
Security as a Service through Telcos and Service Providers

White Paper

January 2009


Table of Contents

Abstract
Introduction
Corporate Security management modes
Pros and cons of Security as a Service
Virtualization and multihost
Challenges of the corporate security
Optenet Solutions


Abstract

This document explains the different security management models for corporate environments, as well as the several ways in which service providers can deliver the security features their clients require. Lastly, it presents the solutions which Optenet offers to those providers in order to enable them to render security services by means of a Multihost model, with the relevant advantages.

Introduction

In recent years we have witnessed the creation and expansion of the software as a service distribution model, a model for distributing software applications that differs from the traditional models based on users owning the software, and which offers them important advantages.

This model of distributing and using software was initially linked to corporate applications, notably accounts management, clients and suppliers, administration of human and financial resources and human resources management. The message is crystal clear: allow the company to concentrate on its business while leaving the management of Information Technologies (IT) in expert and reliable hands.

This model is expanding to other IT services such as those related to security, especially perimeter security (basically firewalls and intrusion detectors and, increasingly these days, anti-spam, anti-virus and content filters, among others) and, in general, complete management of threats to the security of corporate information [1]. Gartner acknowledges the existence of a market with a considerable growth trend, as companies' technology managers understand that security technologies are mature enough to be available through outsourcing and that this model avoids the difficulties of finding and retaining qualified personnel in this area [2].

Gartner defines Security as a Service (SAAS) as “the security controls that are the property of, and are supplied and managed in a remote manner by, one or more providers. The provider supplies security features on the basis of a series of definitions and security technologies which are applied in a one-to-many model by means of a contract based on payment according to use or by means of a subscription according to the measurement of the service use” [3].

[1] Unified Threat Management (UTM).

[2] Bjarne Munch, Andrew Walls. Dataquest Insight: Providers Must Prepare Diligently Before Offering Managed Security Services. Gartner Dataquest, publication no. G00157099, 10 June 2008.

[3] John Pescatore, Kelly M. Kavanagh. Defining the Security-as-a-Service Market. Gartner Research, publication no. G00153213, 14 November 2007.


This definition stresses not only the managed nature of the service but also the fact that the service is provided by means of a common platform for a series of users, located outside the company and managed by the supplier. In particular, this implies that the service is little customized and that management of most of the service is in the hands of the service provider. Nevertheless, the company is responsible for the definition of policies, the assessment of incidents, etc.

Corporate Security management modes

Security as a Service is a non-exclusive corporate security management model. In other words, a company may choose which specific security services are to be rendered as a service while managing others internally with its own staff. Corporate security can be provided as follows:

• Security as a Service. In this case, there is complete outsourcing: the service is rendered remotely, managed by the supplier's staff and, most importantly, rendered in a very uniform manner for the group of user companies. It is a “one to many” model, where the service is similar for all users and needs little or no customization. Some examples of security services marketed in this way are the following:
  o Remote vulnerability assessment.
  o Protection against denial-of-service attacks.
  o Solutions for the security of e-mail messages, including anti-virus and anti-spam features.
  o Security of Web contents, which may include control of access to inappropriate contents and Web anti-virus.

• Security “in-the-cloud” (in the supplier). In the case of security, “in the cloud” offers are in fact reduced to those made by the Internet provider, and therefore their advantages and disadvantages are similar to those in the SaaS case, with the sole difference that the offer is limited to the products offered by the supplier.

• Managed Security. The security service is physically provided in the client's network, or from a centre owned by the security service provider. In either case, the provider's staff manage the operation of the service, normally from its Security Operations Centre (SOC), and the company's staff are only responsible for day-to-day software and hardware maintenance duties.

• External Hosting. The security feature belongs to the company and is managed by its staff, but the service is rendered remotely. This is quite normal when securing Web servers hosted at a service provider, where the security features of the server (from firewalls to access control) are managed by the company itself.

• Internal service. In this case, the company hosts the equipment, contracts the necessary software licenses (or uses free software), and does the installation, maintenance and management (rules and policies) with its own staff or with specialized staff recruited for that purpose. An example of the services normally managed in this way is the control of identities and of access to resources.

Figure 1: Customization according to types of software service.

In many cases, the border between the different modes of implementing security functions is subtle. For example, let's suppose that a security service provider markets an appliance [4], i.e., a high-performance machine which hosts a server providing a specific security service. A company may access that security service in many different ways:

• The company may purchase or lease the appliance, install it in its own network and manage it internally. In that case, we are talking about internal service.

• The company may purchase or lease the appliance and install it in its own network but contract a third party to administer the security application. In this case we are talking about managed security. The third party can place its own staff within the company.

• The company can use the appliance located in the operations centre of a third party other than its Internet access supplier. If the company's staff manage the whole service, we are talking about external hosting, whereas if the company relies on that third party to implement security policies we may be talking about two different cases. If the client is granted the software license, then we are talking about a managed service, and if the software is contracted according to use, it is Security as a Service.

• The company can use, either partially or totally, the appliance hosted at the Internet access supplier. This case is similar to the previous one, except that if the provider manages the service, it is either a service in the provider (marketed by license) or Security as a Service (according to consumption).

[4] This discussion is valid whether it refers to a traditional, i.e. physical, appliance or to a virtual appliance, i.e. a virtual machine with its own operating system and security functions, ready to be executed on a physical server.

Services provided remotely (except external hosting) include Security as a Service, security in the provider and, in some cases, managed security. They have the important advantage that it is possible to correlate the events of multiple clients (for example, in spam filtering) and to propose solutions which would not be feasible otherwise.

Finally, the response of the service provider to security incidents is limited in the contract (Service Level Agreement), and 24x7 service normally implies service costs which do not limit the main corporate operations.

To sum up, the characteristics which identify a product as Security as a Service are the following [5]:

• It is physically distributed and managed outside the organization which uses it.
• It belongs to an entity different from the organization which uses it.
• It is invoiced according to use or subscription.
• Physical and logistic resources are shared by different client organizations (one sole software instance renders service to multiple hosts).

This last feature is normally known as “multi-host” or “multi-tenant” and confers efficiency and profitability on the service. Therefore, it limits a priori the level of customization which can be achieved.

[5] Yefim V. Natis. Introducing SaaS-Enabled Application Platforms: Features, Roles and Futures. Gartner RAS Core Research Note G00150447, 14 August 2007.

Pros and cons of Security as a Service

In comparison with other security service models (especially the internal service), Security as a Service offers important advantages for the consumer:

• Less administrative responsibility – most of the responsibility is transferred to the provider.
• Fewer barriers to changing suppliers.
• Service Level Agreements – these agreements guarantee service levels which the company may not be able to provide internally.
• Horizontal scaling – more use means more cost, but always proportional.
• Redundancy – guaranteed by the provider.
• Less use of the existing infrastructure – as it is not necessary to dedicate servers to the contracted tasks.
• Lower ownership costs – the software license is not acquired; the provider acquires it and the company pays for the use.

There is an additional advantage when the provider of the service is the Internet provider or has access to great volumes of traffic. An increasingly common model for security applications is one in which an operator or Internet service provider hosts the application, installing software developed by a security products manufacturer. In this model, the role of the platform provider and that of the application provider match with the manufacturer of the security product. Most security services are overlaid on the network, and the operator is in the best position to guarantee the network for its clients. This is emphasized because the operator's position enables it to correlate security events on a large scale and to limit the scope of problems such as massive intrusions or denial-of-service attacks.

Nevertheless, Security as a Service also has its disadvantages:

• Less visibility for the resolution of problems – most of the operation is remote and in the hands of third parties.
• International regulations – some laws may set limits, like those affecting National Security and encryption in the US. (This type of problem is solved through the use of local service providers.)


We should add to these limitations those intrinsic to the provider of the service. The provider has to guarantee certain levels of service at a reasonable cost and in an increasing manner; therefore it has to create a complex and delicate business model. On the other hand, the provider gains in terms of the profitability of its own equipment and staff, being able to share everything among different clients.

Virtualization and multihost

When the applications provider of Software as a Service designs the underlying working platform, it has two opposite options:

• To make use of server virtualization, which consists of a series of virtual servers on the same hardware machine, so that each server can serve a client in an isolated manner. A software instance which implements the proposed service is installed in each virtual machine.
• To implement a multihost platform, in which the physical machine supports several clients with one sole software instance, which implements the service.

Each option has its advantages and disadvantages:

In the case of virtual servers, each client implies one or more virtual servers, which, by default, use certain extra criteria for each virtual machine. In relation to efficiency and scalability, the multihost option enables optimization of physical resources in a more precise way, instead of in big groups.

Each virtual server has an effective data isolation capacity, so it is possible to guarantee security among the different clients served by the same physical machine relatively easily. In addition, this can be achieved while maintaining the capacity to correlate events at the network level, because all clients continue sharing the same physical network. In the case of multihost systems, it is necessary to design the application so that a client with bad intentions cannot access other clients' servers from the same machine, although it is possible to achieve this using the relevant programming and encryption techniques.

If one virtual machine renders a service to one sole client, it is possible to install in it exclusively the services necessary for that specific client and to adapt them to its specific needs, achieving a high level of customization. This level of customization is more difficult to achieve in the case of multihost systems, as they imply the combination of a license system (to guarantee that each client accesses the suitable features) with a highly adaptable user interface (which admits dynamic redesign by the clients).

In order to guarantee good quality of service and to manage “payment according to use” invoicing, it is crucial to forward operation reports not only at the client's level but also at the supplier's level. Multihost platforms incorporate this capacity in a practically implicit manner.
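A minimal sketch of the multihost design described in the three paragraphs above, added here as an illustration and not Optenet's code: one instance serves every tenant, a per-tenant HMAC key (a standard-library stand-in for the encryption the text mentions) binds each stored policy to its owner, a license table gates features, and one usage counter feeds both client and supplier reports. All class, function and tenant names are hypothetical, and the tenant id is assumed to be authenticated upstream.

```python
import hashlib
import hmac
from collections import Counter

MASTER_KEY = b"constructed-demo-key"  # assumption: secret held only by the provider


class TenantIsolationError(Exception):
    """A stored record is not bound to the tenant it was loaded for."""


def _tag(tenant_id, body):
    # Per-tenant key derived from the provider secret (HMAC used as the KDF).
    key = hmac.new(MASTER_KEY, b"tenant:" + tenant_id.encode(), hashlib.sha256).digest()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def seal(tenant_id, categories):
    # Store the policy together with a tag only this tenant's key can produce.
    body = ",".join(sorted(categories)).encode()
    return {"body": body, "tag": _tag(tenant_id, body)}


class MultihostFilter:
    """One software instance; every lookup is scoped by tenant id."""

    def __init__(self):
        self._policies = {}      # tenant id -> sealed policy record
        self._licenses = {}      # tenant id -> licensed features
        self._usage = Counter()  # (tenant id, feature) -> billable requests

    def provision(self, tenant_id, features, blocked_categories):
        self._licenses[tenant_id] = frozenset(features)
        self._policies[tenant_id] = seal(tenant_id, blocked_categories)

    def _policy(self, tenant_id):
        record = self._policies[tenant_id]
        # Refuse any record whose tag was not made with this tenant's key.
        if not hmac.compare_digest(_tag(tenant_id, record["body"]), record["tag"]):
            raise TenantIsolationError(tenant_id)
        return set(filter(None, record["body"].decode().split(",")))

    def check(self, tenant_id, feature, category):
        if feature not in self._licenses.get(tenant_id, frozenset()):
            raise PermissionError(f"{tenant_id} is not licensed for {feature}")
        verdict = "block" if category in self._policy(tenant_id) else "allow"
        self._usage[(tenant_id, feature)] += 1  # metered only when served
        return verdict

    def client_report(self, tenant_id):
        return {f: n for (t, f), n in self._usage.items() if t == tenant_id}

    def supplier_report(self):
        totals = Counter()
        for (tenant_id, _), n in self._usage.items():
            totals[tenant_id] += n
        return dict(totals)


def run_demo():
    svc = MultihostFilter()
    # Constructed tenants and policies, for illustration only.
    svc.provision("tenant-a", {"web_filter"}, {"gambling"})
    svc.provision("tenant-b", {"web_filter", "antispam"}, {"social"})
    out = [svc.check("tenant-a", "web_filter", "gambling"),
           svc.check("tenant-b", "web_filter", "gambling")]
    # Simulated storage bug: tenant-a's record is served for tenant-b.
    svc._policies["tenant-b"] = svc._policies["tenant-a"]
    for tenant, feature in [("tenant-a", "antispam"), ("tenant-b", "web_filter")]:
        try:
            out.append(svc.check(tenant, feature, "social"))
        except (PermissionError, TenantIsolationError) as exc:
            out.append(type(exc).__name__)
    return out, svc.client_report("tenant-a"), svc.supplier_report()
```

Calling `run_demo()` shows the same category blocked for one tenant and allowed for another, the unlicensed feature refused, and the misplaced record rejected instead of being applied to the wrong client.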


In general, we can assert that the multihost model is more complex, in the sense that it requires a carefully designed platform, but it is clearly more flexible, efficient and scalable.

Customization capacity is the aspect which in practice governs many of the decisions taken within the Software as a Service scope. Multihost platforms are suited to rendering a similar service to many clients, a low-customization model which has been called “one-to-many” and which is being kept for small and medium clients and for home users. When it comes to rendering a service to a big corporation with very specific needs, a model based on virtual machines with highly customized services installed is frequently chosen, a model called “one-to-one”. The main challenge that multihost platforms face is to render high levels of customization, which requires a careful and flexible design. Obviously, in the case of corporate security, this aspect is absolutely fundamental.

Challenges of the corporate security

The advent of Security as a Service implies an important change of perspective. Not only is the security function important in itself, but so are how it is delivered to the client and its cost. Bearing these points in mind, it is possible to think about the challenges that the security service provider has to face in order to provide its clients with a service of the highest quality, in the most profitable way for both parties.

Given the above, the main challenge is to provide the client with remote services that are flexibly managed, highly customized and comprehensive, in a manner that is profitable and highly scalable for the supplier and that supports large databases of users. We will now study these aspects one by one:

Customization. Security as a Service is normally understood as a “one to many” service, which implies that one general function (e.g. anti-spam) is rendered to several clients in a standard manner with very little customization. Sometimes it is possible to cover wide user segments with a minimum configuration for each of them, as in the case of spam mail filtering. Nevertheless, other services can require greater customization. For example, in the case of Web contents filtering, it is necessary to establish in detail what is blocked, when and for whom.

Remote services, flexibly managed. It is possible to have the security function available remotely, so that administration costs can be reduced. Aspects relating to low-level administration (hardware, support software) are especially important and have to remain in the hands of the service, and it is desirable that high-level services (definition and implementation of policies) can remain in the hands of the company.

Comprehensive solutions (UTM). Although it is possible to have mixed models, comprehensive security models (firewalls, intrusion detectors, denial-of-service attacks, email and Web antivirus, antispam, Web contents filtering, etc.) present more profitable scenarios for the supplier as well as for the client. The client benefits from multitask administration systems (one single interface), lower costs related to use and one single figure as regards security. The provider can correlate security events and render higher quality services, it can market new services such as aggregated offers, and it can scale its equipment and staff in a more profitable and uniform way. Currently, very few complete solutions are offered, and most of the time in a managed manner, using multi-manufacturer software with high costs due to the complexity of the management.

High scalability. The most commonly used solutions, based on virtualization, offer scalability possibilities normally limited to one or two services (e.g. virtual firewalls). The challenge is to achieve multiservice horizontal scalability within the provider itself, with the capacity to add resources in a simple, nearly automatic way, following the growth of the client database. The technologies which can support the level of scalability required are parallelization technologies, which make it possible to implement one function in a distributed manner without having to worry at each moment about which server is doing the processing for a specific client.

Profitable administration. The management of hundreds or thousands of clients already leads to high costs in terms of hardware and also in terms of staff. Physical administration can also be done profitably with specialized staff, but it is extremely complex to render comprehensive solutions with multi-manufacturer hardware, as it is necessary to have experts not only in the functions but also in the applications used. The challenge is to provide one sole administration not only for the client but also for the service supplier, which can scale its administrative staff horizontally with clients by means of training in one sole, comprehensive solution. The combination of parallelization technologies with central administration allows maximum scalability, as in practice software, hardware and data are decoupled. In other words, new clients imply new machines, but it is not necessary to decide which machine renders services to which client (central administration), and it is not necessary to contract or train more staff.

Coverage of large databases of users. Although it is clear that there are clients of different sizes (e.g. micro-SMEs vs. multinationals), all of them with different requirements, it is desirable to give the solutions the flexibility necessary to satisfy all of them. Therefore, it is necessary to offer comprehensive solutions which allow maximum decentralization of the company's activity and which hide administration details at will. For big clients, the solution has to cover multiple headquarters with business profiles independent of location (e.g. the financial department is distributed across several headquarters), management of virtual private networks, coverage of mobile workers (with policies which apply independently of the connection site), etc. Such services can be rendered as security in an especially profitable manner for the supplier. At the same time, administration should be flexible enough to hide tasks that are not required or are too complex. As a consequence, interfaces of different complexity have to be offered to users, for different types of clients, but customizable in all cases. If such coverage is achieved, profitability in the service and the business model are guaranteed.


To sum up, companies and security providers demand security software systems which:

• Propose global security solutions (UTM) from one sole manufacturer.
• Achieve an effective decoupling between hardware, software and data, which enables maximum levels of scalability and flexibility.
• Are highly customizable and adaptable to the clients' needs.

A software product or appliance with these features offers the highest development opportunities at the level of the Internet access supplier, which can present offers covering both access and protection in a unified way. Once located at the access supplier, it can offer coverage to residential users, micro-SMEs, small and medium companies or large transnational corporations, both autonomously and, in the case of bigger clients, managed.

Optenet Solutions

Each of the security as a service models offers several advantages and disadvantages, either for the client or for the supplier. Among all SaaS models, the Multihost model is the one with the most flexible format, as it enables the supplier to perform all maintenance and administration duties, which implies lower operation costs that can be transferred to clients.

Providers of these services will find within the range of Optenet products easily scalable solutions with which they can offer their clients state-of-the-art technology in security services for electronic messaging, security and Web filtering.

OPTENET SA

José Echegaray nº 8. Edificio 3, 1ª Planta, módulo 1.

Parque empresarial Alvia - 28230 Las Rozas. Madrid (SPAIN)

Tel.: +34 902 154 604 Fax: +34 913 575 433

Web: www.optenet.com

Optenet is a global IT security company that provides high-performance security solutions to service providers and large enterprises worldwide. Optenet’s technology protects 75 million end users around the globe, including the customers of many of the world’s leading ISPs and mobile operators, as well as employees of global enterprise organizations. The Company is a socially conscious organization, committed to eliminating illegal content on the Internet, protecting children and supporting government agencies and non-profit organizations that share the same goal.

For more information, visit www.optenet.com 

Copyright © 2009 Optenet