How modern security is much more than simply installing anti-virus software on your workstations!

■ Security as a Service – what’s that then?

Security as a Service (SaaS) is a licensing model whereby your security product is purchased on a subscription basis, and delivered through a centrally hosted mechanism. Think of it as a cloud-based outsourcing model for security management and you won’t be far wrong. Or, if you prefer, you can go all Tolkien and describe it as "one solution to serve them all" – meaning the same back-end watches over all of your various endpoints, from desktops to servers to mobile devices. The services on offer range from traditional desktop security scanning to fully managed email hosting and website-vulnerability scanning.

■ But isn’t the cloud the Wild West of the IT world? Should we trust our security to it?

Like it or not, the cloud is now accepted as part of the business IT furniture, from the smallest to the biggest of companies. The same is true in the consumer space: we’ve all become used to interacting with cloud services for data storage, email and service delivery such as music and video streaming. As the cloud has become more familiar, it’s matured, to the point where it can be generally trusted to deliver security solutions. Remember, we’re not talking about the security of the cloud itself, merely its suitability as a distribution channel for the services that do the actual work of protecting our data and resources.

■ So what’s really new and different about SaaS?

Traditionally, the security industry has tended to develop in evolutionary steps – even in response to major developments in the threat-scape, from the emergence of distributed denial-of-service (DDoS) through to the rise of targeted, long-term attacks known as "advanced persistent threats". With the speed of delivery offered by the cloud, there’s a real feel of revolutionary change in our defenses at last. By its very nature, the security-services industry will always be largely reactive – attackers launch a new threat, and then security services respond to it – but cloud delivery means the response can be launched more effectively than ever.

■ Isn’t this just a case of following the herd?

It may look like security providers are simply jumping onto the fashionable cloud bandwagon, but there’s more to it than that. The major threat no longer comes from virus infections that can be countered by signature-based standalone products; threats are now mobile and dynamic, so the defenses need to be the same. By moving to a model where both users and threats are diversely distributed, the vendors can do a better job of protecting the former from the latter.

■ So where does this leave traditional, perimeter security measures?

If traditional measures aren’t dead in the water, they’re much less relevant than they used to be.

The average business nowadays has data sitting across a number of networks and devices – plus users bringing in their own devices and using their own cloud services – so traditional network security becomes difficult to enforce. Moving security into the cloud makes it easier to apply to all devices and all traffic.

■ So SaaS is more than just a cloud-based

anti-virus scanner?

You seem to be getting the idea! SaaS is much more flexible than conventional anti-virus, so it can fit the needs of both businesses and consumers. Think of it a pick-and-mix approach, offering the precise protection to meet your needs. For example, as well as protecting against the latest malware threats by ensuring your security database is always up to date, SaaS can simultaneously provide DDoS protection that kicks in with the necessary measures as soon as a potential attack is identified.

■ This is starting to sound expensive...

The subscription fees actually compare quite favorably to managing your security locally – once you factor in the regular product upgrades and the management of those updates, which you no longer need to worry about.

Being able to budget on a per-user basis, with management of real-time updates, can dilute both the cost and complexity of keeping your business secure. It’s easier to deploy additional services, too: DDoS protection, for example, can be provided by way of a budgetable monthly supplement, without the need to roll out new hardware or think about update costs as the threat evolves.