The growing prominence of the cloud has ushered in the era of “as-a-service” solutions. According to a report by the IMARC Group, the “anything-as-a-service” market is set to reach $344.3 billion in value by 2024 with a CAGR of 24 percent (forecast period: 2019-2024).
One of the biggest portions of this market is security-as-a-service (SECaaS). A separate study by Markets and Markets projects that SECaaS will grow to a $26.4 billion market by 2025, which is more than double its estimated value of $11.1 billion in 2020. This significant growth is attributed to the high cost of managing on-prem security solutions and the ever-increasing demand for cloud-centric security services. Also, stringent data security regulations are regarded as a major growth driver.
The question, though, is whether or not security-as-a-service solutions provide adequate protection. Are they as good as conventional cybersecurity with on-premise equipment and software operated by an in-house security team? Are there risks or weaknesses to be mindful of?
What SECaaS provides
Security-as-a-service solutions can provide virtually all of what conventional security solutions deliver. A paper presented at the 2017 International Conference on Web Information Systems Engineering lists ten categories of security services that SECaaS offers. These are as follows:
- Identity and Access Management (IAM)
- Data Loss Prevention (DLP)
- Web Security (WS)
- Email Security (ES)
- Security Assessment (SA)
- Intrusion Management (IM)
- Security Information and Event Management (SIEM)
- Network Security
- Business Continuity and Disaster Recovery
These are essentially the top security concerns of organizations that maintain their own cybersecurity team and assets or those that employ third-party solution providers. However, the 2017 paper concluded that more work is needed to define more SECaaS business applications, particularly when it comes to creating a “model to test in both simulated and real environments.”
Fast forward to 2021 and a few security firms can now prove that SECaaS can indeed provide a reliable and effective security posture. Security-as-a-service platforms even cover attack simulation through different approaches to automated breach and attack simulation (BAS).
The best security-as-a-service solutions on the market can be used to efficiently test the effectiveness of existing security controls. They can automatically generate recommendations on how to address weaknesses or vulnerabilities and deal with an extensive range of attack vectors. They are useful in detecting immediate threats, managing an organization’s security posture, evaluating security products, automating purple team procedures and security assurance, and checking for compliance with security regulations, among others.
Moreover, many SECaaS platforms take advantage of the MITRE ATT&CK framework, which enables the systematic detection and prevention of the latest cyber threats based on the most up-to-date threat intelligence worldwide.
Compared to conventional security solutions, SECaaS delivers greater cost-efficiency as it does not involve expenses for additional software, equipment, and personnel. Everything is cloud-based, so there is no need to hire more security experts and spend on the hardware and software they need. The organization only needs login credentials to access the security services on the cloud.
Another benefit of SECaaS is the unification and centralization of an organization’s security posture. It can be used to manage all of the security controls and coordinate threat detection and response. This results in consistent and dependable protection. It also means faster user provisioning and maintenance-free operations. There is no software to update and no in-house hardware to troubleshoot.
Moreover, adopting a security-as-a-service solution helps address the problem of security alert fatigue. It is not uncommon for companies to get thousands of security alerts and notifications in a day. Not every security alert merits an urgent response, and not all of them even represent real threats. Through SECaaS solutions, especially those that employ advanced AI threat detection algorithms, spotting and ranking critical alerts becomes easier.
“While the systems in place as part of corporate IT infrastructure are efficient at detecting and reporting intrusion attempts, 52 percent turn out to be false positives and 64 percent are redundant,” writes former CIO and cybersecurity journalist Scott Koegler in a piece for Security Intelligence. “At some point, this constant review and evaluation lead to alert fatigue, making it likely that one or more serious intrusions will be missed,” Koegler adds.
The security-as-a-service model makes cybersecurity dramatically easier, less costly, more organized, and better informed. With all these benefits, having a genuinely dependable security posture is no longer a pipe dream for most organizations with limited resources and cybersecurity expertise.
SECaaS is far from flawless, though. It has its own set of challenges. In particular, it can create opportunities for resourceful and inventive cybercriminals to succeed with their attacks. These chances for security breaches can arise at the sending connection point, the receiving connection point, the sending point for the return, and the receiving point for the return.
Since SECaaS systems are cloud-based, internet connectivity is a crucial factor. An intermittent or unreliable web connection can impair the operation of the system. It can present vulnerabilities during the across-the-net round trip of security service requests.
To make sure that all possible opportunities for interception or corruption are plugged, it is important for the SECaaS provider and the client organization to coordinate closely. This may sound ironic considering that one of the supposed advantages of security-as-a-service solutions is the hassle-free operation of the system and the clients’ peace of mind in relying on the technical expertise and reliability of an experienced third-party security provider.
Still, this does not mean that SECaaS is unreliable or unstable. As IT security journalist Davey Winder notes, “the rise of cloud-based security is an indication of how trustworthy cloud computing has now become.” It has been years since cloud-based security providers started offering their services. So far, there have been no serious allegations of infirmity or defects in the cyber protection they provide.
Advantages outweighing the risks
The “as-a-service” model of establishing and maintaining a security posture is like the outsourcing of an organization’s cybersecurity. It entails the relegation of security functions to a third-party entity and implied trust in the competence and capability of the security provider. It is understandable to be skeptical about this setup, but the experiences of many companies that turned to SECaaS solutions can serve as proof of reliability. Of note, no SECaaS provider has been embroiled in a scandal of security failure. Security-as-a-service is not for everyone, and it is still undergoing further development to improve its effectiveness and efficiency. However, the growth projections in the SECaaS market indicate the increasing trust in the system. For now, the benefits overwhelm the risks and doubts over the dependability of SECaaS.