Tips and Tactics
SaaS
Difficult economic times are forcing some organizations to look at security as a service. We’ll weigh the opportunities and the pitfalls.
BY INFORMATION SECURITY AND SEARCHSECURITY.COM
Evaluating
 
Taking the Services-on-Demand Plunge
Tight budgets and regulatory demands are driving companies to tap service providers for security.
BY BARBARA DARROW

It may seem a counterintuitive move, but a growing number of companies have signed on outside services to protect their internal networks and data. Vendors such as Veracode, Websense, Qualys, Alert Logic and Google subsidiary Postini lead in answering this security-as-a-service charge, while incumbent security powers such as McAfee and Symantec figure out how to enter the fray without cannibalizing their existing businesses.

Some of these subscription services watch overall IP traffic, some scan email, some watch Web content. They all issue alerts and take action in the event of a threat.

So what leads a business to trust outsiders with its inside-the-firewall treasures? Constrained IT budgets and burgeoning regulations are prime factors.

Scott Smith, senior network engineer for Lincoln Property in Dallas, says Lincoln brought on a service so it wouldn’t have to hire more people to monitor its system and security logs. Before signing on with security services provider Alert Logic, the real estate management company didn’t have much more than a syslog server and staffers reading through tons of logs. “That is a nightmare, and the odds of finding what you’re looking for are slim to none. It was an overwhelming task,” Smith says.

And logs read after-the-fact are of little use against ever- and quickly changing security threats.

“The things that change most in our world are security threats. Why invest in an expensive [in-house] system when we can use experts? They read the logs, they provide immediate alerts. And there is no capital expense, but a small monthly fee,” Smith says.

Compliance pressures also are driving companies to bolster security via a subscription service. Chris Smith, vice president of marketing for Alert Logic, cites the Payment Card Industry Data Security Standard (PCI DSS) as a key motivator. Pushed by the major credit card companies, these standards dictate what users must do to comply and assess penalties for noncompliance, ranging from $500,000 per instance to a ban on processing credit cards.

“Unlike some government regulations which can be very general, PCI is very prescriptive,” says Smith. “You must have antivirus, you must have a firewall and intrusion detection, you must have periodic scans.”

Whereas Qualys mostly targets large enterprise accounts, Alert Logic’s sweet spot is more in midmarket businesses, many of which see the cost of deploying on-premises personnel and solutions as beyond their budget.

The PCI penalties demonstrate how security-as-a-service differs in one respect from business application service offerings like Salesforce.com or NetSuite. While cost analysis shows that hosted CRM, for example, can cost more than on-premises CRM after three or four years, such calculations don’t necessarily hold in the security realm for one good reason: The downsides of a big breach are incalculable.

“You can’t run a spreadsheet that will tell you how much you might lose because you don’t protect your information,” says Alert Logic’s Smith.
One might point to the massive TJX credit card breach as a cautionary tale.

In some cases, SaaS doubters don’t want their information residing anywhere in the cloud; the outside-the-firewall aspect still spooks many companies and government agencies.

“These in-the-cloud providers must haul event and security data to a central data center,” says Andrew Plato, president of Anitian Enterprise Security, a consulting firm in Beaverton, Ore. “That turns off a lot of