Joining the service?

The downturn might be increasing the uptake of hosted services. But do money saving motives outweigh fears over hosted security? Which headache is worse; the worry of offloading security work, or the bother of carrying it out in-house? Julian Pletts finds out if security as a service is really a viable option.
Joining the service?
About 12 months ago we launched something called the LMS service which is the Log management service. - Jeff Ogden, senior consulting, Symantec.
By Julian Pletts
Wed 07 Oct 2009 04:00 AM

The downturn might be increasing the uptake of hosted services. But do money saving motives outweigh fears over hosted security? Which headache is worse; the worry of offloading security work, or the bother of carrying it out in-house? Julian Pletts finds out if security as a service is really a viable option.

As part of a rounded discussion to discern whether or not security as a service has found its legs in the Middle East region it is first important to define what we mean by security as a service.

There seems to be a level of confusion in the market as to exactly what constitutes security as a service. There is the strict end of the spectrum suggesting that security as a service is directly correlated to its closely related cousin software as a service. That is to say that it is security services that are hosted by a third party entirely, and this is generally related to SPAM filtering and anti-virus scanning and similar software services.

Then there are others in the market that will say managed services - often offered by systems integrators in this market - fall into the category of security services. This is when an end-user gives up most, if not all, control of its security posture to a systems integrator or vendor. These services though are normally carried out on-site.

Alright, it is perhaps fair to say that this is a rather simplistic assessment of what we actually mean when we look at security as a service, but it will help in the evaluation of how far enterprises and the SMB sector have been willing to hand over responsibility for chunks of their network security to a third party. Though lip service will be paid to the managed security services aspect of security in this article, it will be the former aspect, delivering security applications as an internet-based service,  on which we will focus.

In this category the breadth of vendors and indeed the offerings on the market have exploded in recent years. A great deal of the major networking vendors have been looking to capitalise on the possibility of this market - names such as Trend Micro, Symantec, EMC and McAfee.

"We are looking at how every product that we offer, how can we make all of it software as a service to try and reduce the need for on-premise products and how we can move have that into the cloud," proclaimed James Walker, product marketing manager for the specific software as a service division of Trend Micro.

So what are the key security as a service products that are available in the Middle East market? If we take Trend Micro as an example, the security services that it has currently converted and, or, designed for hosting include hosted email services, such as anti-virus and anti-SPAM solutions, and anti-malware and file reputation services.

Symantec has also been busy looking at how services that they traditionally market as onsite or managed services can now be hosted and backed up by its own experts and support teams.

Jeff Ogden senior consulting at Symantec comments that the last 12 months has seen some notable security as a service launches from the security powerhouse.

"About 12 months ago we launched something called the LMS service which is the Log management service and we usually have services for that. That is the collection of all the log data from the customer's environment for review and analysis," explained Ogden regarding one of the services the vendor has been promoting.

"We also have the deep site threat management services which are the most comprehensive database of threats and utilities, attacks, underground economy information. And this week we will be launching a service which is basically a deep-dive analysis for customers that get some issues and threats and don't know how to deal with them. It will mean that they get someone to help them work that through," added Ogden. "We have that and we also deliver a couple of other broad services as well, Botnet tracking, network shutdown, etc".

The vendor is keen to point out that a great deal of the services that they offer can either be backed-up by their own experts or that those resources can be remotely deployed for organisations that may not have the expertise as part of their in-house IT team. This, it can be assumed, would be a very attractive prospect being as the region is still suffering from the side effects of the financial crisis which demanded shaving resources that might have been employed securing networks.There are also non-traditional companies making up solid ground in the security as a service arena. One good example of such a vendor is multinational search engine goliath Google, which in the Middle East works closely with distribution agent FVC, to further market presence.

"Seeing the opportunities in the software as a service and security as a service market we went out and partnered with Postini, whom we have been doing business with for over two and half years now and they were brought out by Google," explained Guru Prasad, general manager for Networking at FVC.

"As part of this partnership we offer customers email and web security, a completely hosted as a service. Also on top of that is other services such as DLP encryption services which are completely hosted," he added.

As FVC has dived headlong into the security as a service market through some very strategic partnerships, the distributor also feels that the market, though slightly behind others, is catching up fast.

"Compared to the rest of the world there is a lag in the use, but we have seen in the last year or so that the uptake has been tremendous, compared to last year in terms of the uptake of the of email and web security business, as well as the collaboration of wholesale applications," suggested Prasad. "We have seen a few enterprise that are using the services but we are really seeing the mid-market very quickly and the uptake here has been far quicker compared to the enterprise."

There are some very compelling reasons to opting for hosted services when it comes to security provisions. Vendors that offer security as a service will of course revel in the fact that the financial crisis will invariably lead end-users to consider outsourcing. It is perhaps the foremost or most compelling reason companies might consider managed services.

As an aside though it must also be pointed out that the amount of malicious attacks have risen drastically since the onset of the financial crisis, though it is not clear whether that will increase or decrease the attractiveness of hosted security services.

Miguel El-Khoury, integrated networking and site services at Gulf Business Machines, a systems integrator that works closely with IBM and Cisco in the Middle East, observes a rapid uptake in security services over the last few years.

"Four or five years ago, it was debated over and most of the customers would like to have security managed in-house. However, not just because of the crisis but also products that the vendors have built into these hosted and managed solutions, have really made customers reconsider it," said Khoury.

The financial incentive to invest in security as a service runs deeper than merely cutting costs during the financial crisis. Ahmed Abdella, regional manager, Middle East, North & West Africa at RSA, the security arm of EMC, says the ability to control and predict security expenditure is leading end-users down the hosted path.

"Some of the advantages for investing in managed services is predictability - the predictability of the cost and how often you are going to have to pay for it and more importantly the predictability of the service levels. They will know what service level they will be getting and at what price," said Abdella.

As we have also already seen outsourcing might mean you get a higher level of security as businesses, particularly on the low end of the scale, are unlikely to have the expertise on-board to fully-secure the network. End-users commenting on the subject say that not only is not having the relevant skill-sets on board an important factor, security as a service also frees up resources to focus on other aspects of network management and IT.

Further positives to investing in hosted security include benefitting from the vendors' financial power to invest in R&D and in identifying threats very early on in their lifecycle, guaranteed services if a strong SLA is agreed upon and security that is always-on and can be constantly monitored.FVC points out one final benefit that makes the list and a rather in-direct one brought about by bandwidth savings when utilising a hosted SPAM filter: "All of the SPAM is actually hosted at the provider and thereby, if you look at stats almost 60% to 70% of all communications we receive today is actually SPAM, so one of our customers actually saved over US$190,000 a year just in bandwidth savings which was almost the cost of the solution in the first place, so the ROI is clear and evident," said FVC's Parag.

Despite all of these potential paybacks to hosted security services and the level of uptake vendors are upholding, there is still a resistance to it at the end-user level in the Middle East. Madhav Rao, group IT manager for the Dubai-based EMKE group, is hesitant.

"One should be extremely careful on this selection technology and channel partners on this," he warned. "Security on demand is a new approach globally. This region requires good understanding in terms of trust and confidence. The private and corporate and the banking industry are further ahead in its adoption rate than government organisations. The current economic slowdown will, to some extent, ramp-up the adoption rate."

It must be noted that the EMKE group is in a good position to comment on the adoption of security services as they have invested in hosted services operating around its e-mail systems. Rao's view seems to echo that of most enterprises in the Middle East on this subject, that of willingness to consider on-demand security but of extreme caution to actually investing in it. Many a vendor seems to think that a great deal of the trepidation surrounding adopting such services stems from a lack of education. It is however, vendors themselves that should shoulder the responsibility for carrying this out.

The main point to consider that will alleviate most worry when handing over portions of your security to a vendor or partner is, before you sign on the dotted line, make sure that you get solid, binding and relevant service level agreements in place.

Now this seems like common sense but in talking to vendors it became clear that there are different levels of agreements and commitments that you can tie vendors down to. For instance only one of vendors canvassed mentioned the fact service level agreements can be customised to suit the demands of end-users.

"A lot of our customers are looking for customised security level agreements and in those particular situations we can offer SOM and that is where we can be current with a customers and offer more customised level of service and a customised service," said Symantec's Ogden.

SLAs are an essential of security as a service and what every end-users must be looking for. This is a sentiment mirrored by EMKE Group's Madhav.

"Vendors have to educate customers on solution specific workshops and guaranteed five 9's of SLAs. They also need to build trust and confidence around outsourcing security and the fact that it can outweigh cost and management over in-house options," stressed Madhav.Regarding SLAs, Abdella at RSA, suggested that some companies might be willing to accept less stringent levels of agreements, at a lower cost: "It depends on the level of service that the customer is looking for and when it comes to security no one expects less than 24/7 security service. Obviously, the more strict the SLA's the higher the cost of the service."

This is something that the end-user should bear in mind and ensure that they get the best balance between cost and the consistency of service. Abdella also offered up some advice that he feels will help CIOs make the choice of vendor.

"You can start with the size of the organisation and their ability to invest in R&D, how mature they are, how mature their solution is and how they make sure that the solution that they are providing is always up to date. A smaller security vendor might not have the ability to offer the broader services that we are able to offer," warned Abdella.

There remains a common concern of CIOs and IT managers that rears its head when considering outsourcing - the quality and availability of local support for the services. One IT manager, based in Saudi Arabia said that when researching hosted security services, they were unable to find vendors that offered local services in the Kingdom, a problem compounded by the fact that there was no locally based channel support there.

So what are companies doing to convince end-users that support around hosted services goes beyond just remote assistance? Whilst many vendors will have in-region and even in-country resources in the Middle East, one answer is the use of distribution or agent partners, such as FVC, to ensure that if something goes wrong, there is someone on the ground to answer the call.

"Being local we are able to provide support through our host of channel partners and also there is a 24/7 availability support desk from Google and ScanSafe," said FVC's Prasad. "But we are generally the first level of support with our channel and then it is vendor support."

In the future hosted services are going to be prevalent in this part of the world. In fact one spokesperson was so adamant that security as a services is the path that the market is going to take that he even stated major partner vendors had to get on board or risk being left behind.

"I don't have the full road map of Cisco, or Juniper or whatever, but I think that if they don't move fast their security offering will make no sense," warned GBM's Khoury. "Let me just give you an example; the customers that I am talking to, they are full-house Cisco, and now on the email, they have gone out of that, because Cisco have the add-on port - a vendor-product solution. Today the Cisco line has a problem because they don't have hosted solutions."

Security as a service is a rapidly evolving market with future provisions that will have to consider the implications of cloud computing and virtualisation to a greater extent than they do today. It is also clear that the financial crisis has been encouraging end-users that would not have done so before, to look at security as a service.

This is not to say that they should jump headlong into tie-ups before properly considering the consequences. There are many services to choose from and with strong SLAs, the mobile phone number of the vendor's local support team leader, remote expert backing and benefiting vendor R&A, the end-user might just find that their enterprise network is more fortified than it has ever been before.

Diminishing resources

There is a case to be made that increased uptake in hosted services in the region, be it security or any other IT-based service, will mean the amount of jobs available and the quality of local IT resources will be reduced. Will home-grown IT talent be driven out of the area as the popularity of the hosted model increases? FVC's Guru Prasad thinks not:

"It will have a positive affect in that the improvement of IT resources and of IT strategy is going to be far more developed when non-essential services are hosted outside of the region. Obviously, there is never going to be a time when it is all outsourced and there is still going to be a lot of work on developing IT strategy. We have seen a lot of the IT resources being deployed today in IT management and maintenance as opposed to enhancing the use of IP in increasing IT and productivity.

In one customer what happened was when those IT resources where no longer working on the management of the IT systems, they were not fired, they were then tasked to enhance security and IT across the company, so they found bigger roles, and much better roles to get into which was also more strategic to the organisition. I think the impact will be more positive."

For all the latest tech news from the UAE and Gulf countries, follow us on Twitter and Linkedin, like us on Facebook and subscribe to our YouTube page, which is updated daily.

Subscribe to our Newsletter

Subscribe to Arabian Business' newsletter to receive the latest breaking news and business stories in Dubai,the UAE and the GCC straight to your inbox.