I spend my days advising CISOs on building robust security programs. Many mid-sized firms struggle with limited budgets and a skills shortage amid ever-growing threats. Outsourcing to SECaaS seems alluring but brings additional risks.
Through this guide, I aim to provide an objective expert assessment of SECaaS, illuminating the less obvious challenges that get glossed over initially.
So let's get started!
What is Security as a Service?
Think of SECaaS as renting rather than building security protection. Just like using Slack for communications or Salesforce for CRM, you leverage external providers to safeguard critical business systems and data.

Forrester defines SECaaS as outsourcing security management to mitigate risk at reduced costs. Rather than large CAPEX investments in security infrastructure and tools managed in-house, it shifts spending to predictable OPEX subscription fees.
Think enterprise-level protection without the headaches of integrating disparate vendors, upgrading outdated systems, and hiring scarce security talent.
However, as promising as it sounds initially, SECaaS comes with notable downsides. Let's dig deeper…
Types of Security as a Service
SECaaS serves as an umbrella term for varied solutions centering on data, applications, infrastructure and network security:

Cloud Security Posture Management
- What: Continuously scans cloud environments to reveal risks from faulty configurations, storage exposures, identity gaps, suspicious user activities etc.
- Key Benefits
  - Identifies weak spots before attackers exploit them
  - Automates assessment of complex cloud estates
  - Faster remediation guided by actionable insights
- Watchouts
  - Entry-level CSPM lacks holistic visibility and mainly flags basic gaps
  - Fine-tuning rulesets and thresholds essential to minimize false positives
  - Skills still needed to contextualize findings and prioritize fixes
Cloud Workload Protection Platforms
- What: Deliver integrated security safeguards tailored to protect cloud workloads spanning serverless, containers, VMs etc. Capabilities like vulnerability assessment, micro-segmentation and anomaly detection are provided via a single window.
- Key Benefits
  - Uniform protection regardless of workload type or cloud provider
  - Rich analytics into vulnerabilities, lateral movement risks etc.
  - Tight integration enables rapid response and containment
- Watchouts
  - Significant network performance impact possible after full-scale rollout
  - Providers interpret vulnerabilities differently, so ratings/severity levels might clash with internal tools
  - Orchestrating changes across environments requires thoughtful change management
Cloud Access Security Broker
- What: Proxy-based security stack monitoring access to cloud applications, especially SaaS apps. Enforces policies related to authentication methods, device posture, anomalous behavior, data exfiltration etc.
- Key Benefits
  - Granular control over high-risk user activities
  - Session management limits breach impact
  - DLP and malware scanning fortify data protection
- Watchouts
  - Users often find overbearing controls productivity killers
  - Extensive logging and reporting essential for value; insights are useless otherwise
  - Rigid policies that impede work might encourage shadow IT
Network Security
- What: Cloud-delivered protections for on-premise and cloud-based networks, spanning next-gen firewalls, intrusion detection/prevention, VPNs etc.
- Key Benefits
  - Always updated to latest cyberthreat intelligence
  - Tap the provider's threat visibility across its global client base
  - Add capacity seamlessly during peak loads
- Watchouts
  - Complete visibility into data flows often unavailable
  - Meeting specialized needs difficult via multi-tenant platform
  - Separate channels required for sensitive control traffic
Clearly, SECaaS comes in different flavors catering to diverse security priorities. Let's analyze the pros and cons further…
Key Benefits of Adopting Security as a Service
Many compelling factors drive SECaaS adoption, including:
Significant Cost Savings
Migrating fully to Zscaler's SECaaS platform reduces security costs by 50% to 70%, according to a Forrester TEI study. The savings from ditching expensive hardware, software, maintenance fees and complex integrations add up. Table 1 summarizes areas of cost optimization:

Instant Protection, Faster Innovation
Waiting months for a new firewall deployment while facing growing threats is terrifying. SECaaS brings instant guardrails across endpoints and cloud apps, buying precious time to boost detections.
Most providers roll out new defenses such as deception technology and user behavior analytics quickly by distributing them across their customer bases, unlike delayed in-house updates.
Improved Security Posture
59% of organizations confirm strengthened security after adopting Zscaler's SECaaS, as per Forrester. Round-the-clock vigilance, prompt threat intel updates and superior mitigation abilities explain the improvements.
Unifying policies centrally also eliminates the gaps from configuration drift that plague distributed security tools.
Key Tradeoffs and Considerations
Despite compelling benefits, using SECaaS extensively also introduces additional risks around visibility, control and reliability:
Vendor Lock-In Hazards
Migrating fully to SECaaS creates over-dependence on vendors. Custom software agents, proprietary interfaces and non-interoperable data formats prevent easy transitions between services. Know the exit challenges upfront, before committing excessively to any vendor.
Questionable Reliability Claims
Because SECaaS depends on the cloud, outages interrupt protection. In 2021, Azure AD and Okta each suffered multi-hour disruptions, showing that cloud reliability is still hit-or-miss. On average, providers promise 99.95% uptimes which still means 90 minutes downtime/month.
Compliance Uncertainty
Regulated industries like healthcare and banking often forbid external systems from accessing sensitive data. Vet provider infrastructure and personnel management controls before allowing data processing.
One-Size Fits None
Default security templates rarely match specialized needs. Although essential controls omitted initially get added over time through custom development, compromised protection remains a reality for anomalous use cases.
Clearly, pros and cons exist. Adopting SECaaS requires careful evaluation of tradeoffs.
So what's the best way forward?
Navigating the Optimal SECaaS Adoption Roadmap
Talking to numerous CISOs and observing the cybersecurity landscape closely has convinced me that taking an incremental approach works best.
I recommend a 3-phase maturity process:

Phase 1: Tactical Adoption
Start by plugging immediate security gaps through cloud-based controls like SWG, CSPM etc. rather than completely shutting down sandboxed data centers.
Phase 2: Strategic Growth
Once comfortable delegating selective functions to providers, strategically transition more controls, such as WAF and DNS security, in line with business priorities.
Phase 3: Complete Outsourcing
After rigorous due diligence, shift the entire security ecosystem to SECaaS across cloud, endpoints and network. Retain oversight responsibilities internally despite leveraging external capabilities.
Jumping prematurely into Phase 3 without solid guardrails risks dangerous business disruptions from severe vendor lock-in. Proceed gradually as internal skill sets and processes mature in parallel.
Evaluating Top Security as a Service Providers
Finally, with many SECaaS providers promising effective protection, selecting the best platform feels daunting. I advise using an evaluation framework (see Table 2) that assesses different elements:

Here's my take on 5 leading platforms:
Zscaler – Comprehensive Cloud-Based Security
With one of the longest track records in the SASE space, Zscaler offers the widest range of security services, including sandboxing, DLP, CASB etc. A truly platform-based approach.
Perimeter 81 – Zero Trust Network as a Service
Perimeter 81 focuses on secure network/application access for hybrid environments via zero trust architecture. Extremely reliable, with great customer support.
Cloudflare One – Fastest Global Network
Cloudflare One leverages its extensive global backbone to provide fast, reliable network-based security. Natively integrated with the Cloudflare proxy service.
Symantec Web Security Service – Robust Cloud Proxy Security
The longest-running proxy-based security offering, successfully protecting organizations as traffic moves between users, applications and websites.
McAfee MVISION – Unified Cloud SECaaS
McAfee's converged cloud security platform stitches together Cloud Access Security Broker (CASB), Secure Web Gateway (SWG) and Zero Trust Network Access (ZTNA).
Evaluate vendors thoroughly using a framework that captures security efficacy, flexibility, hidden costs etc., going beyond simplistic feature comparison.
Final Thoughts
The threat landscape will only intensify with rising IoT and cloud adoption. Although SECaaS promises effective security and lower TCO, concealed pitfalls exist!
Avoid over-relying on external providers. Take an incremental approach, interweaving in-house and cloud-based controls for resilience. Finally, don't forget fundamental security hygiene, your last line of defense!
Stay safe out there, folks!