Security as a service: 5 key considerations for IT Ops teams

The security-as-a-service (SECaaS) model, where key information security functions are delivered as a hosted service, is gaining popularity, in the same way that cloud services offerings for general IT did a few years ago.

For security groups, the new model offers an opportunity to offload functions that have become too costly, too complex, or much too under-staffed to manage internally. But as with other cloud-hosted services, SECaaS comes with its own caveats and cautions, especially for organizations in regulated industries.

A study that 451 Research conducted earlier this year on behalf of OPAQ Networks found interest in SECaaS to be especially strong among midsize companies. Key areas of interest included data loss prevention, network access control, and encryption. Other cloud security services of high interest include threat management, URL filtering, and SSL decryption.

About 70% of the 301 executives surveyed by 451 Research said they preferred the hosted security model over on-premises security—with 90% saying they were considering moving to SECaaS in the next 12 months.

Is your organization considering SECaaS? Here are five key considerations from top experts.

1. Know how to vet your vendors

Make sure you know what questions to ask of any vendor that you want to use as a managed security service provider, says Jim Reavis, co-founder and CEO of the Cloud Security Alliance (CSA). That means finding out what types of security certifications the vendor has and how it addresses compliance with standards such as GDPR, HIPAA, and PCI.

When vetting a vendor, make sure to ask about its processes for protecting data—particularly PII—through the entire lifecycle, from creation to deletion. Verify the maturity of its encryption and key management capabilities and inquire about how it handles identity management, identity federation, and multi-factor authentication.

Make sure it can provide comprehensive logfile information for your service and check whether that information can be manipulated by other services. The CSA's recommended questionnaire for SECaaS providers lists 295 questions in total. "It is important to start with a view to being comprehensive, then eliminating questions that may not be relevant, based upon the particular service," Reavis says.

Look for a vendor with specialized experience in your industry, said Garrett Bekker, an analyst at 451 Research. Having a provider that is familiar with how your business operates and how you make money can make the transition to a managed security model easier.

2. Assign responsibilities clearly

SECaaS allows organizations to offload the handling of security functions but not the responsibility for it. You are still primarily accountable for your organization's security posture and its failures, so a shared responsibility model is critical to ensuring the success of your SECaaS engagement. 

When considering SECaaS, you need to have a clear understanding of who is responsible for securing what, advises ISACA in a whitepaper. Have a clear idea of who has access to your data and what data they have access to, and know where audit logs, user credentials, and other important data are stored and how the data can be accessed.

Your contract should clearly specify how data ownership is determined, what the obligations are to protect the data, and how those obligations will be enforced, ISACA has noted. Before signing up, identify if there will be any gaps in the security vendor's coverage and determine how those gaps will be addressed.

3. Know what to outsource

Managed security service providers can deliver a wide and expanding range of capabilities, but recognize that there are some capabilities you are likely better off keeping in-house, says John Pescatore, director of emerging security trends at the SANS Institute.

Any security function that is wrapped around an internal business condition or peculiarity, for instance, is something you don't want to outsource. "For example, things like protecting SAP traffic is very business-dependent," he says. What is going on in your network might be an attack or it could be normal traffic, and the service provider may not be in the best position to determine that in a crunch.

Similarly, security functions such as SIEM and user and entity behavior analytics (UEBA) can be tough for a third party to handle without having a very good understanding of what's normal for your network and endpoints. Large organizations need to be careful even about migrating functions such as network and web application firewall management to the cloud if they have thousands of rules around the technologies, as many enterprises do, Pescatore says.

4. Have a strategy for managing risk

Outsourcing security to a third party comes with a certain amount of risk regardless of the precautions you take to minimize it. So, in evaluating the value provided by a SECaaS model, you also need to have a thorough understanding of all the business risks associated with using that model and decide how you want to manage them, ISACA says. Common strategies include accepting the risk; mitigating it through some form of physical, administrative, or technical control; avoiding practices that elevate risk; or transferring risk to a third party such as an insurer.

"Risk threshold levels in selecting and implementing a SECaaS solution should be evaluated and approved against enterprise-acceptable risk and tolerance levels," ISACA says.

5. Be prepared for a learning curve

Organizations that go the SECaaS route can get blindsided by the changes if they are not prepared for them. Having security delivered as a service represents a major architectural change that, among other things, could affect your other, existing IT controls and practices.

"The biggest drawback reported to me is the learning curve enterprises have in dealing with new security services," Reavis says. "Some SECaaS provides a familiar service in a new form factor, such as application firewalls, whereas some SECaaS asks you to rethink security in more fundamental ways, such as how DevOps changes the paradigm of patch management."

The MSSP model evolves

"SECaaS providers are cloud providers and need to be held to the same standards," says Reavis of the Cloud Security Alliance.

The SECaaS vendor is a real-time part of the customer's enterprise and therefore needs to be vetted as carefully as you would any technology you use internally, he says. "Organizational governance, adherence to technical standards, comprehensive APIs, and clear SLAs are among the most important factors" when signing up for security as a service, he says.

The SECaaS model is somewhat different from the managed security services provider (MSSP) model that numerous vendors have offered for years. The biggest difference is that, with SECaaS, security functions are delivered completely as a cloud service. Organizations for the most part do not need to have any on-premises equipment for the particular capability for which they have signed up, says SANS Institute's Pescatore.

In many cases, the customer's traffic is routed through the cloud security service provider's cloud, though with some services, such as penetration testing and vulnerability scanning, that routing is not necessary. All security functions are provided from the SECaaS provider's environment instead of simply being managed from there, as was the case with typical MSSP engagements a few years ago, Pescatore notes.

DDoS mitigation and antivirus protection were among the first security functions to be delivered entirely from the cloud. Currently, almost every security function for protecting organizations against threats, helping them to detect issues, and responding to them is available via the cloud. Examples include intrusion prevention and management, firewall management, authentication and identity management, data loss prevention, managed detection and response, encryption and key management, URL filtering, and SIEM.

Gartner expects the cloud-based security services market to grow from $5.9 billion in 2017 to $9 billion in 2020. Driving the market in that direction are many of the same factors that drove IT to the cloud a few years ago: cost, complexity, and staffing pressures.

Security organizations are under tremendous strain from increasing security threats and having to manage a constantly growing portfolio of security tools and services for dealing with them. For such organizations, SECaaS offers the same benefits that other cloud services do, including a way to reduce capital equipment costs, to pay based on use, and to get security services quickly, at scale, and on demand.

451 Research's Bekker said most organizations are dealing with more tools than they can manage amid a chronic shortage of skilled people.

"There's been a massive proliferation of vendors. There's too much stuff to manage and not enough people to do it. SECaaS has become a mathematical necessity."
Garrett Bekker

Mike Perrow, former managing editor at TechBeacon, contributed to this report.