Patch/Configuration Management, Vulnerability Management

Hot or not: Software as a service

SaaS is no longer just about CRM — more security vendors are revamping their applications to be delivered as services over the web. SaaS is coming to the security market in a big way. And this trend promises to save organizations time and some of what they spend on security gear, and free more resources to actually secure systems.

The web-based delivery of enterprise software, Software-as-a-Service, or SaaS, has made a significant impact on how enterprise applications are built, deployed, maintained, and used. This trend also will have a significant impact on how security managers and administrators use many of the tools they rely upon to defend their infrastructure.

While the initial areas of SaaS success was seen with CRM applications, most notably from companies like and RightNow Technologies, demand for SaaS software is spreading to nearly every type of application — from such cornerstones as desktop productivity suites, as seen with Google's offering such applications from within a browser, to niche transportation management systems. The transformation from traditional packaged software to SaaS will not leave security applications untouched. In fact, the revolution is underway, and in some cases SaaS and on demand security software delivery has been in place for years.

SaaS and on demand delivery of these applications reduces the complexity of managing security software; with no software or infrastructure to deploy, or time-consuming upgrades to contend with, security managers save time and can focus more energy on keeping their infrastructure secure, and less on managing the tools to get there.

While the fact that there is no software to deploy or manage is certainly one of the most compelling benefits of SaaS, it's certainly not the only one. SaaS provides a more streamlined way for security vendors to maintain their software and provide the vulnerability signature updates — and when the software service is updated, all customers reap the benefits concurrently and instantaneously upon its release.

Another benefit is budgetary. Because SaaS and on demand solutions are typically sold as subscriptions, there's no need for substantial upfront financial investment. This is a significant shift; historically, once an organization has invested heavily in a departmental, or enterprise-wide, traditional packaged security software application, it owns it outright, whether it ends up fitting their long-term security needs or not. In this model, the software buyer assumes most (to nearly all) of the risk in the transaction. The historical rule of thumb is that an additional three to five times the value of the software's price tag must be spent on customization/integration, annual maintenance fees, training, and other efforts. A software acquisition of $50,000 really comes much closer to $200,000, or more, when all costs are considered. Once it's installed and running, most businesses are stuck for years if they've made a bad selection. With SaaS, those additional costs are flattened. With software delivered as a service, the costs to switch to another provider are minimal. There's no forklift upgrade, or another large investment required; it's just a matter of switching software subscription providers.

In addition, many security problems that plague today's business technology systems — such as patches and software misconfiguration issues — are solved through SaaS. Too many businesses lack the resources required to continuously conduct vulnerability scans to ensure that their networks and applications are secure, let alone deploy timely patches. This creates a risky environment and a high probability of attacks and compromise. However, SaaS providers must build applications that are both readily available and secure. And all security patches the vendor deploys are instantly available to its customer base. The onus of maintaining a secure application is largely transferred from the software user to the software service provider.

If you think all of this sounds a lot like the old Application Service Provider, ASP, software delivery model, you're partially right. But there are a number of crucial differences between now and way back in 2000. One of the most fundamental reasons why SaaS is better poised for growth today is that the internet is more mature and reliable. The standards now are in place to make it much easier to develop SaaS applications that are on a par with traditional enterprise applications. Today, we have development tools such as Ajax (Asynchronous JavaScript and XML), which enable the limitations of the browser to be bypassed and provide for the development of applications in which there is no noticeable difference between the Ajax user interface and the enterprise user interfaces of today. Also, for years, SaaS naysayers pointed to the difficulty of integrating SaaS applications with existing commercial software. Web services and XML standards have solved this. These development and integration issues no longer are problems. And in the coming months and years, we will see more software companies build applications from the ground up for SaaS delivery, rather than the old ASP-style applications that were little more than standard enterprise applications with an HTML front-end.

So brace yourself for a wave of SaaS security solutions during the rest of this year, and throughout the near future. While the SaaS movement has been underway for seven years, only recently have all of the foundational pillars been put into place to allow SaaS to soar throughout the market and increasingly displace traditional software deployments. Organizations that use this model will save time testing, piloting, integrating, deploying, and managing their security tools — and much more time using them.

-Amol Sarwate, director of Qualys' vulnerability research lab

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.