Security From The Cloud
“Make us safer on a shoestring” was the message Paul Petrenko received from elected officials of the village of Hoffman Estates, Ill., in the days after Sept. 11, 2001.
As facilities manager for the suburban Chicago village, Petrenko shared the officials’ concerns about securing water treatment plants, equipment storage areas and other village property.
The challenge was how to increase security with a thin budget, minimal information technology support and virtually no security staff.
“At the time, there wasn’t a whole lot of technology out there to satisfy our requirements,” Petrenko said. Many of the facilities to secure had no data or telecom lines, yet had to integrate with systems at city hall and fire and police stations.
In the end, Petrenko did not buy long-term software licenses, install hardware servers or dig trenches for telecommunication lines to remote sites. Instead, the village has subscribed to an access control solution from Brivo Systems of Bethesda, Md., for the last seven years. It’s a completely Internet-based solution encompassing facilities spread across 21 square miles. It also is an example of a growing trend by enterprises, governments and other agencies to migrate applications to a completely Web-based environment -- to the network “cloud,” to use IT-speak. Such cloud-based applications are called Software as a Service.
“The cost of traditional access control systems would’ve been beyond our budget and capabilities,” Petrenko said. “We saved an incredible amount of money.”
Ideal For Small Businesses
“SaaS gives small companies resources they might not otherwise have,” said Peter Wilenius, vice president of marketing for Ottawa, Ontario-based March Networks. He noted SaaS gives companies access to rich, current feature sets, without capital expenditures or long deployment schedules. “All these benefits are really setting up growth and acceptance of SaaS in our industry,” Wilenius said.
SaaS is already popular among enterprises for a growing array of business applications, from sales force and customer management to payroll and financial management. Larger enterprises are looking at SaaS to cut costs. By the end of 2009, 76 percent of U.S. organizations will use at least one SaaS-delivered application for business use, according to the research firm IDC.
But SaaS has lagged in security spaces, with the exceptions of messaging or e-mail and Web security, where many established and new vendors compete. On the physical and converged security side, offerings are fewer, mainly because IP-based physical security systems are relatively new.
Still, SaaS offers the promise of helping security teams add business value while increasing security and doing it cost effectively. Simultaneously, SaaS computing brings its own security challenges, mainly in identity management and access control.
Low Capital Expense
Many software solutions offer Web browser interfaces as an easy way for users to access software and data on an in-house server, sometimes on a corporate intranet. While the SaaS model includes the Web browser, it goes further by putting all the application infrastructure and software on the Internet itself.
When a user swipes an access card at a Hoffman Estates facility, the card reader queries a remote Internet-based Brivo server, which contains all of the village’s credential and access policy data. The functionality is not so different from other access control systems. What is key for Petrenko is that the village’s only initial capital investments included card readers and wireless network nodes at village locations lacking telecom links. Another huge benefit he cited is that Brivo owns all the hardware, manages all the upgrades and takes responsibility for troubleshooting.
“I just don’t have the staff to manage the system,” Petrenko said, noting that the village IT staff was worried about being responsible for any physical security. Brivo’s SaaS-based delivery takes the burden off the IT staff -- they have no server or software to manage -- while giving Petrenko easy Web-based access for monitoring access control.
Big reductions in capital expenses, plus eliminating the long-term commitments implicit in installing software and servers in-house, give SaaS an attractive total cost of ownership story. In a study of SaaS-based single site access control management systems versus server-based systems, Brivo Systems found the SaaS systems on average cost users 76 percent less to operate over five years. Those savings mainly came from eliminating upfront costs of servers, annual maintenance and support fees, ongoing power and cooling costs, data backup and recovery, and other onsite IT costs.
Full Features
While eliminating big capital outlays, SaaS-based solutions are not stripped-down versions of server-based software but offer rich features and functions that just happen to originate in a network cloud. Some security vendors, including Brivo, March Networks and Quantum Secure of San Jose, Calif., offer solutions in both enterprise-based and SaaS-based models. The main difference is in where the client feels most comfortable locating the software.
Quantum Secure’s SAFE, which integrates data in corporate identity databases and physical security systems for converged identity management and access control as well as compliance and event management, achieves those features whether it’s deployed as a SaaS or as an enterprise application.
While selling SAFE as an enterprise-server-based solution to such customers as Toronto Airport, Ajay Jain, CEO at Quantum Secure, explained the company engineered its solution to easily port to a SaaS model. “We realized in order to be competitive over the next 10 years, we’d need to be Web-based,” Jain said.
UPS Security of Orange City, Calif., delivers SAFE as a SaaS for its customers, which include large office buildings, office campuses, industrial parks and gated communities that may have multiple access control systems to manage. By deploying SAFE in its SaaS mode, UPS Security gives all its clients Web-based control of their access systems, including user provisioning and credentialing, without requiring them to install any software or computer systems, assuming the client has existing Internet access.
With the SaaS model, Jain said, “you disengage yourself from hardware dependency.” Other vendors pointed out this means users are much freer to choose and move among SaaS providers than they are traditional vendors.
Room To Grow
Enterprise security leaders intrigued by SaaS savings may be disappointed to find that outside of mass messaging, e-mail and Web filtering applications, there is not yet a wide selection of cloud-based security applications. SaaS adoption for converged security in particular is far behind that of business applications.
That’s partly because of physical security’s relatively slow move to the Internet Protocol for its systems. Another difficulty is that security has an “irreducible physical component,” said Steve Van Till, president and CEO of Brivo. He pointed out that securing doors requires readers and surveillance calls for cameras; this hardware won’t disappear even if the software that runs it sits in the cloud.
The need for physical components also can extend to SaaS for network security, said Chris Smith, vice president of marketing for Houston-based Alert Logic.
The company provides SaaS-based threat detection, vulnerability assessment and log management. For intrusion detection, Smith said the company found it necessary to build an appliance to sit on client switches to collect data. Beyond that bit of what he called “dumb plumbing,” Alert Logic processes all data in the cloud to check for anomalies.
Not all applications make sense for SaaS delivery, vendors say. “You can take any application to the cloud, but there’s a spectrum of value you can add, and some apps are on the lower end,” said Smith at Alert Logic. “The cloud is all about taking infrastructure off the client.” SaaS-delivered e-mail, messaging and Web security applications are gaining popularity because they keep backhauled traffic and intensive processing off the enterprise network, yet increase and extend its security.
“A company still wants to be between its users and the Internet, even when they’re mobile,” said Paul Judge, chief technology officer for Atlanta-based Purewire Inc., which offers SaaS Web filtering to stop users from visiting or downloading content from untrustworthy or malware-infected Web sites. “The cloud gives you that ability to see between your users and an application.”
SaaS-based network vulnerability assessment, such as that offered by Alert Logic and Qualys of Redwood Shores, Calif., also is effective because viewing an enterprise network from the cloud is akin to how a hacker or other potential attacker will see it. “In the past, companies would try to simulate an outsider’s perspective,” Judge said. “SaaS gives you a more realistic view.”
Connecting SaaS Clouds
While reducing costs and increasing security, SaaS security applications also can help enterprises of all sizes do business more effectively, sometimes by integrating with other SaaS applications. Brivo Systems works with three health club member management system vendors, all with SaaS models, to deliver 24/7 access control to independent health clubs via the Internet. Keeping longer hours helps the clubs compete with big national chains, and SaaS integration delivered that benefit without requiring the clubs to invest in more personnel or in systems beyond a door control panel, Van Till said.
SaaS also gives smaller firms technology once available only to the largest enterprises. March Networks has designed a hosted loss prevention application for smaller retailers who need such sophistication but can’t afford the systems or personnel to manage an on-premises server.
SaaS security applications also provide data that goes beyond security users. Alert Logic sees customers using log data to spot application and productivity issues before they become bigger problems.
Still, cost is the biggest driver right now for SaaS, according to analysts, users and vendors. The percentage of U.S. firms that plan to spend at least 25 percent of their IT budgets on SaaS applications will increase from 23 percent in 2008 to nearly 45 percent in 2010, according to IDC.
Jain sees physical security evolving to centralized applications in a network cloud, reducing local personnel needed for monitoring and maintaining systems. That’s an emerging reality for Hoffman Estates, which uses SaaS software for a range of facilities management tasks, including HVAC control for village buildings.
“We’ve had to think a lot smarter about how to globally manage the village,” Petrenko said. He said the SaaS model essentially enables him to use software in lieu of personnel. “SaaS is an evolution in thinking,” he said. “It’s the only way to manage information in this day and age.”
This article originally appeared in the April 2009 issue of Network-Centric Security.
About the Author
Sharon J. Watson is a freelance journalist based in Sugar Land, Texas.