Shared computing services have come full circle. What was once known as “time sharing” was necessary due to the high cost of computing. As mini-computers took over, traditional software companies began to offer their applications over the Internet as Application Service Providers. This gave way to Software as a Service, Managed Service Providers, and now Cloud Computing. The names have changed, but the business case has remained constant: a vendor provides management of computers and software so that its customers can focus on their core businesses. For the customer, the result is a lower capital cost, accelerated time to value, and predictable operating expenses.
The model makes sense. If a central organization can manage its specialized software and the required hardware, its customers’ lives are simplified. We’ve seen successful models across markets, including Salesforce.com, DemandWare, NetSuite and Ultimate Software. Security offerings trailed the market, though they are catching up; Veracode and Qualys provide cloud security services exclusively.
The argument against using third parties for security has centered on control. Some organizations believe that having the tools reside on premises and be operated by full-time employees provides the most reliable model. More importantly, they don’t want their security information (often vulnerabilities in unpatched infrastructure or applications) “in the cloud.”
In most cases, a stronger argument is to leverage the resources and expertise of a trusted partner/vendor. Security resources are scarce in every organization. Learning to use a security tool properly, whether in configuring it or analyzing the results, requires specialized skills. Recently, this has driven the market for web application penetration testing by scores of security service vendors. A good managed service model will provide 24x7 monitoring and timely alerts. Just as important, it can provide the appropriate contextual and actionable information for internal teams.
If running the software yourself is impractical and outsourcing the responsibility is undesirable, a third model is emerging: on-premises hosting of the software and hardware. In this model, the vendor supplies and manages the hardware and software up to the application level, while the customer runs the application itself. All management and results remain with the customer, but IT responsibilities remain with the vendor. This "best of both worlds" approach allows organizations with available security bandwidth to manage their own security software without burdening IT with supporting another application. Up-front capital expenses are minimized and concerns about third parties accessing sensitive data are eliminated.