In-the-cloud security: Dreamy or dangerous?

According to John Pescatore, a Gartner security expert who keeps tabs on in-the-cloud security services, the basic thing about them — be they for e-mail, denial-of-service (DoS) protection, vulnerability scanning or Web filtering — is that they're an alternative to the do-it-yourself approach in buying software or equipment.

There are strong reasons to ascend into the cloud by buying a service — but also times to stay in the more earthly domain with your own stuff.

To start, it's worth thinking about enterprise in-the-cloud security services as two basic types, Pescatore suggests. The first is bandwidth-based, such as carrier- or ISP-based DoS protection and response.

"AT&T, for example, can do this better and more cheaply than you can, plus they're filtering out attacks further upstream than you can using their bandwidth," Pescatore says. The alternative would be buying anti-DoS equipment from a firm such as Arbor Networks and setting up protection on your own.

The second in-the-cloud type is what Gartner prefers to call"security as a service," which is "totally divorced from a bandwidth service," Pescatore says. Using an antispam service, for example, involves redirecting the MX record to the service provider but doesn't entail specific bandwidth services tied to one single carrier.

This genre includes e-mail spam and antivirus filtering; vulnerability scanning; and Web filtering. What it doesn't include, by and large, is either DLP content monitoring and filtering or identity access and management, which are tightly coupled to internal business changes.

Using security-as-a service in the cloud makes a lot of sense to protect mobile laptops or provide protection for widely distributed branch offices, Pescatore says."For the very large global corporations, this is attractive," he says.

However, most companies will probably find it as easy and cost-effective to continue to guard internal operations by deploying their own security gear to filter spam, viruses and restrict Web access.

There are potential risks to filtering services. You might not want to transmit sensitive business transactions through this kind of third-party service. And, there's always a chance the service might go out of business.

All of these in-the-cloud services are still fairly new, seeing a growth spurt only in the past three years, Pescatore says, with MessageLabs, Microsoft, Google's Postini and Websense to be counted among the vendors. Gartner estimates that in-the-cloud e-mail security services don't account for more than 20 percent of the total e-mail security market but will jump to 35 percent by year-end and 70 percent by 2013.

According to research firm IDC, last year the market for e-mail security software was $1.38 billion, and appliances another $692.2 million. In-the-cloud services, which IDC calls hosted services, were $454 million. Software and appliances are expected to continue steady growth (see chart), and hosted services will jump to $638 million this year and $1.39 billion by 2011.

This kind of expansion of in-the-cloud services encourages the Jericho Forum, an organization of about 60 corporations which has been actively pushing for innovative e-commerce security that reaches outside the traditional corporate boundary of the perimeter.

"Web filtering in the cloud has only taken off in the last 16 months," says Paul Simmonds, a member of the Jericho Forum board."There are many more in-the-cloud services today than there were a few years ago." Simmonds said the"disappearing perimeter" in corporate networks is making in-the-cloud security services an appealing option that many businesses are exploring today.