Security and risk leaders responsible for content security face an imposing challenge. Enterprises need to secure an increasingly extended front, yet content security budgets are not increasing.
Despite the growing threats, Forrester Research’s recent Forrsights Security Survey found 66% of enterprises will spend roughly the same amount on content security in 2012 as in 2011. Additionally, they allocate only 6% of the IT security budget to content security, which is the lowest of any spending category. Ultimately, more needs to be accomplished with fewer resources.
The Software as a Service (SaaS) model is an attractive alternative for enterprises that need content security, but that have time and staff constraints and are hesitant to commit large capital payouts. SaaS content security provides the traditional benefits associated with a cloud-based service, such as turning capital expenditures (capex) into operational expenses (opex), rapid deployment, availability and scalability. Given its benefits, SaaS-based content security has seen significant adoption. Forrester expects this trend to continue into 2012 and beyond.
4 paths to SaaS content security
While not all organizations are ready for SaaS, Forrester still recommends putting SaaS on the content security road map today. An organization could deploy at any time, but it must prepare. Organizations have four options from which to choose:
- Remain with on-premises products until hardware is end-of-life (EOL) and the cloud matures.
The traditional model is a good fit for organizations with business requirements that the cloud cannot address today and for organizations with cultural opposition to cloud-based services. As an organization plans for these services, consider SaaS email content-filtering adoption first. According to Forrester’s interviews, clients with successful email security experiences are more inclined to consider Web adoption. As mobile Web content security becomes more mature, consider augmenting the on-premises hardware with services from the cloud to protect mobile and remote workers.
- Choose a hybrid model that leverages both SaaS and existing investments with an eventual transition to a SaaS-only model.
The hybrid model provides flexibility to organizations and is similar to riding a bicycle with training wheels. Once ready for a cloud-only model, an organization can remove the training wheels and off it goes. The hybrid model provides a short-term option to maximize current content security investments. Any new investments in content security can leverage the cloud until an organization migrates completely away from on-premise solutions.
- Go with a hybrid model to utilize SaaS capabilities as well as traditional on-premise features.
Many organizations want the ability to leverage traditional on-premise features with SaaS functionality. The hybrid model provides the flexibility to use content caching or stream splitting at large corporate sites with the ability to leverage the SaaS model for the remote and mobile workforce. The hybrid model appeals to risk-averse organizations with concerns about placing data in the cloud. For example, an organization can leverage SaaS for inbound content filtering and use on-premise technology for archiving, DLP and encryption. This model is of particular interest to health care and financial services firms. However, be wary of vendors pushing the hybrid model for the hybrid model's sake. An organization needs to ensure it has a business justification for a hybrid implementation. If not, consider moving exclusively to the cloud.
- Completely move to the cloud.
If an organization has not yet deployed robust content security systems or existing investments are EOL within a short period, it should move to the cloud now. The use cases for the Web/SaaS model are the strongest when a workforce is geographically distributed or mobile. Retail firms with large numbers of branch offices and sales organizations should consider adopting this model. The email SaaS model is a strong fit for clients focusing on inbound email filtering.
Three best practices for a smooth cloud transition
The economies of scale leveraged from a multi-tenant model ultimately result in a more efficient and cost-effective content security implementation for organizations. To make a successful transition to the cloud, Forrester recommends three best practices for security and risk professionals:
- Involve legal, risk and compliance counterparts early and often.
Be sure to include legal, risk and compliance counterparts to review privacy and data protection requirements. Also, work closely with the legal team, along with the sourcing and vendor management roles, to understand and negotiate service-level agreements and create a SaaS business continuity plan.
- Perform a feature gap analysis.
Identify the necessary features and use cases in an organization’s current content security solution and compare them with the SaaS provider's capabilities. Determine if any of the missing features are absolutely necessary. Do the overall benefits of the SaaS option outweigh the missing features? Understand the SaaS provider's road map, seek alternatives, submit enhancement requests, and build feature requests into contractual obligations.
- Protect mobile device users.
Although mobile content security is in its infancy, the need to protect mobile users is growing. Enterprise patch management was also immature when Code Red and Slammer struck in the early 2000s. Learn from the past and ensure mobile device safety today.
Make the best business decision
Regardless of when an organization decides to transition to cloud-based security, preparations must be made. The SaaS model provides a great transitional tool to reach an organization’s cloud goals. An enterprise should analyze the options provided and ensure it makes the best business decision for its individual options. The SaaS model provides plenty of flexibility regardless of the path chosen.
About the author:
Rick Holland is a senior analyst at Forrester Research, where he serves security & risk professionals. Learn more about the upcoming Forrester Security Forum, May 24-25, 2012, in Las Vegas.