There is a sea change underway in the managed security services marketplace. This change is from a premises-based model to a cloud-based one. The traditional managed security services model works like this. An organization that does not have the resources or desire to manage its own security devices will contract with a managed security services provider (MSSP) to do it for them. Taking the firewall as an example, the MSSP places a firewall at the customer premises, configures and manages it remotely for the customer in exhange for a monthly fee. The customer does not have to purchase any hardware or software, perform any maintenance, or manage it in any way. They may receive periodic reports or may be contacted in the event of a fault, but for the most part they are happy knowing this part of their network security is being managed for them.
There are several problems with this type of premises-based service:
To address these issues, MSSPs have begun moving their security services into the cloud. This means that there is no need to place any hardware at the customer site. Turn-up is usually quick and painless which is a positive for the customer as well. An early example of a cloud-based security service is email anti-virus and anti-spam. Several vendors, such as Postini, route customer email through their network where it is scanned and cleaned before being routed to the customer. This same model is being used by companies such as ScanSafe who proxy their customers’ web traffic through their networks and perform AV scanning, URL filtering, anti-phishing and other security services on behalf of their customers.
But most of these companies have been focused on a single service such as anti-spam or anti-virus. And now ISPs have begun to realize that they can provide these services as well. In fact, many of the largest ISPs on the planet also provide premises-based security services and they see a huge market for cloud-based services. If they are already providing Internet services to a customer, why not also protect their traffic? Need a firewall, we can do that. Need IDS, we got that. URL filtering? No problem. For the customer it is seemless. And for the ISP it is additional revenue with little additional cost. This transition is already underway. Expect to see more and more cloud-based security services being offered from ISPs in the very near future.