the threats facing network infrastructures as the hacker community has found new ways to circumvent the latest security technology to deliver their malware payloads. The response by the security industry has been to try to adapt old technology to operate in a modern high-speed environment and to mitigate complex threats that it was never designed for, usually resulting in increased latency and unacceptable degradation of network performance. The latest multi-staged “low and slow” attacks are a specific case in point. Delivered over time in incremental parts, these attacks are virtually undetectable by existing IPS and firewall systems and require a totally new approach to intrusion detection and prevention.

Most of the big global network security vendors have announced products that include the option of 10G connectivity and make claims of high-speed throughput with multiple threat mitigation functionality. In theory they can provide the necessary protection but in practice these ASIC plus CPU based systems are restricted by the limits of their processing architectures and are unable to offer true 10G throughput performance, creating an overall bottleneck in the system and major problems for the users of VoIP and other real-time applications downstream.

As with the threat posed by multi-staged stealth attacks, resolving the issue of throughput performance requires more than just tinkering with existing technology, which in this case has effectively reached the limits of its capability. Syphan is one company that is tackling this problem head on through its innovative use of FPGA-based multi-dimensional parallel processing techniques. Using programmable silicon also means that the technology can be quickly upgraded in situ with new rule sets as and when new threats emerge, and by enabling full packet inspection against multiple rules in parallel, true 10G performance without latency is a practical reality.

With the emergence of these new technologies at a time of economic uncertainty, the roll out of scalable online security services has become a much more attractive proposition for MSSPs and their customers alike. Whilst not everyone welcomes the prospect of scaling back their internal operations, the option for businesses to eliminate their security management and infrastructure costs without compromising their security posture or risking impacting the day-to-day business operation is a likely to be a strong factor in making 2009 the year that the cloud-based security market, envisaged by McAfee, starts to take hold.