Whitepaper SaaS
Content
White Paper
Security as a Service through Telcos and Service Providers
Enero 2009
Security as a Service through Telcos and Service Providers
White Paper
Table of Contents
Abstract Introduction Corporate Security management modes Pros and cons of Security as a Service Virtualization and multihost Challenges of the corporate security Optenet Solutions 3 3 4 7 8 9 11
Optenet
2
Security as a Service through Telcos and Service Providers
White Paper
Abstract
This document has the intention to explain the different security management models for corporate environments, as well as the existence of several forms in which service providers can provide the security features required by their clients. Lastly, it presents the solutions which Optenet offers to those suppliers in order to enable them to render security services by means of a Multihost model with the relevant advantages.
Introduction
During these last years we have witnessed the creation and expansion of the software as a service distribution model, a model for the distribution of software applications different from all traditional models based on the possession of software by users and which offers them important advantages. This distribution model and use of software was initially linked to the corporate applications which specially included accounts management, clients and suppliers, administration of human and financial resources and human resources management. The message is crystal clear: to allow the company to concentrate in its business while leaving in expert and reliable hands the management of Information Technologies (IT). This model is expanding to other IT services such as those related to security, specially perimeter security (basically firewalls and intruder detectors and more increasingly these days anti-spam and anti-virus and content filters among others) and in general, complete management of threats for the security of corporate information1. Gartner acknowledges the existence of a market with a considerable growth trend as companies’ technological responsibles understand that security technologies are mature enough to be available through outsourcing and that this model avoids the difficulties of finding and retaining qualified personnel within this area2. Gartner defines Security as a Service (SAAS) as “the security controls property of and supplied and managed in a remote manner by one or more providers. The provider supplies security features on the basis of a series of definitions and security technologies which are applied in a one-to-many model by means of a contract based on payment according to use or by means of a subscription according to the measurement of the service use”3.
1 2
Unified Thread Management, UTM – Gestión unificada de amenazas. Bjarne Munch, Andrew Walls. Dataquest Insight: Providers Must Prepare Diligently Before Offering Managed Security Services. Gartner Dataquest., publicación no. G00157099, 10 de junio de 2008. 3 John Pescatore, Kelly M. Kavanagh. Defining the Security-as-a-Service Market. Gartner Research, publicación no. G00153213, 14 de noviembre de 2007.
Optenet
3
Security as a Service through Telcos and Service Providers
White Paper
This definition stresses not only the nature of the service managed but also the fact that the service is provided by means of a common platform for a series of users located outside the company and in a way managed by the supplier. In particular, this implies that the service is little customized and that management of most part of the service is in hands of the service provider. Nevertheless, the company is responsible for the definition of policies, of the assessment of incidents, etc.
Corporate Security management modes
Security as a Service is a non exclusive corporate security management model. In other words, a company may choose the specific security services which are to be rendered as a service while it can manage others in an internal manner and with its own staff. Corporate security can be provided as follows: Security as a Service. In this case, there is complete outsourcing: the service is rendered in a remote manner, managed by the supplier's staff and most important, it is rendered in a very uniform manner for the group of user companies. It consists on a “one to many” model, where the service is similar for all users, and needs little customization or none at all. Some examples of security services marketed in this way are the following: o o o o Remote vulnerability assessment. Protection against denial-of-service attacks. Solutions for the security of e-mail messages including anti-virus and antispam features. Security of Web contents, which may include control of access to inappropriate contents and ant-virus Web.
Security “in-the-cloud” (in supplier) In the case of security, the offers “in the cloud” are reduced in fact to those done by the Internet provider and therefore its advantages and disadvantages are similar to those in the SaaS case, with the sole difference that the offer is limited to the products offered by the supplier. Managed Security. The security service physically is provided in the client’s network, or from a centre property of the security service provider. In any of these cases, the staff of the provider will manage the operation of the service, normally from its Operation Centre (Security Operations Centre, SOC) and the staff of the company will only be responsible for the day to day software and hardware maintenance duties.
Optenet
4
Security as a Service through Telcos and Service Providers
White Paper
Figure 1: Customization according to types of software service.
External Hosting. The security feature belongs to the company and is managed by its staff but the service is rendered in a remote manner. This is quite normal in the securing of Web servers hosted in one service provider, where security features of the server (from firewalls to access control) are managed by the company itself.
Internal service. In this case, the company hosts the equipment, contracts the necessary software licenses (or uses free software), and does the installation, maintenance and management (rules and policies) with its own staff or with specialized staff recruited for that purpose. An example of the services normally managed in this way is the control of identities and of access to resources. In many cases, the border between the different modes of implementation of security functions is subtle. For example, let’s suppose that a security service provider markets an appliance4, i.e., a high performance machine which hosts a server
4
This discussion is valid if it refers to a traditional appliance , i.e, physical or if it relates to a virtual appliance , i.e., a virtual machine with its own operation system and security functions, ready to be executed in a physical server.
Optenet
5
Security as a Service through Telcos and Service Providers
White Paper
providing a specific security service. A company may access that security service in many different ways: The company may purchase or lease the appliance and install it in its own network, and manage it in an internal manner. In that case, we are talking about internal service. The company may purchase or lease the appliance and install it in its own network but can contract a third party to administer the security application. In this case we are talking about managed security. The third party can appoint its own staff within the company. The company can use the appliance located in the operations centre of a third party, different to its Internet access supplier. If the staff of the company manages the whole service, we are talking about external hosting, whereas if the company relies on that third party to implement security policies we may be talking about two different cases. If the client is granted the software license then we are talking about a managed service and if software is contracted according to use it is Security as a Service. The company can use, either partially or totally, the appliance hosted in the Internet access supplier. This case is similar to the previous one, except that if the provider manages the service, it consists either on a service in the provider (marketing by license) or on Security as a Service (according to consumption).
Services provided in a remote manner (except external hosting) include Security as a Service, security of the provider and in some cases, managed security and have the important advantage that it is possible to correlate the events of multiple clients (for example, in the spam filtering) and to propose solutions which would not be feasible otherwise. Finally, the response of the service provider to security incidents is limited in the contract (Service Level Agreement), and the service 24x7 normally implies service costs which do not limit the main corporate operations. To sum up, the characteristics which identify a product as Security as a Service are the following5: It is physically distributed and managed outside the organization which uses it. It belongs to an entity different to the organization which uses it. It is invoiced according to use or subscription. Physical and logistic resources are shared by different client organizations (one sole software instance renders service to multiple hosts).
5
Yefim V. Natis. Introducing SaaS-Enabled Application Platforms: Features, Roles and Futures. Gartner RAS Core Research Note G00150447, 14 de Agosto de 2007.
Optenet
6
Security as a Service through Telcos and Service Providers
White Paper
This last feature is normally known as “multi-host” or “multi-tenant” and confers efficiency and profitability to the service. Therefore, it limits a priori the customization level which can be achieved.
Pros and cons of Security as a Service
In comparison with other security services model (specially the internal service), Security as a Service offers important advantages for the consumer: Less administrative responsibility – most part of the responsibility is transferred to the provider. Less barriers to change suppliers. Service Level Agreements – these agreements guarantee service levels which, maybe the company is not able to provide internally. Horizontal scaling – more use, more cost but always proportional. Redundancy – guaranteed by the provider. Less use of the existent infrastructure – as it is not necessary to dedicate servers to the contracted tasks. Lower possession costs – the software license is not acquired; the provider acquires it and the company pays for the use.
There is an additional advantage when the provider of the service is the Internet provider or has access to great volumes of traffic. An increasing model for security applications is that in which an operator or Internet service provider provides hosting of the application, installing software developed by a security products manufacturer. In this model, the role of the provider of the platform and the one of the application provider match with the manufacturer of the security product. Most security services are overlapped in the network and the position of the operation is the best to guarantee the network for its clients. This is emphasized because the position of the operator enables to correlate security events on a large scale and to limit the scope of the problems such as massive intrusions or denial-ofservice attacks. Nevertheless, Security as a Service has also its disadvantages: Less visibility for the resolution of problems - most part of the operation is remote and is in the hands of third parties. International regulations – some laws may set limits, like those affecting National Security and encryption in US. (This type of problems is solved through the use of local service providers.)
Optenet
7
Security as a Service through Telcos and Service Providers
White Paper
We should add to these limitations, those intrinsic to the provider of the service. The provider has to guarantee certain levels of service at a reasonable cost and in an increasing manner; therefore it has to create a complex and delicate business model. On the contrary, the provider wins in terms of profitability of its own equipment and staff being able to share everything among different clients.
Virtualization and multihost
When the applications provider of Software as a Service designs the underlying working platform, it has two opposite options: To make use of the virtualization of servers, consists on a series of virtual servers on the same hardware machine, in a way that each server can service a client in an isolated manner. In each virtual machine a software instance is installed which implements the proposed service. To implement a multihost platform, in which the physical machine supports several clients with one sole software instance, which implements the service.
Each option has its advantages and disadvantages: In the case of virtual servers, each client implies one or more virtual servers, which by default, use certain extra criteria for each virtual machine. In relation to efficiency and scalability, the multihost option enables optimization of physical resources in a more precise way, instead of in big groups. Each virtual server has an effective data isolation capacity, so it is possible to guarantee security among different clients served by the same physical machine in a relatively easy manner. In addition, this can be achieved maintaining the correlation capacity of events at a network level because all clients continue sharing the same physical network. In the case of the multihost systems, it is necessary to design the application so that a client with bad intentions may not access other clients' servers from the same machine, although it is possible to achieve it using the relevant programming and encrypting techniques. If one virtual machine renders a service to one sole client, it is possible to install in it the services exclusively necessary for that specific client and to adapt them to its specific needs achieving a high level of customization. This level of customization is more difficult to achieve in the case of multihost systems, as they imply the combination of a license system (to guarantee that each client access to suitable features) with a highly adaptable user interface (which admits the dynamic redesign by the clients). In order to guarantee a good quality of the service and to manage the invoicing of “payment according to use”, it is crucial to forward operation reports not only at the client’s level but also at the supplier's level. The multihost platforms incorporate this capacity in a practically implicit manner.
Optenet
8
Security as a Service through Telcos and Service Providers
White Paper
In general, we can assert that the multihost model is more complex in the sense that it requires a closely designed platform but it is clearly more flexible, efficient and scalable. The customization capacity is the aspect which in praxis governs many of the decisions taken within the Software as a Service scope. Multihost platforms are adapted to render a similar service to many clients, a low customization model which has been called “one-to-many” and that is being kept for small and medium clients and for home users. When it is about rendering a service to a big corporation with very specific needs, you frequently choose a model based on virtual machines where you install tremendously customized services, a model called “one-to-one”. The main challenge that the multihost platforms are facing is to render high levels of customization which needs a close and flexible design. Obviously, in the case of corporate security, this aspect is totally fundamental.
Challenges of the corporate security
The event of Security as a Service implies an important change of perspective. Not only the security function is important in itself, but also how is it delivered to the client and its cost. Bearing in mind these points, it is possible to think about the challenges that the security service provider has to face with a view to provide his clients with a service of the highest quality, in the most profitable way for both parties. Given the abovementioned, the main challenge is to provide the client with remote services, flexibly managed, highly customized, comprehensive, in a profitable manner, highly scalable for the supplier and supporting great data bases of users. Now we will study these aspects one by one: Customization. Security as a Service is normally understood as a “one to many” service which implies that one general function (Ex. Antispam) is rendered to several clients in a standard manner with very little customization. Sometimes it is possible to cover wide users segments with a minimum configuration for each of them, like in the case of spam mail filtering. Nevertheless, other services can require greater customization. For example, in the case of Web contents filtering, it is necessary to establish in detail what , when and of whom is blocked. Remote services, flexibly managed. It is possible to dispose of the security function in a remote manner, so that the administration costs can be reduced. Aspects relating to low level administration (hardware, support software) are specially important, which have to remain in the hands of the service, and it is interesting that those high level services (definition and implementation of policies) can remain in the hands of the company. Comprehensive solutions (UTM). Although it is possible to have mixed models, comprehensive security models (firewalls, intrusions detectors, denial-of-service attacks, email and Web antivirus, antispam, Web contents filtering, etc.) present more profitable scenarios for the supplier as well as for the client. The client benefits from the multitask
Optenet
9
Security as a Service through Telcos and Service Providers
White Paper
administration systems (one single interface), less costs related to use and one single figure in what refers to security. The provider can correlate security events and render higher quality services, it can market new services such as aggregated offers and escalate its equipments and staff in a more profitable and uniform way. Currently, very little complete solutions are offered and most times in a managed manner, using multimanufacturer software with high costs due to the complexity of the management. High scalability. Most commonly used solutions based in virtualization, offer scalability possibilities normally limited to one or two services (Ex. Virtual firewalls). The challenge is to achieve multiservice horizontal scalability within the own provider, with the capacity to add resources in a simple way, nearly automatic, following the growth of the clients database. Technologies which can give support at the scalability level required are those parallelization technologies which enable to implement one function in a distributed manner without the need of worrying in each moment about in which server is the processing being done for a specific client. Profitable administration. The management of hundreds, thousands of clients leads already to high costs in terms of hardware, and also in terms of staff. Physical administration can also be done in a profitable manner with specialized staff but it is extremely complex to render comprehensive solutions with multimanufacturer hardware, as it is necessary to count with experts not only in functions but also in the applications used. The challenge is to provide one sole administration not only for the client but also for the service supplier, which may escalate its administrative staff in a horizontal way with clients, by means of training in one sole and comprehensive solution. The combination of parallelization technologies with a central administration allows maximum scalability, as in practice software and hardware data are decoupled. In other words, new clients implies new machines but it is not necessary to decide which machine renders services to which client (central administration) and it is not necessary to contract or train more staff. Coverage of great data bases of users. Although it is clear that there are clients of different sizes (Ex. micropymes vs. multinationals) all of them have different requirements, it is desirable to grant the necessary flexibility to the solutions in order to satisfy all of them. Therefore, it is necessary to offer comprehensive solutions which allow maxim decentralization of the company’s activity and which hide administration details at will. For big clients, the solution has to cover multiple headquarters with independent business profiles regarding localization (ex. The financial department is distributed in several headquarters) management of virtual private networks, coverage of mobile workers (with policies which apply independently to the connection site), etc. Such services can be rendered in a specially profitable manner as security for the supplier. At the same time, administration should be as flexible as to hide non-required tasks or too complex tasks. As a consequence, interfaces have to be offered to users of different complexity, to different types of clients but customizable in all cases. If such coverage is achieved, profitability in the service and business model are guaranteed.
Optenet
10
Security as a Service through Telcos and Service Providers
White Paper
To sum up, companies and security providers demand security software systems which: Propose global security solutions (UTM) in one sole manufacturer. Achieve an effective decoupling between hardware, software and data, which enables maximum levels of scalability and flexibility. Are highly customizable and adaptable to the clients’ needs.
A software or appliance with these features offers the highest development opportunities at the level of the Internet access supplier, which may present offers to cover, in a unified way, both the access and the protection. Once located in the access supplier, it can offer coverage to residential users, micropymes, small and medium companies or great transnational corporations both autonomously and managed in the case of bigger clients.
Optenet Solutions
Each of the security as a service models offer several advantages and disadvantages either for the client or for the supplier. Among all SaaS models, the Multihost model is the one with the most flexible format, as it enables the supplier to perform all maintenance and administration duties, which implies less operation costs which can be transferred to clients. The providers of these services will find within the range of Optenet products, solutions easily scalable with which they can offer their clients state of the art technology in security services in electronic messaging, security and Web filtering.
OPTENET SA José Echegaray nº 8. Edificio 3, 1ª Planta, módulo 1. Parque empresarial Alvia - 28230 Las Rozas. Madrid (SPAIN) Tel.: +34 902 154 604 Fax: +34 913 575 433 Email: [email protected] Web: www.optenet.com Optenet is a global IT security company that provides high-performance security solutions to service providers and large enterprises worldwide. Optenet’s technology protects 75 million end users around the globe, including the customers of many of the world’s leading ISPs and mobile operators, as well as employees of global enterprise organizations. The Company is a socially conscious organization, committed to eliminating illegal content on the Internet, protecting children and supporting government agencies and non-profit organizations that share the same goal. For more information, visit www.optenet.com Copyright © 2009 Optenet
Optenet
11
Security as a Service through Telcos and Service Providers
Enero 2009
Security as a Service through Telcos and Service Providers
White Paper
Table of Contents
Abstract Introduction Corporate Security management modes Pros and cons of Security as a Service Virtualization and multihost Challenges of the corporate security Optenet Solutions 3 3 4 7 8 9 11
Optenet
2
Security as a Service through Telcos and Service Providers
White Paper
Abstract
This document has the intention to explain the different security management models for corporate environments, as well as the existence of several forms in which service providers can provide the security features required by their clients. Lastly, it presents the solutions which Optenet offers to those suppliers in order to enable them to render security services by means of a Multihost model with the relevant advantages.
Introduction
During these last years we have witnessed the creation and expansion of the software as a service distribution model, a model for the distribution of software applications different from all traditional models based on the possession of software by users and which offers them important advantages. This distribution model and use of software was initially linked to the corporate applications which specially included accounts management, clients and suppliers, administration of human and financial resources and human resources management. The message is crystal clear: to allow the company to concentrate in its business while leaving in expert and reliable hands the management of Information Technologies (IT). This model is expanding to other IT services such as those related to security, specially perimeter security (basically firewalls and intruder detectors and more increasingly these days anti-spam and anti-virus and content filters among others) and in general, complete management of threats for the security of corporate information1. Gartner acknowledges the existence of a market with a considerable growth trend as companies’ technological responsibles understand that security technologies are mature enough to be available through outsourcing and that this model avoids the difficulties of finding and retaining qualified personnel within this area2. Gartner defines Security as a Service (SAAS) as “the security controls property of and supplied and managed in a remote manner by one or more providers. The provider supplies security features on the basis of a series of definitions and security technologies which are applied in a one-to-many model by means of a contract based on payment according to use or by means of a subscription according to the measurement of the service use”3.
1 2
Unified Thread Management, UTM – Gestión unificada de amenazas. Bjarne Munch, Andrew Walls. Dataquest Insight: Providers Must Prepare Diligently Before Offering Managed Security Services. Gartner Dataquest., publicación no. G00157099, 10 de junio de 2008. 3 John Pescatore, Kelly M. Kavanagh. Defining the Security-as-a-Service Market. Gartner Research, publicación no. G00153213, 14 de noviembre de 2007.
Optenet
3
Security as a Service through Telcos and Service Providers
White Paper
This definition stresses not only the nature of the service managed but also the fact that the service is provided by means of a common platform for a series of users located outside the company and in a way managed by the supplier. In particular, this implies that the service is little customized and that management of most part of the service is in hands of the service provider. Nevertheless, the company is responsible for the definition of policies, of the assessment of incidents, etc.
Corporate Security management modes
Security as a Service is a non exclusive corporate security management model. In other words, a company may choose the specific security services which are to be rendered as a service while it can manage others in an internal manner and with its own staff. Corporate security can be provided as follows: Security as a Service. In this case, there is complete outsourcing: the service is rendered in a remote manner, managed by the supplier's staff and most important, it is rendered in a very uniform manner for the group of user companies. It consists on a “one to many” model, where the service is similar for all users, and needs little customization or none at all. Some examples of security services marketed in this way are the following: o o o o Remote vulnerability assessment. Protection against denial-of-service attacks. Solutions for the security of e-mail messages including anti-virus and antispam features. Security of Web contents, which may include control of access to inappropriate contents and ant-virus Web.
Security “in-the-cloud” (in supplier) In the case of security, the offers “in the cloud” are reduced in fact to those done by the Internet provider and therefore its advantages and disadvantages are similar to those in the SaaS case, with the sole difference that the offer is limited to the products offered by the supplier. Managed Security. The security service physically is provided in the client’s network, or from a centre property of the security service provider. In any of these cases, the staff of the provider will manage the operation of the service, normally from its Operation Centre (Security Operations Centre, SOC) and the staff of the company will only be responsible for the day to day software and hardware maintenance duties.
Optenet
4
Security as a Service through Telcos and Service Providers
White Paper
Figure 1: Customization according to types of software service.
External Hosting. The security feature belongs to the company and is managed by its staff but the service is rendered in a remote manner. This is quite normal in the securing of Web servers hosted in one service provider, where security features of the server (from firewalls to access control) are managed by the company itself.
Internal service. In this case, the company hosts the equipment, contracts the necessary software licenses (or uses free software), and does the installation, maintenance and management (rules and policies) with its own staff or with specialized staff recruited for that purpose. An example of the services normally managed in this way is the control of identities and of access to resources. In many cases, the border between the different modes of implementation of security functions is subtle. For example, let’s suppose that a security service provider markets an appliance4, i.e., a high performance machine which hosts a server
4
This discussion is valid if it refers to a traditional appliance , i.e, physical or if it relates to a virtual appliance , i.e., a virtual machine with its own operation system and security functions, ready to be executed in a physical server.
Optenet
5
Security as a Service through Telcos and Service Providers
White Paper
providing a specific security service. A company may access that security service in many different ways: The company may purchase or lease the appliance and install it in its own network, and manage it in an internal manner. In that case, we are talking about internal service. The company may purchase or lease the appliance and install it in its own network but can contract a third party to administer the security application. In this case we are talking about managed security. The third party can appoint its own staff within the company. The company can use the appliance located in the operations centre of a third party, different to its Internet access supplier. If the staff of the company manages the whole service, we are talking about external hosting, whereas if the company relies on that third party to implement security policies we may be talking about two different cases. If the client is granted the software license then we are talking about a managed service and if software is contracted according to use it is Security as a Service. The company can use, either partially or totally, the appliance hosted in the Internet access supplier. This case is similar to the previous one, except that if the provider manages the service, it consists either on a service in the provider (marketing by license) or on Security as a Service (according to consumption).
Services provided in a remote manner (except external hosting) include Security as a Service, security of the provider and in some cases, managed security and have the important advantage that it is possible to correlate the events of multiple clients (for example, in the spam filtering) and to propose solutions which would not be feasible otherwise. Finally, the response of the service provider to security incidents is limited in the contract (Service Level Agreement), and the service 24x7 normally implies service costs which do not limit the main corporate operations. To sum up, the characteristics which identify a product as Security as a Service are the following5: It is physically distributed and managed outside the organization which uses it. It belongs to an entity different to the organization which uses it. It is invoiced according to use or subscription. Physical and logistic resources are shared by different client organizations (one sole software instance renders service to multiple hosts).
5
Yefim V. Natis. Introducing SaaS-Enabled Application Platforms: Features, Roles and Futures. Gartner RAS Core Research Note G00150447, 14 de Agosto de 2007.
Optenet
6
Security as a Service through Telcos and Service Providers
White Paper
This last feature is normally known as “multi-host” or “multi-tenant” and confers efficiency and profitability to the service. Therefore, it limits a priori the customization level which can be achieved.
Pros and cons of Security as a Service
In comparison with other security services model (specially the internal service), Security as a Service offers important advantages for the consumer: Less administrative responsibility – most part of the responsibility is transferred to the provider. Less barriers to change suppliers. Service Level Agreements – these agreements guarantee service levels which, maybe the company is not able to provide internally. Horizontal scaling – more use, more cost but always proportional. Redundancy – guaranteed by the provider. Less use of the existent infrastructure – as it is not necessary to dedicate servers to the contracted tasks. Lower possession costs – the software license is not acquired; the provider acquires it and the company pays for the use.
There is an additional advantage when the provider of the service is the Internet provider or has access to great volumes of traffic. An increasing model for security applications is that in which an operator or Internet service provider provides hosting of the application, installing software developed by a security products manufacturer. In this model, the role of the provider of the platform and the one of the application provider match with the manufacturer of the security product. Most security services are overlapped in the network and the position of the operation is the best to guarantee the network for its clients. This is emphasized because the position of the operator enables to correlate security events on a large scale and to limit the scope of the problems such as massive intrusions or denial-ofservice attacks. Nevertheless, Security as a Service has also its disadvantages: Less visibility for the resolution of problems - most part of the operation is remote and is in the hands of third parties. International regulations – some laws may set limits, like those affecting National Security and encryption in US. (This type of problems is solved through the use of local service providers.)
Optenet
7
Security as a Service through Telcos and Service Providers
White Paper
We should add to these limitations, those intrinsic to the provider of the service. The provider has to guarantee certain levels of service at a reasonable cost and in an increasing manner; therefore it has to create a complex and delicate business model. On the contrary, the provider wins in terms of profitability of its own equipment and staff being able to share everything among different clients.
Virtualization and multihost
When the applications provider of Software as a Service designs the underlying working platform, it has two opposite options: To make use of the virtualization of servers, consists on a series of virtual servers on the same hardware machine, in a way that each server can service a client in an isolated manner. In each virtual machine a software instance is installed which implements the proposed service. To implement a multihost platform, in which the physical machine supports several clients with one sole software instance, which implements the service.
Each option has its advantages and disadvantages: In the case of virtual servers, each client implies one or more virtual servers, which by default, use certain extra criteria for each virtual machine. In relation to efficiency and scalability, the multihost option enables optimization of physical resources in a more precise way, instead of in big groups. Each virtual server has an effective data isolation capacity, so it is possible to guarantee security among different clients served by the same physical machine in a relatively easy manner. In addition, this can be achieved maintaining the correlation capacity of events at a network level because all clients continue sharing the same physical network. In the case of the multihost systems, it is necessary to design the application so that a client with bad intentions may not access other clients' servers from the same machine, although it is possible to achieve it using the relevant programming and encrypting techniques. If one virtual machine renders a service to one sole client, it is possible to install in it the services exclusively necessary for that specific client and to adapt them to its specific needs achieving a high level of customization. This level of customization is more difficult to achieve in the case of multihost systems, as they imply the combination of a license system (to guarantee that each client access to suitable features) with a highly adaptable user interface (which admits the dynamic redesign by the clients). In order to guarantee a good quality of the service and to manage the invoicing of “payment according to use”, it is crucial to forward operation reports not only at the client’s level but also at the supplier's level. The multihost platforms incorporate this capacity in a practically implicit manner.
Optenet
8
Security as a Service through Telcos and Service Providers
White Paper
In general, we can assert that the multihost model is more complex in the sense that it requires a closely designed platform but it is clearly more flexible, efficient and scalable. The customization capacity is the aspect which in praxis governs many of the decisions taken within the Software as a Service scope. Multihost platforms are adapted to render a similar service to many clients, a low customization model which has been called “one-to-many” and that is being kept for small and medium clients and for home users. When it is about rendering a service to a big corporation with very specific needs, you frequently choose a model based on virtual machines where you install tremendously customized services, a model called “one-to-one”. The main challenge that the multihost platforms are facing is to render high levels of customization which needs a close and flexible design. Obviously, in the case of corporate security, this aspect is totally fundamental.
Challenges of the corporate security
The event of Security as a Service implies an important change of perspective. Not only the security function is important in itself, but also how is it delivered to the client and its cost. Bearing in mind these points, it is possible to think about the challenges that the security service provider has to face with a view to provide his clients with a service of the highest quality, in the most profitable way for both parties. Given the abovementioned, the main challenge is to provide the client with remote services, flexibly managed, highly customized, comprehensive, in a profitable manner, highly scalable for the supplier and supporting great data bases of users. Now we will study these aspects one by one: Customization. Security as a Service is normally understood as a “one to many” service which implies that one general function (Ex. Antispam) is rendered to several clients in a standard manner with very little customization. Sometimes it is possible to cover wide users segments with a minimum configuration for each of them, like in the case of spam mail filtering. Nevertheless, other services can require greater customization. For example, in the case of Web contents filtering, it is necessary to establish in detail what , when and of whom is blocked. Remote services, flexibly managed. It is possible to dispose of the security function in a remote manner, so that the administration costs can be reduced. Aspects relating to low level administration (hardware, support software) are specially important, which have to remain in the hands of the service, and it is interesting that those high level services (definition and implementation of policies) can remain in the hands of the company. Comprehensive solutions (UTM). Although it is possible to have mixed models, comprehensive security models (firewalls, intrusions detectors, denial-of-service attacks, email and Web antivirus, antispam, Web contents filtering, etc.) present more profitable scenarios for the supplier as well as for the client. The client benefits from the multitask
Optenet
9
Security as a Service through Telcos and Service Providers
White Paper
administration systems (one single interface), less costs related to use and one single figure in what refers to security. The provider can correlate security events and render higher quality services, it can market new services such as aggregated offers and escalate its equipments and staff in a more profitable and uniform way. Currently, very little complete solutions are offered and most times in a managed manner, using multimanufacturer software with high costs due to the complexity of the management. High scalability. Most commonly used solutions based in virtualization, offer scalability possibilities normally limited to one or two services (Ex. Virtual firewalls). The challenge is to achieve multiservice horizontal scalability within the own provider, with the capacity to add resources in a simple way, nearly automatic, following the growth of the clients database. Technologies which can give support at the scalability level required are those parallelization technologies which enable to implement one function in a distributed manner without the need of worrying in each moment about in which server is the processing being done for a specific client. Profitable administration. The management of hundreds, thousands of clients leads already to high costs in terms of hardware, and also in terms of staff. Physical administration can also be done in a profitable manner with specialized staff but it is extremely complex to render comprehensive solutions with multimanufacturer hardware, as it is necessary to count with experts not only in functions but also in the applications used. The challenge is to provide one sole administration not only for the client but also for the service supplier, which may escalate its administrative staff in a horizontal way with clients, by means of training in one sole and comprehensive solution. The combination of parallelization technologies with a central administration allows maximum scalability, as in practice software and hardware data are decoupled. In other words, new clients implies new machines but it is not necessary to decide which machine renders services to which client (central administration) and it is not necessary to contract or train more staff. Coverage of great data bases of users. Although it is clear that there are clients of different sizes (Ex. micropymes vs. multinationals) all of them have different requirements, it is desirable to grant the necessary flexibility to the solutions in order to satisfy all of them. Therefore, it is necessary to offer comprehensive solutions which allow maxim decentralization of the company’s activity and which hide administration details at will. For big clients, the solution has to cover multiple headquarters with independent business profiles regarding localization (ex. The financial department is distributed in several headquarters) management of virtual private networks, coverage of mobile workers (with policies which apply independently to the connection site), etc. Such services can be rendered in a specially profitable manner as security for the supplier. At the same time, administration should be as flexible as to hide non-required tasks or too complex tasks. As a consequence, interfaces have to be offered to users of different complexity, to different types of clients but customizable in all cases. If such coverage is achieved, profitability in the service and business model are guaranteed.
Optenet
10
Security as a Service through Telcos and Service Providers
White Paper
To sum up, companies and security providers demand security software systems which: Propose global security solutions (UTM) in one sole manufacturer. Achieve an effective decoupling between hardware, software and data, which enables maximum levels of scalability and flexibility. Are highly customizable and adaptable to the clients’ needs.
A software or appliance with these features offers the highest development opportunities at the level of the Internet access supplier, which may present offers to cover, in a unified way, both the access and the protection. Once located in the access supplier, it can offer coverage to residential users, micropymes, small and medium companies or great transnational corporations both autonomously and managed in the case of bigger clients.
Optenet Solutions
Each of the security as a service models offer several advantages and disadvantages either for the client or for the supplier. Among all SaaS models, the Multihost model is the one with the most flexible format, as it enables the supplier to perform all maintenance and administration duties, which implies less operation costs which can be transferred to clients. The providers of these services will find within the range of Optenet products, solutions easily scalable with which they can offer their clients state of the art technology in security services in electronic messaging, security and Web filtering.
OPTENET SA José Echegaray nº 8. Edificio 3, 1ª Planta, módulo 1. Parque empresarial Alvia - 28230 Las Rozas. Madrid (SPAIN) Tel.: +34 902 154 604 Fax: +34 913 575 433 Email: [email protected] Web: www.optenet.com Optenet is a global IT security company that provides high-performance security solutions to service providers and large enterprises worldwide. Optenet’s technology protects 75 million end users around the globe, including the customers of many of the world’s leading ISPs and mobile operators, as well as employees of global enterprise organizations. The Company is a socially conscious organization, committed to eliminating illegal content on the Internet, protecting children and supporting government agencies and non-profit organizations that share the same goal. For more information, visit www.optenet.com Copyright © 2009 Optenet
Optenet
11
