Security as a service

Security as a service refers to the practice of delivering traditional security applications as an Internet-based service, on-demand, to consumers and businesses. It is an example of the everything as a service trend and shares many of the common characteristics, whereby security applications are delivered as a service using the Internet as the delivery mechanism. In the consumer market, the most common of these are the “anti-” suite, including anti-virus, anti-spam and anti-spyware.

In the enterprise market, Security as a Service refers to the delivery of second-tier infrastructure components, such as log management and asset tracking, in a service-oriented fashion, also leveraging the Internet as the delivery and access mechanism.

History

The term ‘Security as a Service’ was first used in the consumer market in the year 2001. McAfee filed a controversial patent for delivering security software as a service over the Web in August 2001. [The Register: “McAfee files patents for security as a service”, http://www.theregister.co.uk/2001/08/07/mcafee_files_patents_for_security//]

This managed web security service is known as the Secure Web Gateway (SWG). The SWG service works on the internet level by redirecting an organization’s web traffic through a datacenter for policy application and cleaning. [Gartner, Inc. “Pros and Cons of SaaS Secure Web Gateway Solutions” by Peter Firstbrook, April 16, 2007] [Gartner, Inc. “Magic Quadrant for Secure Web Gateway, 2007” by Peter Firstbrook, Lawrence Orans and Arabella Hallawell, June 4, 2007]

Vendors in the SMB market who deliver “Security as a Service” solutions include McAfee, Watchfire, and Jamcracker. In the enterprise market, vendors who provide security as a service solutions include Internet Security Systems, Grove Group, MessageLabs, Panda Software, Qualys, ScanSafe and Vigilar.

Key characteristics

Certain aspects of security are uniquely designed to be optimized for delivery as a Web-based service. These include:
* offerings that require constant updating to combat new threats, such as anti-virus and anti-spyware software for consumers
* offerings that require a high level of expertise, often not found in-house, and which can be conducted remotely. These include ongoing maintenance, scanning, patch management and troubleshooting of security devices.
* offerings that manage time and resource-intensive tasks, which may be cheaper to outsource and offshore, delivering results and findings via a Web-based solution. These include tasks such as log management, asset management and authentication management.

Security as a service applications are generally priced on a per-user basis on the consumer side, and a per-device basis on the enterprise side. Pricing may also depend on bandwidth and storage requirements. SaaS costs to the buyer and revenue streams to the vendor are therefore lower initially than traditional software license fees, but are also recurring, and therefore viewed as more predictable, much like maintenance fees for licensed software. In addition, because the functionality is delivered as a service, rather than a device or piece of software, fees fall under operating expenses, rather than capital expenditures, for most customers.

Managed security services

Unlike previous generations of Managed Security Services, security-as-a-service does not require the customer to give up complete control over their security posture. Instead, internal administrators can control their security policies, upgrade systems, etc. via a web-based interface. Internal administrators maintain control of their security policies and can change them without calling an outsourced provider, but at the same time gain useful information regarding a device's status and history (uptime, current and past patch levels, outstanding support issues) and other device-centric information on demand via a web interface.

Best practices

Telling users what to do, when to do it and how to do it after purchasing a product is the code of conduct that ensures the product is used correctly and securely. One of the most effective ways of conveying those messages is to rely on product release notes that are diligently kept current, in addition to providing a product manual. Good examples are given by software manufacturing, which often provides product updates and patches [IBM. “Flash BIOS Update - IBM System x3455 (Type 7984, 7986)”. https://www-304.ibm.com/systems/support/supportsite.wss/docdisplay?lndocid=MIGR-65692&brandind=5000008. Accessed March 25, 2008], [BMC Software. “LOADPLUS® for DB2: Release Notes - Revised”. http://documents.bmc.com/supportu/documents/30/76/63076/Output/09186a33800dcb0b.htm. Accessed March 25, 2008]. To protect the vendor's rights and to take responsibility for after-sale services, the availability of sensitive and critical service information and downloads can be restricted to members and dealers who hold registration identification details, or to customers who have either the product serial or receipt numbers [John Wiley & Sons. “Access Article”. 2006. http://www3.interscience.wiley.com/user/accessdenied?ID=112635143&Act=2138&Code=4719&Page=/cgi-bin/booktext/112635143/BOOKPDFSTART. Accessed March 26, 2008], [Asustek Computer Inc. “ASUS MEMBER AREA”. http://member.asus.com/login.aspx. Accessed March 26, 2008], [UStec. “Dealers”. http://www.ustecnet.com/ustec_dealerlogin.htm. Accessed March 26, 2008]. Some vendors are even more prudent and provide their services only to customers who have registered their products with a service ID and have created their technical support accounts after purchasing [Intel Corporation. “Software Products”. http://www.intel.com/support/performancetools/sb/CS-022492.htm. Accessed March 26, 2008], [Dell. “Drivers & Downloads”. http://supportapj.dell.com/support/downloads/index.aspx?c=hk&l=en&s=lca. Accessed March 26, 2008]. Although, in the meantime, it is quite difficult to find a vendor's system that is ISO/IEC 15408 certified by an ISO/IEC 27001 accredited organization, the scheme has been developed and needs time to be implemented with wide coverage.

See also

* Everything as a service
* Information security
* Network Security Services
* Service Oriented Architecture


Wikimedia Foundation. 2010.
