8/4/2019 Whitepaper SaaS
http://slidepdf.com/reader/full/whitepaper-saas 1/11
Security as a Service through
Telcos and Service Providers
White Paper
January 2009
Security as a Service through Telcos and Service Providers White Paper
Optenet 2
Table of Contents

Abstract
Introduction
Corporate security management modes
Pros and cons of Security as a Service
Virtualization and multihost
Challenges of corporate security
Optenet Solutions
Abstract

This document explains the different security management models for corporate environments and the several forms in which service providers can deliver the security functions their clients require. Finally, it presents the solutions Optenet offers to those providers so that they can deliver security services under a multihost model, with the advantages that model brings.
Introduction

In recent years we have witnessed the creation and expansion of the software as a service distribution model, a model for distributing software applications that differs from all traditional models based on the user owning the software, and which offers users important advantages.
This model for distributing and using software was initially tied to corporate applications, in particular accounting, customer and supplier management, and financial and human resources management. The message is crystal clear: let the company concentrate on its business while leaving the management of Information Technology (IT) in expert, reliable hands.
The model is now expanding to other IT services, including those related to security, especially perimeter security (essentially firewalls and intrusion detection, and increasingly anti-spam, anti-virus and content filtering, among others) and, more generally, the complete management of threats to corporate information security [1]. Gartner acknowledges a market with a considerable growth trend as those responsible for technology in companies come to understand that security technologies are mature enough to be delivered through outsourcing, and that this model avoids the difficulty of finding and retaining qualified personnel in this area [2].
Gartner defines Security as a Service (SaaS) as "security controls owned, delivered and managed remotely by one or more providers. The provider delivers security functionality on the basis of a set of security definitions and technologies, applied in a one-to-many model under a contract based on pay-per-use or on a subscription tied to measured use of the service" [3].
[1] Unified Threat Management (UTM).
[2] Bjarne Munch, Andrew Walls. Dataquest Insight: Providers Must Prepare Diligently Before Offering Managed Security Services. Gartner Dataquest, publication no. G00157099, 10 June 2008.
[3] John Pescatore, Kelly M. Kavanagh. Defining the Security-as-a-Service Market. Gartner Research, publication no. G00153213, 14 November 2007.
This definition stresses not only the managed nature of the service but also the fact that it is delivered through a common platform, for a set of client organizations located outside the provider, and managed largely by the provider. In particular, this implies that the service is customized very little and that most of its management is in the hands of the service provider. Nevertheless, the client company remains responsible for defining policies, assessing incidents, and so on.
Corporate security management modes

Security as a Service is not an exclusive corporate security management model. In other words, a company may choose which specific security services are to be consumed as a service while managing others internally with its own staff. Corporate security can be provided in the following ways:
- Security as a Service. This is complete outsourcing: the service is delivered remotely, managed by the provider's staff and, most importantly, delivered in a very uniform manner to the whole set of client companies. It is a "one-to-many" model, where the service is the same for all users and needs little or no customization. Some examples of security services marketed in this way:
  o Remote vulnerability assessment.
  o Protection against denial-of-service attacks.
  o E-mail security, including anti-virus and anti-spam.
  o Web content security, which may include control of access to inappropriate content and Web anti-virus.
- Security "in the cloud" (at the provider). In the case of security, "in the cloud" offerings in practice reduce to those made by the Internet access provider, so their advantages and disadvantages are similar to those of the SaaS case, with the sole difference that the offer is limited to the products the access provider carries.
- Managed security. The security service is physically provided in the client's network or from a centre owned by the security service provider. In either case, the provider's staff manage the operation of the service, normally from its Security Operations Centre (SOC), and the client company's staff are responsible only for day-to-day software and hardware maintenance.
- External hosting. The security function belongs to the company and is managed by its staff, but the service runs remotely. This is quite common when securing Web servers hosted at a service provider, where the server's security functions (from firewalls to access control) are managed by the company itself.
- Internal service. The company hosts the equipment, contracts the necessary software licenses (or uses free software), and performs installation, maintenance and management (rules and policies) with its own staff or with specialized staff recruited for that purpose. An example of a service normally managed this way is identity and access control.

Figure 1: Customization according to the type of software service.

In many cases the border between the different modes of implementing security functions is subtle. For example, suppose a security vendor markets an appliance (the discussion holds for a traditional, physical appliance and for a virtual appliance alike, i.e. a virtual machine with its own operating system and security functions, ready to run on a physical server), that is, a high-performance machine hosting a server that provides a specific security service. A company may access that security service in several different ways:
- The company may purchase or lease the appliance, install it in its own network and manage it internally. In that case we are talking about internal service.
- The company may purchase or lease the appliance and install it in its own network, but contract a third party to administer the security application. In this case we are talking about managed security; the third party may place its own staff on the company's premises.
- The company may use the appliance located in the operations centre of a third party other than its Internet access provider. If the company's own staff manage the whole service, we are talking about external hosting; if the company relies on that third party to implement its security policies, there are two possible cases: if the client holds the software license it is a managed service, and if the software is contracted on a per-use basis it is Security as a Service.
- The company may use, partially or totally, an appliance hosted at its Internet access provider. This case is similar to the previous one, except that when the provider manages the service it is either a service at the provider (sold under license) or Security as a Service (sold per use).
Remotely delivered services (all except external hosting, i.e. Security as a Service, security at the provider and in some cases managed security) have the important advantage that events from multiple clients can be correlated (for example in spam filtering), making possible responses that would not otherwise be feasible. Finally, the provider's response to security incidents is bounded by the contract (the Service Level Agreement), and 24x7 service normally carries costs that are not a constraint on the main corporate operations.
To sum up, the characteristics that identify a product as Security as a Service are the following [5]:
- It is physically located and managed outside the organization that uses it.
- It belongs to an entity other than the organization that uses it.
- It is invoiced per use or by subscription.
- Physical and logical resources are shared by different client organizations (a single software instance serves multiple hosts).
[5] Yefim V. Natis. Introducing SaaS-Enabled Application Platforms: Features, Roles and Futures. Gartner RAS Core Research Note G00150447, 14 August 2007.
This last feature is normally known as "multi-host" or "multi-tenant". It gives the service its efficiency and profitability, but by the same token it limits a priori the level of customization that can be achieved.
Pros and cons of Security as a Service

Compared with the other security service models (especially the internal service), Security as a Service offers the consumer important advantages:
- Less administrative responsibility: most of it is transferred to the provider.
- Lower barriers to changing suppliers.
- Service Level Agreements: these guarantee service levels that the company may not be able to provide internally.
- Horizontal scaling: more use means more cost, but always in proportion.
- Redundancy, guaranteed by the provider.
- Less use of existing infrastructure, as no servers need to be dedicated to the contracted tasks.
- Lower cost of ownership: the company does not buy the software license; the provider buys it and the company pays for use.
There is an additional advantage when the service provider is the Internet provider or otherwise has access to large volumes of traffic. An increasingly common model for security applications is one in which an operator or Internet service provider hosts the application, installing software developed by a security product manufacturer. In this model the operator acts as platform provider and the manufacturer of the security product as application provider. Most security services sit in the network path, and the operator's position is the best one from which to protect the network for its clients. This matters because the operator's position makes it possible to correlate security events on a large scale and to contain problems such as massive intrusions or denial-of-service attacks.
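The cross-client correlation described above (and in the spam-filtering remark earlier) is the one capability a tenant cannot reproduce on its own. The following Python is an added example, not code from the Optenet paper or any Optenet product: it runs a sliding window over one constructed event stream shared by several client organizations and flags a source that no single client would have flagged. Tenant names, addresses, timestamps and the thresholds are all constructed assumptions.

```python
# Added example, not code from the Optenet paper: correlating one event stream
# across several client organisations ("tenants") at the provider.
# Tenant names, addresses and timestamps below are constructed sample data.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, tenant, source address, event type).
# No single tenant sees more than one event from 203.0.113.7, so none of them
# would flag it alone; the provider, seeing all tenants, can.
SAMPLE_EVENTS = [
    ("2009-01-12T09:00:05", "acme",     "203.0.113.7",  "smtp_spam"),
    ("2009-01-12T09:00:41", "globex",   "203.0.113.7",  "smtp_spam"),
    ("2009-01-12T09:01:10", "initech",  "203.0.113.7",  "smtp_spam"),
    ("2009-01-12T09:02:55", "umbrella", "203.0.113.7",  "smtp_spam"),
    ("2009-01-12T09:03:00", "acme",     "198.51.100.2", "smtp_spam"),
    ("2009-01-12T09:10:00", "globex",   "198.51.100.2", "smtp_spam"),
    ("2009-01-12T15:00:00", "initech",  "192.0.2.9",    "smtp_spam"),
    ("2009-01-12T15:30:00", "initech",  "192.0.2.9",    "smtp_spam"),
]

def parse_events(rows):
    """Turn the string rows into (datetime, tenant, source, kind) tuples."""
    return [(datetime.fromisoformat(ts), tenant, src, kind)
            for ts, tenant, src, kind in rows]

def correlate_sources(events, kind="smtp_spam",
                      window=timedelta(minutes=15), min_tenants=3):
    """Flag sources seen at >= min_tenants distinct tenants within `window`.

    Events are processed in time order; per source we keep the recent
    (timestamp, tenant) pairs and drop those that fell out of the window.
    Returns {source: (time first flagged, sorted tenants seen at that time)}.
    """
    recent = defaultdict(list)
    flagged = {}
    for ts, tenant, src, ev_kind in sorted(events):
        if ev_kind != kind:
            continue
        hist = recent[src]
        hist.append((ts, tenant))
        while hist and ts - hist[0][0] > window:
            hist.pop(0)
        tenants = {t for _, t in hist}
        if len(tenants) >= min_tenants and src not in flagged:
            flagged[src] = (ts, sorted(tenants))
    return flagged

def tenant_view(events, tenant, src):
    """What one tenant can see on its own: only its own events for a source."""
    return [e for e in events if e[1] == tenant and e[2] == src]

if __name__ == "__main__":
    hits = correlate_sources(parse_events(SAMPLE_EVENTS))
    for src, (when, tenants) in hits.items():
        print(f"{src} flagged at {when:%H:%M:%S} after hitting {tenants}")
```

With the sample data, 203.0.113.7 is flagged at the third tenant it touches, while 198.51.100.2 (two tenants) and 192.0.2.9 (one tenant, twice) are not; lowering `min_tenants` to 2 also catches the second source. The same loop applies to any per-source signal a provider sees for all its clients, such as authentication failures or denial-of-service probes.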
Nevertheless, Security as a Service also has its disadvantages:
- Less visibility when resolving problems: most of the operation is remote and in the hands of third parties.
- International regulation: some laws may impose limits, such as those affecting national security and encryption in the US. (This type of problem is solved by using local service providers.)
To these limitations we should add those intrinsic to the service provider. The provider has to guarantee given service levels at a reasonable cost, and do so as the client base grows, so it has to build a complex and delicate business model. In return, the provider gains in profitability from its own equipment and staff, since it can share all of them among different clients.
Virtualization and multihost

When a Software as a Service application provider designs the underlying platform, it has two opposite options:
- To use server virtualization: a series of virtual servers on the same physical machine, such that each virtual server serves one client in isolation. In each virtual machine a software instance implementing the service is installed.
- To implement a multihost platform, in which the physical machine supports several clients with a single software instance implementing the service.
Each option has advantages and disadvantages. With virtual servers, each client requires one or more virtual servers, each of which carries a certain overhead. In terms of efficiency and scalability, the multihost option allows physical resources to be allocated with finer granularity rather than in large blocks.
Each virtual server provides effective data isolation, so security between different clients served by the same physical machine is relatively easy to guarantee. In addition, this is achieved while keeping the capacity to correlate events at the network level, because all clients continue to share the same physical network. In multihost systems, by contrast, the application itself must be designed so that a malicious client cannot reach other clients' services on the same machine; this is achievable with the appropriate programming and encryption techniques.
If a virtual machine serves a single client, it is possible to install in it only the services that client needs and to adapt them to its specific requirements, achieving a high level of customization. This level of customization is harder to reach in multihost systems, since it requires combining a licensing system (to guarantee that each client has access to the appropriate features) with a highly adaptable user interface (one that allows dynamic reconfiguration by the clients).
In order to guarantee good quality of service and to bill "pay per use", it is crucial to produce operational reports not only at the client level but also at the provider level. Multihost platforms incorporate this capacity almost implicitly.
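Two of the points above, that a single-instance platform must itself prevent one client from reaching another's data, and that it meters use per client and in aggregate almost for free, can be shown in a few lines. The following Python is an added example, not Optenet's code: a toy multi-tenant policy store with a deliberately unsafe lookup that trusts a client-supplied identifier, the tenant-scoped lookup that replaces it, and a per-tenant usage counter. Tenant names, policy identifiers and the shape of a policy are constructed assumptions.

```python
# Added example, not Optenet's code: tenant isolation and usage metering in a
# single-instance (multihost / multi-tenant) security service. Tenant names,
# policy identifiers and the shape of a "policy" are constructed assumptions.
from collections import Counter

class TenantIsolationError(Exception):
    """Raised when a session asks for a policy that is not its tenant's."""

class MultiTenantService:
    """One software instance serving several client organisations.

    Policies are keyed by (tenant, policy_id). The tenant always comes from the
    authenticated session, never from the request, so one client cannot reach
    another client's configuration by guessing an identifier.
    """

    def __init__(self):
        self._policies = {}      # (tenant, policy_id) -> policy dict
        self._usage = Counter()  # tenant -> billable requests (pay per use)

    def put_policy(self, session_tenant, policy_id, policy):
        self._policies[(session_tenant, policy_id)] = dict(policy)

    def get_policy_unsafe(self, policy_id):
        """Vulnerable lookup: trusts a global identifier taken from the request.

        Any tenant that knows or guesses another tenant's policy id gets it.
        Kept here only to contrast with get_policy().
        """
        for (_tenant, pid), policy in self._policies.items():
            if pid == policy_id:
                return policy
        raise KeyError(policy_id)

    def get_policy(self, session_tenant, policy_id):
        """Hardened lookup: the key includes the session's tenant, so another
        tenant's identifier simply does not exist from this session's view."""
        try:
            return self._policies[(session_tenant, policy_id)]
        except KeyError:
            raise TenantIsolationError(
                f"tenant {session_tenant!r} has no policy {policy_id!r}") from None

    def can_access(self, session_tenant, policy_id):
        """True if the hardened lookup resolves for this session."""
        try:
            self.get_policy(session_tenant, policy_id)
            return True
        except TenantIsolationError:
            return False

    def filter_request(self, session_tenant, policy_id, url_category):
        """Apply the tenant's own Web-filter policy and meter the request.
        Returns True if the request is allowed."""
        policy = self.get_policy(session_tenant, policy_id)
        self._usage[session_tenant] += 1
        return url_category not in policy["blocked_categories"]

    def usage_report(self):
        """Per-tenant counts for the client invoices plus the provider total."""
        return {"per_tenant": dict(self._usage),
                "total": sum(self._usage.values())}

if __name__ == "__main__":
    svc = MultiTenantService()
    svc.put_policy("acme", "default", {"blocked_categories": {"gambling"}})
    svc.put_policy("globex", "pol-42", {"blocked_categories": set()})
    print("unsafe lookup from acme's session:", svc.get_policy_unsafe("pol-42"))
    print("hardened lookup from acme's session:", svc.can_access("acme", "pol-42"))
```

The design point is that the tenant is part of every key and is taken from the authenticated session, so there is no code path in which a request parameter alone selects the row; the metering falls out of the same single entry point through which every request already passes.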
In general, we can say that the multihost model is more complex, in that it requires a carefully designed platform, but it is clearly more flexible, efficient and scalable.
Customization capacity is the aspect that in practice governs many of the decisions taken in the Software as a Service field. Multihost platforms are suited to delivering a similar service to many clients, a low-customization model that has been called "one-to-many" and that is being reserved for small and medium clients and for home users. When it comes to serving a large corporation with very specific needs, a model based on virtual machines, on which highly customized services are installed, is frequently chosen instead; this model is called "one-to-one". The main challenge facing multihost platforms is to deliver high levels of customization, which requires a careful and flexible design. In the case of corporate security, obviously, this aspect is fundamental.
Challenges of corporate security

The advent of Security as a Service implies an important change of perspective. Not only is the security function important in itself, but so are how it is delivered to the client and at what cost. Bearing this in mind, it is possible to lay out the challenges a security service provider has to face in order to give its clients a service of the highest quality, in the most profitable way for both parties.
Given the above, the main challenge is to provide clients with services that are remote, flexibly managed, highly customized and comprehensive, delivered profitably, highly scalable for the provider, and able to support very large user bases. We now look at these aspects one by one:
Customization. Security as a Service is normally understood as a "one-to-many" service, meaning that one general function (e.g. anti-spam) is delivered to several clients in a standard way with very little customization. Sometimes wide user segments can be covered with a minimal configuration for each of them, as in spam filtering. Other services, however, may require much more customization. In Web content filtering, for example, it is necessary to establish in detail what is blocked, when, and for whom.
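What a "what, when, for whom" rule set looks like for one client can be made concrete. The following Python is an added example, not the paper's or Optenet's own filtering engine: a small rule type carrying URL categories (what), user groups (whom) and a weekday/time window (when), evaluated first-match-wins against one constructed tenant policy. Category names, group names and the schedule are assumptions made for illustration.

```python
# Added example, not from the paper: a per-tenant Web-filtering rule set that
# states what is blocked, for whom and when. Categories, groups and schedules
# are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class Rule:
    categories: frozenset                   # what: URL categories covered
    groups: frozenset                       # whom: user groups ("*" = everyone)
    days: frozenset = frozenset(range(7))   # when: weekdays, Monday = 0
    start: time = time(0, 0)                # when: window start (inclusive)
    end: time = time(23, 59, 59)            # when: window end (inclusive)
    action: str = "block"                   # "block" or "allow"

def rule_matches(rule, category, user_groups, when):
    """True if the rule applies to this category, user and moment."""
    if category not in rule.categories:
        return False
    if "*" not in rule.groups and rule.groups.isdisjoint(user_groups):
        return False
    if when.weekday() not in rule.days:
        return False
    return rule.start <= when.time() <= rule.end

def decide(rules, category, user_groups, when, default="allow"):
    """First matching rule wins, so order rules from specific to general."""
    for rule in rules:
        if rule_matches(rule, category, user_groups, when):
            return rule.action
    return default

def decide_at(rules, category, user_groups, iso_when):
    """Convenience wrapper taking an ISO 8601 timestamp string."""
    return decide(rules, category, frozenset(user_groups),
                  datetime.fromisoformat(iso_when))

WORKDAYS = frozenset(range(5))

# Constructed policy for one tenant: social media is blocked for staff during
# office hours on workdays but always allowed for the marketing group;
# gambling and malware categories are blocked for everyone at all times.
TENANT_RULES = (
    Rule(frozenset({"social"}), frozenset({"marketing"}), action="allow"),
    Rule(frozenset({"social"}), frozenset({"staff"}), WORKDAYS,
         time(9, 0), time(18, 0)),
    Rule(frozenset({"gambling", "malware"}), frozenset({"*"})),
)

if __name__ == "__main__":
    # 2009-01-12 is a Monday; 2009-01-17 is a Saturday.
    for cat, groups, when in [("social", {"staff"}, "2009-01-12T12:00"),
                              ("social", {"staff"}, "2009-01-12T20:00"),
                              ("social", {"staff"}, "2009-01-17T12:00"),
                              ("gambling", {"staff"}, "2009-01-17T12:00")]:
        print(cat, sorted(groups), when, "->", decide_at(TENANT_RULES, cat, groups, when))
```

Because each tenant carries its own tuple of rules, the same evaluator serves a one-to-many platform: customization lives in the data, not in the code path.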
Remote, flexibly managed services. The security function can be delivered remotely so that administration costs are reduced. Low-level administration (hardware, supporting software) is especially important and should remain in the hands of the service, while it is desirable that the high-level tasks (definition and implementation of policies) can remain in the hands of the client company.
Comprehensive solutions (UTM). Although mixed models are possible, comprehensive security models (firewall, intrusion detection, denial-of-service protection, e-mail and Web anti-virus, anti-spam, Web content filtering, etc.) present more profitable scenarios for both the provider and the client. The client benefits from a single administration interface for all functions, lower usage costs and a single point of contact for security. The provider can correlate security events and deliver higher-quality services, can market new services such as bundled offers, and can scale its equipment and staff in a more profitable and uniform way. Currently very few complete solutions are offered, and mostly as managed services built from multi-vendor software, at high cost because of the complexity of managing them.
High scalability. The most commonly used virtualization-based solutions offer scalability that is normally limited to one or two services (e.g. virtual firewalls). The challenge is to achieve multi-service horizontal scalability within the provider itself, with the capacity to add resources simply and almost automatically as the client base grows. The technologies that can support the required level of scalability are parallelization technologies that implement a function in a distributed way, without having to care at any given moment on which server the processing for a specific client is taking place.
Profitable administration. Managing hundreds or thousands of clients already leads to high hardware costs, and to high staff costs as well. Physical administration can be done profitably with specialized staff, but delivering comprehensive solutions on multi-vendor hardware is extremely complex, since it requires experts not only in each function but in each application used. The challenge is to provide a single administration system, for the client and for the service provider alike, so that the provider can scale its administrative staff horizontally with its clients by training them on one comprehensive solution. Combining parallelization technologies with central administration allows maximum scalability, because in practice software, hardware and data are decoupled: new clients mean new machines, but it is not necessary to decide which machine serves which client (central administration), nor to hire or train more staff.
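The two scalability points above, that processing for a client may happen on any server and that adding machines must not require anyone to decide which client goes where, are exactly what a consistent-hashing ring gives. The Python below is an added example of that general technique, not Optenet's design (the paper names no specific mechanism): client identifiers are mapped to nodes by a deterministic hash, and adding a fifth node to a four-node ring moves only roughly a fifth of the clients, all of them onto the new node. Node and client names, and the choice of SHA-256 with 100 points per node, are assumptions.

```python
# Added example, not Optenet's design: consistent hashing as one technique for
# the decoupling described above. A client's traffic is routed to a processing
# node by a deterministic function; adding a machine does not require an
# administrator to reassign clients. Node and client names are constructed.
import bisect
import hashlib

def _point(key):
    """64-bit position on the ring for a key (SHA-256 is an assumed choice)."""
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")

class ConsistentRing:
    """Maps client identifiers to nodes; each node owns `replicas` points."""

    def __init__(self, nodes=(), replicas=100):
        self.replicas = replicas
        self._keys = []   # sorted ring positions
        self._owner = []  # node owning the position at the same index
        for node in nodes:
            self.add_node(node)

    def add_node(self, node):
        for i in range(self.replicas):
            h = _point(f"{node}#{i}")
            pos = bisect.bisect(self._keys, h)
            self._keys.insert(pos, h)
            self._owner.insert(pos, node)

    def remove_node(self, node):
        pairs = [(h, n) for h, n in zip(self._keys, self._owner) if n != node]
        self._keys = [h for h, _ in pairs]
        self._owner = [n for _, n in pairs]

    def node_for(self, client):
        """The node whose point is the first at or after the client's point."""
        if not self._keys:
            raise LookupError("ring has no nodes")
        pos = bisect.bisect_left(self._keys, _point(client)) % len(self._keys)
        return self._owner[pos]

def assignment(ring, clients):
    return {c: ring.node_for(c) for c in clients}

def moved_fraction(before, after):
    """Share of clients whose node changed between two assignments."""
    return sum(1 for c in before if before[c] != after[c]) / len(before)

def rebalance_demo(n_clients=2000):
    """Add a fifth node to a four-node ring. Returns the fraction of clients
    that moved and whether every client that moved landed on the new node."""
    clients = [f"client-{i}" for i in range(n_clients)]
    ring = ConsistentRing(["node-a", "node-b", "node-c", "node-d"])
    before = assignment(ring, clients)
    ring.add_node("node-e")
    after = assignment(ring, clients)
    only_to_new = all(after[c] == "node-e"
                      for c in clients if before[c] != after[c])
    return moved_fraction(before, after), only_to_new

if __name__ == "__main__":
    frac, clean = rebalance_demo()
    print(f"{frac:.1%} of clients moved when a fifth node was added; "
          f"all moved to the new node: {clean}")
```

Any front end that knows the current node list computes the same answer, so there is no central table of client-to-machine assignments to maintain, and decommissioning a node (`remove_node`) likewise only moves that node's clients.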
Coverage of very large user bases. Clients clearly come in different sizes (e.g. micro-enterprises versus multinationals) and have different requirements, so it is desirable to give the solutions enough flexibility to satisfy all of them. This calls for comprehensive solutions that allow maximum decentralization of the client's activity and that hide administration details at will. For large clients the solution has to cover multiple sites, with business profiles that are independent of location (e.g. a finance department distributed across several sites), management of virtual private networks, coverage of mobile workers (with policies that apply regardless of where they connect from), and so on. Such services can be delivered especially profitably as security from the provider. At the same time, administration should be flexible enough to hide tasks that are not required or are too complex. Consequently, interfaces of different complexity have to be offered to different types of client, customizable in all cases. If such coverage is achieved, the profitability of the service and of the business model is assured.
To sum up, companies and security providers demand security software systems that:
- Offer global security solutions (UTM) from a single manufacturer.
- Achieve an effective decoupling of hardware, software and data, enabling maximum scalability and flexibility.
- Are highly customizable and adaptable to clients' needs.
Software or an appliance with these features offers the greatest development opportunities at the level of the Internet access provider, which can make offers covering both access and protection in a unified way. Once located at the access provider, it can serve residential users, micro-enterprises, small and medium companies or large transnational corporations, either self-managed or, for larger clients, as a managed service.
Optenet Solutions

Each of the security as a service models offers advantages and disadvantages, for the client or for the provider. Among all SaaS models, the multihost model is the most flexible, as it lets the provider perform all maintenance and administration duties, which means lower operating costs that can be passed on to clients. Providers of these services will find in the Optenet product range easily scalable solutions with which to offer their clients state-of-the-art technology in e-mail security, Web security and Web filtering services.
OPTENET SA
José Echegaray nº 8. Edificio 3, 1ª Planta, módulo 1.
Parque empresarial Alvia - 28230 Las Rozas. Madrid (SPAIN)
Tel.: +34 902 154 604 Fax: +34 913 575 433
Email: [email protected] Web: www.optenet.com
Optenet is a global IT security company that provides high-performance security solutions to
service providers and large enterprises worldwide. Optenet’s technology protects 75 million end
users around the globe, including the customers of many of the world’s leading ISPs and mobile
operators, as well as employees of global enterprise organizations. The Company is a socially
conscious organization, committed to eliminating illegal content on the Internet, protecting
children and supporting government agencies and non-profit organizations that share the
same goal.
For more information, visit www.optenet.com
Copyright © 2009 Optenet