Hosted security services are increasingly seen as a viable option for security management, thanks in part to their ability to reduce the strain on the security organization. With a Software-as-a-Service (SaaS) approach, enterprises can offload much of the responsibility for maintaining security technology to service providers, introduce new features and functions seamlessly and handle configuration and management from virtually anywhere.
If this sounds like management nirvana, security pros may want to step back a bit and consider the full ramifications of adopting a SaaS model for security technology. In this tip, we'll explore why more may be involved than meets the eye, and how to assess and manage the effects that a security SaaS transition will have on an IT infrastructure and management processes.
SaaS evaluation: Managing the transition
The advantages of security SaaS can be many, but, as with any new approach to management, they may come at a cost. Understanding the impact of moving to a service-based model, knowing how to recognize a successful service option and leveraging the advantages of new and emerging approaches are just a few of the ways prospective customers can make the most of the SaaS option:
- Understand the impact of service adoption, both initially and ongoing. In order to understand how the service will impact normal business processes, have the provider walk your team through the normal process of service adoption and use before making a commitment. If the service looks promising, probe the initial adoption process in detail, from start to finish. Verify the provider's description with reference customers if possible, and ask them if adoption turned out as expected. If not, or if the provider does not describe actions to take if the adoption fails to go as planned, take a hard look at where the adoption could go wrong and what the organization's response would be. Ask the provider -- and reference customers if possible -- how the provider handles changes to the service to keep it up to date. When maintenance requires service interruption, terms such as acceptable advance notice should be defined in the SaaS service-level agreement (SLA ).
- Know how to measure the advantages. It's difficult to make a case for a significant change to any management strategy without understanding its impact. Once the service is adopted, how will you know if you have benefited? Understanding the total cost of maintaining security management on-premises is one way to approach this. Weigh the costs of the service against the total impact of acquiring, maintaining and training to useusers on the on-premises security technology. Bear in mind that this measurement should be ongoing. Keeping security technology on-site also means in-house security pros must stay up-to-date with the latest threats -- or regulatory requirements -- in order to maintain the effectiveness of on-premises tools. The extent to which a service provider can do this for you is often one of the SaaS model's biggest advantages.
- Look at vendor stability in a new light. As is almost always the case when choosing a supplier, the vendor's stability going forward is a factor to consider. The decision sometimes involves making tradeoffs. Although customers would prefer a stable supplier with a proven track record, innovative (and often venture-backed) technologies often arise because they meet a need not served by more established vendors. This may be particularly true in security, where the threat landscape can be fast-paced. Also, customers should not forget that new or emerging providers may be more highly motivated than established contenders to make improvements for individual customers in order to win -- and keep -- their business. This raises a particular advantage of the SaaS option: When the service provider makes a change that benefits one customer, all customers may benefit. It could, however, also have a negative impact when changes take away or diminish valuable capabilities. Here again, interviewing reference customers can help in the decision-making process, providing insight into the provider's attitude toward delivering service improvements, as well as how the provider responds when service changes have negative consequences for some.
SaaS evaluation: Don't underestimate complexities
Some security functions, like messaging security and filtration services, for example, may seem readily outsourced, but even these aren't without complexities. While the external nature of message- filtration services makes them easy to adopt, they can become a critical dependency if they are a single point of failure for all inbound messages.
Considering this scenario while keeping the above-noted best practices in mind, enterprises should probe service providers on how they deal with service outages to limit such risks. They should also consider that, with message security and filtration, each user of the service requires his or her own account. These accounts must be created, maintained, moved, changed and deleted, just like any other user account in the organization. It's important to ascertain from the service provider whether these accounts can be synchronized with existing accounts, and if so, the extent to which synchronization requires additional effort on the part of the enterprise's IT support team. If synchronization is not an option, customers will not only need to make sure that users arebe comfortable with accessing a separate account just for the service, but also understand the impact on support resources when accounts must be created, modified or deleted.
Consider also the sensitive information often handled in email and message systems. What role, if any, does the provider play in keeping this information secure or in responding to an e-discovery demand? Customers should keep in mind that they, and not their service providers, may be ultimately responsible for their own legal or regulatory obligations. If customers have specific responsibilities to secure message data or to be prepared for an e-discovery scenario, it's essential to ask service providers if they will be able to support a timely and compliant response for producing messages or assure the security of messages in transit. Specifics should be defined in a SaaS service level agreement (SLA) if possible. If providers cannot support specific requirements, it's best to learn this before signing an SLA. If information is sensitive enough, enterprises may want to consider how best to secure data in transit regardless of the service provider, with tools such as data loss prevention (DLP) that can help secure important information before it leaves the business.
Another issue arises when taking into account the criticality of service availability to the business. With hosted vulnerability assessment, a service outage does not impact the availability of IT services on which the business depends. While this makes adoption easier, it must be remembered that vulnerability assessments themselves can sometimes disrupt business-critical availability or performance. In this case, a phased approach to adoption can minimize these risks. Initial stages can be used to develop familiarity with services and their eaffect on business systems. Subsequent phases can measure the impact on less critical resources, and initial tests on critical resources can be controlled by restricting trials to scheduled maintenance windows, for example, until such time as the organization is confident in its ability to direct the assessments.
As the scope of hosted security services continues to expand, customers and providers will need to hammer out a balance between reliability and cost that minimizes the impact of adoption. In general, these guidelines can help prospective customers gain a more thorough understanding of how the service is to be used, who will use it, and where the boundaries of expectations lie between the customer and the provider — all key to making the most of the security SaaS opportunity.
About the author:
Scott Crawford is a research director at Enterprise Management Associates. Crawford, CISSP, ISSAP, and ISSMP, has more than 15 years of experience in information technologies. Before EMA, he was the first information security officer for the International Data Centre of the Comprehensive Nuclear-Test-Ban Treaty Organization (CTBTO) at the UN's third headquarters in Vienna, Austria.