Security as a Service – What’s Inside Counts

Verisign Masters of Internet Infrastructure

This week I’m writing about cloud-based security services, or Security as a Service (SECaaS). What’s great about SECaaS—like SaaS—is that it's delivered as a service with typically no on-premises gear required. In addition, it’s generally pay as you go, and it's elastic. What is not so great about SECaaS is that it can be difficult to figure out whether the provider will deliver a secure, reliable and scalable service. This is especially true when you consider that the barriers to entry for turning up such a service are relatively low.

So how do you know you’re going with the right provider? Our recommendation is to first make sure the SECaaS offering matches the distributed nature of the enterprise. It’s a multi-dimensional analysis covering four dimensions: broad coverage matching the enterprise footprint; regional focus to deliver high performance; localization to match unique language and jurisdictional compliance requirements; and the delivery of Confidentiality, Integrity and Availability (C-I-A) across the other three dimensions.

It’s a fairly straightforward process to determine whether the provider's coverage matches your global footprint. What isn’t easy to figure out is whether the provider will meet your C-I-A requirements. Most SECaaS providers stand behind SAS-70 II audits as the gold standard of Confidentiality, Integrity and Availability. A SAS-70 II audit attests that the controls in place meet the requirements they were intended to meet and have been operating over a period of time (typically six months). Yet SAS-70 merely evaluates the provider's controls against the provider's own goals; it is not an objective assessment of whether those controls are sufficient.

What’s needed is a look under the SECaaS provider’s hood. Truly assessing the provider’s capabilities requires careful analysis of at least the following criteria: physical infrastructure, system architecture, security process layer, and management layer. Only through this type of careful analysis will you really know if the provider is going to meet your objectives.

Copyright © 2011 IDG Communications, Inc.