The Pros and Cons of Using SaaS Security Services

Written by the Security Guidance Working Group

In this blog we discuss the benefits and concerns of security services delivered from the cloud. These services, which are typically SaaS or PaaS, aren’t necessarily used exclusively to protect cloud deployments; they are just as likely to help defend traditional on-premises infrastructure.

Security as a Service (SecaaS) providers offer security capabilities as a cloud service. SecaaS includes dedicated SecaaS providers, as well as packaged security features from general cloud computing providers. Security as a Service encompasses a very wide range of possible technologies including: IAM Services, CASBs, Web Security Gateways, Email Security, IDS/IPS, Key Management, and more.

Potential Benefits and Concerns of SecaaS

It is important to understand how SecaaS is different from both on-premises and self-managed security. To do so, consider the potential benefits and consequences.

Benefits

Cloud-computing benefits. The normal potential benefits of cloud computing—such as reduced capital expenses, agility, redundancy, high availability, and resiliency—all apply to SecaaS. As with any other cloud provider, the magnitude of these benefits depends on the pricing, execution, and capabilities of the security provider.

Staffing and expertise. Many organizations struggle to employ, train, and retain security professionals across relevant domains of expertise. This can be exacerbated due to limitations of local markets, high costs for specialists, and balancing day-to-day needs with the high rate of attacker innovation. As such, SecaaS providers bring the benefit of extensive domain knowledge and research that may be unattainable for many organizations that are not solely focused on security or the specific security domain.

Intelligence-sharing. SecaaS providers protect multiple clients simultaneously and have the opportunity to share data intelligence and data across them. For example, finding a malware sample in one client allows the provider to immediately add it to their defensive platform, thus protecting all other customers. Practically speaking this isn’t a magic wand, as the effectiveness will vary across categories, but since intelligence-sharing is built into the service, the potential upside is there.

Deployment flexibility. SecaaS may be better positioned to support evolving workplaces and cloud migrations, since it is itself a cloud-native model delivered using broad network access and elasticity. Services can typically handle more flexible deployment models, such as supporting distributed locations without the complexity of multi-site hardware installations.

Insulation of clients. In some cases, SecaaS can intercept attacks before they hit the organization directly. For example, spam filtering and cloud-based Web Application Firewalls are positioned between the attackers and the organization. They can absorb certain attacks before they ever reach the customer’s assets.

Scaling and cost. The cloud model provides the consumer with a “Pay as You Grow” model, which also helps organizations focus on their core business and lets them leave security concerns to the experts.

Concerns

Lack of visibility. Since services operate at a distance from the customer, they often provide less visibility or data compared to running one’s own operation. The SecaaS provider may not reveal details of how it implements its own security and manages its own environment. Depending on the service and the provider, that may result in a difference in data sources and the level of detail available for things like monitoring and incidents. Some information that the customer may be accustomed to having may look different, have gaps, or not be available at all. The actual evidence and artifacts of compliance, as well as other investigative data, may not meet the customer’s goals. All of this can and should be determined before entering into any agreement.

Regulation differences. Given global regulatory requirements, SecaaS providers may be unable to assure compliance in all jurisdictions that an organization operates in.

Handling of regulated data. Customers will also need assurance that any regulated data potentially vacuumed up as part of routine security scanning or a security incident is handled in accordance with any compliance requirements; this also needs to comply with aforementioned international jurisdictional differences. For example, employee monitoring in Europe is more restrictive than it is in the United States, and even basic security monitoring practices could violate workers’ rights in that region. Likewise, if a SecaaS provider relocates its operations, due to data center migration or load balancing, it may violate regulations that have geographical restrictions in data residence.

Data leakage. As with any cloud computing service or product, there is always the concern of data from one cloud user leaking to another. This risk isn’t unique to SecaaS, but the highly sensitive nature of security data (and other regulated data potentially exposed in security scanning or incidents) does mean that SecaaS providers should be held to the highest standards of multi-tenant isolation and segregation. Security-related data is also likely to be involved in litigation, law enforcement investigations, and other discovery situations. Customers want to ensure their data will not be exposed when these situations involve another client on the service.

Changing providers. Although simply switching SecaaS providers may on the surface seem easier than swapping out on-premises hardware and software, organizations may be concerned about lock-in due to potentially losing access to data, including historical data needed for compliance or investigative support.

Migration to SecaaS. For organizations that have existing security operations and on-premises legacy security control solutions, the migration to SecaaS and the boundary and interface between any in-house IT department and SecaaS providers must be well planned, exercised, and maintained.

Recommendations

1. Before engaging a SecaaS provider, be sure to understand any security-specific requirements for data-handling (and availability), investigative, and compliance support.
2. Pay particular attention to handling of regulated data, like PII.
3. Understand your data retention needs and select a provider that can support data feeds that don’t create a lock-in situation.
4. Ensure that the SecaaS service is compatible with your current and future plans, such as its supported cloud (and on-premises) platforms, the workstation and mobile operating systems it accommodates, and so on.

Interested in learning more? You can learn more about Security as a Service here. We have also released a paper on the Roles and Responsibilities of Third Party Security Services that should be helpful.

Looking for a security provider? CSA maintains a list of trusted cloud providers on the STAR Registry.