The devolution of security

The $44 billion security sector has historically been one of the most successful sectors in the IT industry, a remarkable achievement given its origins as a bolt-on addressing the vulnerabilities, inadequacies and oversights of other technologies – be they core operating systems, run-the-business applications or email.

On paper, the industry’s growth remains substantial, and even appears somewhat insulated from the financial crisis. Gartner pegs it as one of the fastest-rising parts of the software markets in 2009 with a growth rate of more than 11%, despite predicting an overall decline in global IT spending of nearly 4%.

Little if any of that will be channelled towards boosting business efficiency. The three traditional purchasing motivations of threat (from cybercriminals), fear (they’re out to get us) and compliance (they may have got us) are, if not growing, then certainly here to stay, suggesting the industry’s future is rock solid.

In the near term, at least. But the wider picture is less certain. The growing acceptance and adoption of cloud computing, and particularly software-as-a-service (SaaS) where the applications and much of the security challenge are passed to a service provider, represent the greatest challenge to the business model of many security vendors since the sector’s inception.

Baked-in

Gartner predicts that worldwide revenue from cloud services will top $56 billion this year, a 21% increase on last year. By 2013, the analyst firm puts that figure at $150 billion with no sign of slowing. Much of that revenue, it says, will come from the replacement of on-premise solutions, making cloud services a not-inconsiderable threat to vendors currently heavily reliant on licence-driven business models.

Forrester analyst Liz Herbert describes SaaS applications as having advanced beyond “early market applications in human resources and CRM to become a game changer in the enterprise software market”. Adoption is “continuing to increase [as] it is now relevant for a wide array of applications,” she says.

That interest from analysts is now being shared by end users. At a recent cloud computing forum held in London by recruitment, training and advisory firm TPFL, during an exercise that involved selecting a solution for a theoretical CRM project, 0% of the room opted for an Oracle or SAP product. “We’re too used to being marketed to [by packaged software vendors],” said one IT manager, wondering why he had never heard of Salesforce.com.

But SaaS is not just about CRM and HR; the subscription model has been gaining particular traction in the security arena, with a significant number of end-user surveys conducted in North America, Europe and Asia-Pacific showing increasing interest in purchasing security through an ‘as-a-service’ delivery model, according to Gartner. Moreover, the analyst firm claims that “overall revenue growth through SaaS sales in security has been outpacing more traditional software product sales, particularly in areas such as message security and secure web gateway.”

Some security software vendors are certainly trying to follow the growth curve. “Of the total enterprise software market, 6% is [already] delivered by SaaS. When you narrow that down to security or data protection, SaaS is about 12% of the total market,” says James Palmer, SVP of strategy and business development at MessageLabs, the SaaS-based messaging security vendor. That company was bought in October 2008 for $695 million by security behemoth Symantec with just that trend in mind.

One reason for this evolution is that security can not only be delivered by the SaaS model, it complements it.

“There are general reasons why SaaS is attractive: it’s predictable, low cost, you get redundancy, continuity, platform independence… things that basically add up to it being simpler and cheaper,” says Palmer. “[But] that’s true pretty much for all SaaS industries. With messaging security, solving the problem with a SaaS solution is actually the best way of doing it, not just cheaper.”

He explains: “Up to 80% of all email is spam: if you can stop that in the cloud before it gets to the corporate network, then that’s a major improvement for the customer in terms of bandwidth and how much email they have to archive. MessageLabs and many of our competitors never set out to make a SaaS solution, we set out to find the best way to solve a business problem, and it happens to now be called SaaS.”

If SaaS security is rapidly gaining popularity through its potential to be not just an alternative to licensed software but a better model, then this puts even greater pressure on vendors hooked on licence revenues in the security space than in other sectors. Ultimately, that is a challenge SaaS is posing to the entire software industry, but the potential impact on the security sector goes far further.

Service, not security

“Let’s say you’re buying a cloud computing capability: desktop virtualisation,” suggests Art Coviello, CEO of RSA, the security arm of information infrastructure vendor EMC.

“You have a computer on your desktop, perhaps a smart terminal, and you authenticate yourself to the cloud infrastructure which will be a security application in some form. Your virtual desktop will at some level be protected from viruses; security will be built in and delivered for you. It won’t be part of an application that you buy separately,” he illustrates.

The concept of security being built into SaaS infrastructure carries a dramatic implication: it could radically cull the customer base of licence-reliant security vendors and perhaps even trim customers from subscription-reliant security players should SaaS adoption take off as predicted. If organisations begin basing their application layer in the cloud, or indeed their entire computing infrastructure, the industry’s core justification as an ‘add-on’ (a justification that has poured revenue into its coffers) could be under threat.

“Security is going to be bundled into the cloud computing infrastructure, and therefore the current security industry is going to drastically change,” predicts Philippe Courtot, CEO of SaaS-delivered vulnerability auditing firm Qualys and an early convert to cloud computing.

“If [the security industry] continues selling to end users they’re going to lose; they’ll have to [start] selling components to the cloud computing vendors. They’re not going to be able to extract as much margin, and the marketplace will be much more competitive because cloud vendors can switch [their technology out]. Moreover, many cloud vendors like open source, because it’s much more flexible and cheaper than proprietary software.”

Industry impact

At the last two RSA conferences, Coviello raised some eyebrows by declaring that “there will be no security industry in the future.”

“It’s not that security applications are necessarily going to go away, but more and more they are going to be embedded in the infrastructure,” he says.

That means the industry is going to see radical consolidation as software companies seek to integrate security into their products through acquisition, and Coviello points to RSA as an example of how the security company of the future will have to adapt and ally. “We’re a division of EMC. We build security functionality into EMC’s product line,” he explains.

Such a theme is evident in many recent acquisitions in the security sector. Aside from Symantec’s acquisition of MessageLabs, Google made its move early with the $625 million purchase of messaging security company Postini in mid-2007 – the latter case was a service provider buying a security company; the former a security company buying a service provider.

The upshot is that “there are fewer and fewer stand-alone security companies,” says Coviello. “McAfee and Checkpoint are the only pure play vendors of any size or scale [and] I think they will eventually partner with a bigger infrastructure company the way we did with EMC.

“What I am very confident of is that you won’t see any new companies rise up to take their place.”

Many security companies, sensing the winds of change, have begun investing heavily in a ‘security-as-a-service’ component to their products, although in many cases such as MessageLabs, the hosted service component (actual email provision) remains separate. Palmer, while acknowledging that the company is exploring which aspects of Symantec’s product set it can potentially offer online (such as backup and endpoint protection), is reluctant to suggest messaging security will ever be completely integrated into a hosted service.

“Only a very small percentage of the business community have email hosted in the cloud in the first place,” he says, predicting that as that number increases, “some people will be happy with the cheap and cheerful approach; the embedded email security functionality will be enough for them. But there will be people who want higher-grade email security and there will be nothing to stop them buying ours or our competitors’ email security solutions and using it with hosted email.”

Courtot thinks differently, holding up Google as an example of a company selling a hosted platform with integrated security.

“A lot of people say Google doesn’t understand enterprise mail. But in the future, Google will provide three grades of mail: the mail we know today, free for college students; enterprise grade for $50 per user, very reliable with a lot of functionality built in; and a military grade service which will allow customers to encrypt data at their facility. They can do that very easily, the cost for them is not much.”

Courtot’s point leads to an even bigger one: a cloud computing company like Google has the agility afforded by its infrastructure to quickly offer advanced security features – such as those offered by MessageLabs – as an ‘add-on’ and potentially at a heavy discount to even a subscription-based ‘security-only’ vendor. Certainly a large security incumbent, hooked on licence revenues, will be hard-pressed to adapt its business models and react with similar speed.

“The large security companies are serious about cloud computing,” says Courtot, but adds that what might appear as ‘the cloud’ to the user has to be based somewhere inside a very real, very expensive, high-bandwidth, highly available and ultra-secure data centre.

“[Building this infrastructure] takes much more time and is far more complex than many companies realise. If you want to deliver really sophisticated enterprise applications in the cloud, you have to build the supportive infrastructure and scale it to the size of the planet because you become accessible everywhere. It took Google, Amazon and Salesforce years. At Qualys, we’ve been at it for nine.”

But what impact will a wider adoption of the service model have on the security industry?

MessageLabs’ Palmer expects his company to work with a number of hosted email providers “to embed our service in theirs”.

Skills shift

The embedding of security into the infrastructure – particularly a cloud-based, SaaS infrastructure – has significant ramifications in terms of employment and skills for IT security staff accustomed to defending organisations at the application or even network level.

“For the security professional: if today you resist the movement into the cloud, you will become like a COBOL programmer,” warns Courtot.

“Conversely, if you embrace it, learn what it means and participate in securing the cloud – and not just about security, but compliance, privacy, legal issues – and become the person who will help companies move securely into the cloud, then you have a bright future.”

“It’s a huge opportunity for the security professional, but it’s almost a new job,” he adds. “Those who continue resisting will become obsolete quicker than they think. The movement to the cloud is accelerated by the current financial and economic conditions, which are forcing companies to rethink their business.”

Not everyone believes the future application landscape will be dominated by SaaS and cloud computing. Until certain issues are resolved, particularly those around data and access control and the portability of data stored in the cloud, there remain sound reasons for a company to hold certain types of data close to its chest. But whatever changes SaaS sweeps through the software industry, the security sector is likely to be at the forefront; as with messaging security, the model arguably makes better business sense than many proprietary, locally hosted alternatives.

However, the jury is out on whether it is enough for the incumbent security vendors to simply bring SaaS alternatives to market, or whether the mainstream adoption of these services – complete with their embedded security – will irrevocably reshape the sector’s competitive landscape.