The security-as-a-service model for the cloud, also known as SaaS, is a subscription-based model just like the software-as-a-service model. The concept is relatively new in the cloud, and two types of emerging service providers offer it to clients. The first type consists of providers that already have an established foothold in the market and, because of the emergence of the cloud, are now adapting their existing service delivery methods to include cloud services. The second type consists of relatively new information security companies that provide security only as a cloud service and do not offer traditional client/server-based security products for applications, hosts or networks.
To understand why SaaS emerged, we have to look at three points of impetus that fuel the growth of this service in the cloud. The first is more than a decade old: unsolicited email, or spam. By the late 1990s, email had become so popular that most organizations were using it for their business communication.
A large number of ordinary users were also using email services. At that time, most email providers offered no services to improve the quality of their email service. Because of this, aggressive marketers treated every email user as a potential customer and sent large numbers of unwanted advertisements. In early 1999, some companies, such as Postini, started services to deal with junk mail and other email-related concerns. Now, both internet service providers and standalone security companies provide email filtering services.
The second reason behind the emergence of SaaS is managed security services (MSSs). Today, managed security service providers (MSSPs) are responsible for managing an organization's network security devices, such as intrusion detection systems and firewalls. The reason for using an MSS is the same as for cloud services: reduced cost through shared resources compared to in-house solutions. The difference between MSSPs and CSPs (cloud service providers) is that, unlike in the cloud, the shared resources for MSSPs are personnel, not infrastructure. Using cloud services for MSSPs, parts of an organization's information security program can be outsourced offshore, onshore, on-premises, off-premises, and in other variations of delivery. Although all the network security is outsourced in this model, it is the customer's responsibility to manage and monitor the MSSP, and the customer decides which security policies are enforced. The network security devices are monitored by the MSSP, but the customer owns these devices, including the devices that manage and monitor data flows. One important advantage of using SaaS is that it reduces the customer's associated capital expense, because most of the devices and their management and monitoring are the responsibility of the SaaS provider.
The third important reason behind SaaS is the need to provide security on endpoint devices directly. An organization's IT department struggles to manage the large number of configuration variables on these devices, because a huge set of different devices work as endpoints. In modern organizations many of these devices are mobile, so finding their configuration problems and keeping their software up to date is a huge task. One big problem with mobile devices is that they lack sufficient hardware to run today's endpoint security suites. Because of these problems and the increase in malware infections, endpoint security is one of the biggest concerns for many organizations. This is where the concept of the cloud as a security service comes in. In this model, the monitoring and management of data traffic is moved to the cloud instead of the endpoint devices. For example, a research paper titled “CloudAV: N-Version Antivirus in the Network Cloud”, available at http://www.eecs.umich.edu/fjgroup/pubs/cloudav-usenix08.pdf, showed that cloud-based antivirus (i.e., anti-malware) provides 35% better detection against recent threats than endpoint-based single engines, and an overall detection rate of 98%. This detection rate is far better than the detection rate of an endpoint.
Available SaaS Services
Various SaaS services are available to improve an organization's information security: web content filtering, email filtering, vulnerability management and identity-as-a-service. Some of these services are described below:
SaaS email services cleanse phishing mail, spam and malware attached to emails from an organization's incoming email stream and then deliver the clean mail securely to the organization. This approach not only provides more comprehensive client security, because multiple engines are used, but also improves the performance of client devices, because the anti-malware now runs in the cloud instead of consuming the resources of endpoint devices, and it allows better anti-malware management. The anti-malware is managed centrally through the cloud, so it is easy to work with devices that have different operating systems and processor architectures, and solutions from multiple anti-malware vendors can be managed more efficiently. Cleansing mail in a cloud service has corollary benefits, such as reduced load on the organization's email servers, reduced bandwidth used by email, and improved effectiveness of the organization's anti-malware efforts. Email backup and archiving services are also included in SaaS email services. For this purpose, the cloud provider maintains a centralized repository to index and store the organization's email and attachments. The organization can index or search this repository by various parameters such as sender, receiver, subject, content and date range.
Web Content Filtering
An organization's endpoint devices, whether they are at home, at the organization's facilities or on the road, receive data traffic through the web. This traffic is diverted to a SaaS provider, which is responsible for scanning it for malware threats and thus ensures that only secure traffic reaches the end users. The organization can also enforce web content policies to block, allow or throttle traffic. SaaS supports URL filtering mechanisms that examine HTTP header information, embedded links and page content to better understand the web content requested by endpoint devices. SaaS also scans outbound web traffic for sensitive information, such as credit card information and ID numbers, that a user might send without proper authorization.
Ensuring the secure configuration and operation of an organization's devices has become more difficult as its web presence and operations expand. To ensure that these systems are up to date and can face any challenge, some SaaS providers search them for vulnerabilities, report and remediate any vulnerability they find, and verify the secure operation of the system. This information is also used to monitor compliance with regulatory standards such as PCI DSS and ISO 27001.
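The outbound scan described above can be sketched as follows. This is an added example, not code from any SaaS provider: the function names, the `authorized_hosts` allow-list and the `.example` hostnames are assumptions, and the request data is constructed for illustration. Candidate card numbers are confirmed with the Luhn checksum so that ordinary long digit strings do not trigger a block.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit counted from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(body: str) -> list[str]:
    """Return digit strings in the body that look like valid card numbers."""
    hits = []
    for match in CANDIDATE.finditer(body):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def mask(pan: str) -> str:
    """Keep only the last four digits so the filter's own log holds no card data."""
    return "*" * (len(pan) - 4) + pan[-4:]

def outbound_decision(request: dict, authorized_hosts: set[str]) -> dict:
    """Block card data sent to a host outside the organization's allow-list."""
    hits = find_card_numbers(request["body"])
    blocked = bool(hits) and request["host"] not in authorized_hosts
    return {"action": "block" if blocked else "allow",
            "matches": [mask(h) for h in hits]}

if __name__ == "__main__":
    # Constructed sample: a well-known test card number plus an order reference
    # that has 16 digits but fails the Luhn check.
    sample = {"host": "paste.example",
              "body": "card=4111-1111-1111-1111&ref=1234567890123456"}
    print(outbound_decision(sample, {"payments.example"}))
```
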
Figure 1: web content filtering
Identity management-as-a-service (IDaaS) is a relatively new SaaS service in comparison to other popular SaaS services such as web content filtering, email filtering and vulnerability management. Because this service is still under constant development, there are some challenges in implementing cloud-based identity and access management services, such as CSPs' concerns regarding IDaaS providers and the development of some sort of collaborative metasystem. In addition, IDaaS providers will have to provide other IAM services for cloud users, such as provisioning, auditing and authorization.
Figure 2: IDaaS model
Today, cloud services are an emerging market that is outpacing the old, traditional service delivery models. The services provided by SaaS have become quite mature. Services like web content filtering and email filtering have been available on the market for more than a decade, and their service delivery methods are well developed. Services like IDaaS are new to SaaS and are still being refined. Various cloud service providers offer these services to other organizations using their own specialized clouds.