Security: No Hardware. No Products. All Software and Service

JohnAdams-chosen-security.jpgWhen you think of security, what do you think about? Some hardware appliance such as a firewall or router. Maybe you think about installing security software on each computer. These components are security, but an increasing number of vendors are selling more security solutions as a service.
In this interview, John Adams, CTO of Chosen Security gives us a better understand of what security as a service means and more importantly what it means for you.
What is SaaS security?
Software as a Service (SaaS) Security is simply a security capability delivered as a service instead of a product. As an example, ChosenSecurity’s QuickStart certificate service delivers certificates using a service that can be accessed by any Web browser; this is an alternative to setting up a product such as the Microsoft Certificate Authority. Another example is Message Labs who offer capabilities such as anti spam filtering and email encryption as a service.
Is it for every business or should some businesses use traditional appliance/software security?
Any business can use SaaS security. For the most part, SaaS can be deployed more quickly and will have lower costs than deploying products, particularly for smaller deployments. This cost benefit is reduced for larger deployments, and may disappear altogether for very large deployments. The SaaS approach is generally less flexible than a product approach, so it may be easier to integrate a product into a complex environment than a service. A good deployment strategy would be to start out with the SaaS approach to gain experience with thesecurity capability and then migrate to a product if the service is too limiting or too expensive.

Can ones entire network be secured via the cloud or should certain parts have premise based security?
Smaller organizations may choose to outsource all of their security due to lack of expertise or resources. Most large organizations, particularly ones with security expertise, will elect to provide that capability themselves. Since the primary benefits of the SaaS approach are lower cost and speed of implementation, most organizations will use the SaaS approach when they are trying to introduce a new capability or reduce the cost of an existing one.
How should one choose a SaaS securities vendor-there are so many, from the household names such as Symantec and McCaffee, to TrendMicro, St. Bernard and more?
This is a challenging task, but the first step is to be clear about what security capabilities you want to deploy. This can range from something you already do in house but would like to outsource, to something you would like to try for the first time. The task of sorting through the vendors will be a lot simpler if you are clear on what you are trying to accomplish. If you are trying to achieve that clarity, you will be better off hiring a consultant, or doing an internal project first to identify your requirements. Once you have clearly identified a requirement, for example email security, it is much simpler to identify the relevant vendors. Once that has been done, the choice usually comes down to price, featuresand the quality of references.
What are your thoughts on having antivirus on each desktop computer in addition to SaaS security, or is this redundant?
One of the classic strategies in security is the concept of defense in depth. The idea is to have multiple defenses so that if one is defeated there are others to back them up. This is the reason people often use multiple antivirus products, since one will often catch malware that the other will miss. So it definitely makes sense to have desktop protection in addition to network and email protection. The more places you scan for malware the better. It also makes sense to use multiple antivirus vendors. Most antivirus software are sold as SaaS today, since the automatic updates are so important. I doubt if many customers are buying it as a product and doing the updates themselves.