Why are Companies in the EU Adopting More and More Cloud-Based Security Solutions? François GRATIOLET, Qualys Inc., CSO EMEA
Agenda
- What is the cloud business value?
- What about the SecaaS?
- Why are companies increasingly adopting cloud-based security solutions?
- Key takeaways
- How to increase transparency?
What is the Cloud Business Value?
[Diagram. Labels: Continuous Security Built into the Infrastructure; Private Clouds; SaaS; PaaS/IaaS; Security Delivered as a Service; Security as a Service; Zero Days; Phishing; Web Applications; Targeted Attacks; Attack Kits; Internet; Mobile Threats; Social Networking; The soft belly of Cloud Computing; Net Devices Replacing Corporate Desktops; Data Centric Security Model]
What About the SecaaS?
SecaaS, or Security as a Service, or cloud-based security services:
- Security controls that are owned, delivered and managed remotely by one or more providers. The provider delivers the security function based on a shared set of security technology and data definitions that are consumed in a one-to-many model by all contracted customers anytime on a pay-for-use basis, or as a subscription based on metrics.
- Security as a Service refers to the provision of security applications and services via the cloud, either to cloud-based infrastructure and software or from the cloud to the customers' on-premise systems.
[Figure: Taxonomy of IT security services]
What About the SecaaS?
An emerging market
- Services in many forms, which have caused market confusion and complicated the selection process for end users
- Fuzzy and closed frontiers between sub-segments and markets
- Pure players, new entrants, defense and historical players to come
- Collaboration and competition
A star and growing market
- A very attractive EU market, which was estimated at $1.5 billion in 2011
- Gartner predicts that cloud-based security service use will grow to $4.2 billion in 2016 with a 23,4% CAGR
Main market segments
- IAM services, Secure Web Gateway, Secure Email Gateway, SIEM
- Distributed-denial-of-service protection
- Security intelligence, Vulnerability Assessment
What About the SecaaS?
[Figure: Segments annual growth rates]
Why Companies are Increasingly Adopting SecaaS?
Why Companies are Increasingly Adopting SecaaS?
Business Drivers
- Adoption of the cloud in order to enhance IT business value at utility, transformation and innovation levels
- Focusing on their core business, using security specialists
- Risk management at the governance level
- Flexibility and agility
- Addressing global presence and smooth deployment needs
- Do more with less
- Addressing increasing compliance requirements to standards (e.g. PCI-DSS for merchants) and EU regulations (e.g. EU data privacy and breach notification legislation)
Why Companies are Increasingly Adopting SecaaS?
Security Drivers
- The CISO, becoming more strategic, has to excel in innovation, technology, stewardship, and operational efficiencies
- War for talent and scarcity of security expertise on the market
- Access to more advanced security services
- Easy integration and complementarity of SecaaS solutions
- Anticipating more, and reacting efficiently and quickly to new cyber threats and vulnerabilities
- Focus on analyzing security information and making decisions, not implementing the services
- Better enforcement of security policy, governance and processes
- Automatic and transparent security updates and patches
- Availability of new features and services without deploying software agents/updates
Why Companies are Increasingly Adopting SecaaS?
Cost Drivers
- Reduction of operational cost and maintenance
- Only OPEX budgets, no CAPEX budgets required
- Lower switching costs
[Figure. Source: 2010 Forrester study «The Total Economic Impact of QualysGuard» (Net Present Value computing)]
Key Takeaways
Cloud services can improve security
- Cloud-based security solutions can be more robust, effective and cheaper than traditional enterprise software solutions. It's a matter of managing risks vs rewards
- Security is increasingly being seen as a driver rather than an inhibitor (2011 Cloud Computing Outlook Survey by Cloud.com)
Some issues and challenges remain
- Service management and governance
- Liability, contracting and SLA terms and conditions
- Right to audit the provider
- Data location and transfer
- Auditing and security certifications (ISO 2700x, SSAE-16)
- Need for further standards development in order to increase trust and transparency
Some SecaaS solutions are on the way
- Web Application Firewalls (WAF), cloud-based log management solutions
How to Increase Transparency?
SIEM
- The ability to make security event information from the cloud service available for the organization to process in existing enterprise Security Information Event Management (SIEM) systems.
Identity Management
- The ability to allow an organization to manage the identities of the individuals within the organization that use the cloud service, which is also known as Federated Identity Management (FIM).
Third party risk management
- As more organizations depend upon third parties for critical and important business processes, the need for a formal third party risk management program has become more important.
- Service Organization Control (SOC) reports
- Shared Assessments Standard Information Gathering (SIG)
- ISO 27001 certifications
- Cloud Security Alliance Consensus Assessments Initiative Questionnaire (CAIQ)
- Cloud Security Alliance Cloud Controls Matrix
Qualys at a Glance
QualysGuard Cloud Platform & Suite of Integrated Solutions
- 6,500+ Customers
- 100+ Countries
- $99M LTM Revenues*
* The 12 months ended June 30, 2013
Cloud Oriented Architecture
[Diagram. Labels: VMware ESX and ESXi; Perimeter Scanners; IaaS/PaaS Scanners; Physical Scanners; Hypervisor; Browser Plugins; Virtual Scanners; Mobile Agents]
Integrated Security & Compliance Solution
[Diagram. Labels: Continuous Asset Discovery; Network Threat Protection; Web Application Security; Governance Risk & Compliance; QualysGuard Cloud Platform]
QualysGuard Private Virtual Cloud Platform
Extends the reach of Qualys by enabling MSSPs, large enterprises, government or military agencies to deploy the QualysGuard Cloud platform in their own data centers.
- Remotely managed by Qualys
- Planning fully disconnected version for military/federal
- SOC 24x7x365 Monitoring and Support
- Daily Vulnerability Feeds
- Bi-quarterly Platform Updates
- VMware ESX and ESXi
- VCE Implementation
Qualys Cloud Deployment Model
Thank You fgratiolet@qualys.com