A security company like Perimeter eSecurity has to either partner with telecom companies (which it does), or convince direct customers to route all their Internet traffic first to Perimeter and then back to their enterprise (which it also does). Telecom companies, on the other hand, need only to get permission from existing customers to filter the traffic that they’re already handling anyway. Rather than evaluating a brand-new contract, the CIO, and perhaps CSO, are just looking at making changes to a service-level agreement and pricing for bandwidth.

Although not everything can be handled at the network level, AT&T currently offers several services in the cloud. First, there’s the network-based firewall, which can be accessed and configured through a Web portal and eliminates the need for a perimeter-based firewall. Second, there’s defense against DoS attacks. With this setup, when a customer’s Web traffic reaches a certain threshold, AT&T diverts the traffic to scrubbers that filter out the bad traffic and direct the good to the company’s website. Third, there’s e-mail security, where AT&T uses third-party software to filter out viruses and spam—typically at least 80 percent of a company’s inbound e-mail traffic. A similar Web security service screens incoming Web and instant-message traffic for malware. Finally, a family of services called Internet Protect notifies customers of unusual Internet activity—the junk on the screens at AT&T’s network operations center—and makes recommendations. For instance, if technicians see early indications of a new worm, they may suggest that a customer temporarily block traffic to the affected port.

Right now, most of AT&T’s security customers still favor handling things the old-fashioned way, by turning over the management of what’s known in industry lingo as customer premises equipment (CPE), such as firewalls. One customer CSO spoke with didn’t even seem aware that AT&T is cheerleading the in-the-cloud model, and AT&T says that only about 10 percent of its devices are handled in the cloud. But that’s changing.

For instance, the company says that the number of virtual firewalls it manages has been growing at a compounded rate of 65 percent to 75 percent annually over the past three years and has already passed the halfway point. “The shift is starting to happen pretty rapidly,” says Stan Quintana, vice president of AT&T Security Services. He projects that five years from now, the ratio of in-the-cloud devices to CPE will almost have flipped, with a full 80 percent of services handled virtually. Even before the announcement that it would acquire Cybertrust, competitor Verizon was saying that its managed security service offerings were growing at a fast clip of about 67 percent a year, with two in-the-cloud services similar to AT&T’s offerings proving to be especially popular. While the Cybertrust acquisition doesn’t add to Verizon’s in-the-cloud offerings, a spokesperson says, it might give the company more options for adding cloud-based functions later on.