saas secures in uncertain times -...

SaaS SecureS in uncertain timeSSoftware-as-a-Service Improves Web and

Email Security in Tough Times

Contents

SaaS improves Web and email Security in tough times . . . . . . . . . . . . . . . . . . . . . . . . . 1

Understanding Today’s Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Inside SaaS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

SaaS and Security: A Natural Fit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Cutting-Edge Tools and Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

SaaS marks the next Step in the Journey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Getting the most From SaaS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

about Webroot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

SaaS Secures in Uncertain Times

SaaS Improves Web and Email Security in Tough Times The software-as-a-service model can help you stay ahead of Web and email threats without breaking the bank on infrastructure and management.

There are three truisms about a tight economy that every IT manager knows: You have to

support more projects with fewer people and tighter budgets; approvals for infrastructure

build-outs are scarce; and it’s your job to ensure employee productivity remains high .

These may seem like Herculean tasks, especially when you’re dealing with ever-increasing

threats to your Web and email networks, but IT executives and industry experts say success

can be found by moving to a software-as-a-service (SaaS) delivery model . “Spending is

going to be affected by this economic slowdown, so organizations need to rethink how

they manage noncore, yet critical, tasks such as Web and email security,” says Brian Burke,

program director for security products at Framingham, Mass .-based research firm IDC .

Recently, enterprises of all sizes have turned to gateway appliances to block spam, scan for

viruses, and perform URL and content filtering . But performing these tasks on the network

can be costly in terms of hardware, software, bandwidth and administration . For instance,

a boost in spam oftentimes results in the need for additional appliances and licenses,

increased email server capacity, expanded storage space, a hike in bandwidth, and

dedicated man-hours to deploy and manage these infrastructure build-outs .

These expenses are hard to fathom in today’s fiscally challenged environment . “Organizations are definitely experiencing

appliance fatigue . The number of boxes they have to manage is overwhelming, and the costs continue to add up,” Burke says .

To combat this problem and free up valuable resources, companies are starting to use Web and email security SaaS to handle

threats before they hit the network . This approach not only helps to save time and money, but it actually improves protection

by defeating today’s highly complex and dynamic threats in the cloud, in real time .

Understanding Today’s Vulnerabilities While IT budgets may be shrinking, there is definitely no shortage of attacks IT professionals

face in regard to Web and email . Burke says the link between the two is becoming

indistinguishable, thanks to the use of Web 2 .0 technologies such as social networking,

Wikis and blogs in the workplace . He adds that spam is also on the rise, accounting for

more than 80% of all enterprise email, and the number one threat to email security is now

embedded URL links within these messages .

These statistics make it easy to understand how vital a comprehensive Web and email

security plan is to an organization . In fact, Burke predicts that Web and email security are

so intertwined that in the near future IT teams will address them in a unified manner .

Until then, trying to stay on top of these threats on-premise in terms of infrastructure and

knowledge is a costly and exhausting endeavor for many enterprises . “A lot of email servers

and appliances are faltering because they can’t keep up with the volume they’re expected

to handle,” Burke says . And with new viruses and malicious Web sites popping up with abandon, IT organizations have had to

become security gurus, chasing down signatures piecemeal, pushing out updated policies, and adding to URL blacklists, all

while being careful not to hamper user productivity with application downtime and false positives .

In addition, many organizations are beholden to data retention laws, so any messages that make their way onto the network —

even spam — must be stored for a certain length of time . The result: an incredible waste of storage resources .

Spending is going to be affected by this

economic slowdown, so organizations need

to rethink how they manage noncore, yet critical, tasks such as Web and

email security.

– Brian Burke, Program Director for

Security Products, IDC

A lot of email servers and appliances are

faltering because they can’t keep up

with the volume they’re expected

to handle.

– Brian Burke, Program Director for

Security Products, IDC

1


Inside SaaS Before we look at how SaaS specifically addresses Web and email security challenges such as those discussed above,

let’s look at how SaaS is beneficial in general .

With SaaS, an application is hosted and delivered over the Internet by a provider,

negating the need for on-premise hardware, software or dedicated personnel .

Rather than continually paying for hardware, software and maintenance licenses,

you pay a fixed price on a per-user basis that provides everything you require,

including all support and maintenance . This enables you to dynamically add or

subtract users based on your growth, paying only for what you need, when you

need it . Also, because SaaS is essentially a subscription, companies can count

application usage as an operating expense as opposed to a complicated — and

depreciating — capital expenditure . In fact, one esearch firm found that a SaaS

solution can reduce the annual application cost per user from $100 to $60 versus

a traditional appliance-based solution .

SaaS also offers companies leverage vs . on-premise solutions because they are based on service-level agreements . This key

differentiator means that companies have a contract with the service provider to guarantee optimal performance and reliability .

SaaS applications generally offer similar functionality as their on-premise counterparts, but with a distinct benefit . As soon

as the provider develops new features, customers can take immediate advantage of them without having to spend time

downloading and testing code to ensure proper network integration . In addition, SaaS is controlled through a team’s Web-based

console so IT can easily set and manage company use policies for all users .

SaaS and Security: A Natural Fit Where the SaaS model really hits home is with Web and email security because it provides IT teams a way to stop threats

before they clog — or take down — the network . All vulnerabilities are dealt with in the cloud .

To understand the economic ramifications, consider this real-world example . At Dallas

County Community College District (DCCCD) in Mesquite, Texas, the email network supports

inbound and outbound messages for more than 65,000 mailboxes . Of the almost 3 million

messages DCCCD received each day, more than 95% were spam, exposing the district to

worms, bots and other vulnerabilities that threatened the network and user productivity .

To manage that spam explosion on-premise, DCCCD would have had to add more staff,

appliances, bandwidth and other infrastructure .

Instead, DCCCD switched over to Webroot E-Mail Security SaaS, which was “as easy as

changing a record in our domain name server to redirect to Webroot,” says Steve Glick,

Associate District Director for Information Technology at DCCCD . “There’s no question this

has taken a significant load off the network in terms of server capacity, bandwidth and

storage space .”

Webroot E-Mail Security SaaS has also alleviated the burden on Glick’s network support

specialist, who was tasked with supporting the security appliances and their surrounding

infrastructure . Now, instead of having to beef up staff, Glick has been able to redeploy the network support specialist to other,

more strategic projects . “Web and email security SaaS are particularly helpful for IT organizations that lack dedicated security

personnel,” Burke says . “Because security is their primary focus and they are watching for threats across a broad spectrum,

SaaS providers like Webroot are better equipped to detect new vulnerabilities and ensure your on-site and mobile workers are

thoroughly protected .”

There’s no question [Webroot E-Mail

Security SaaS] has taken a significant

load off the network in terms of server

capacity, bandwidth and storage space.

– Steve Glick,

Associate Director for Information Technology, DCCCD

$100

$80

$60

$40

$20

$0Appliance SaaS

2


Cutting-Edge Tools and Services Webroot uses a combination of multiple best-of-breed antivirus and anti-spam engines as well as its own anti-spyware tool,

Webroot Spy Sweeper®, and an automated threat research system to keep its Webroot Web Security SaaS and Webroot

E-Mail Security SaaS services cutting edge . Users are also protected by zero-hour heuristic filters that guard against new and

unknown virus variants and keep false positives low . And because traffic is filtered through Webroot data centers, distributed

denial-of-service attacks can be neutralized before they reach corporate mail servers .

Using the multivendor approach for anti-virus engines also allows Webroot to offer a high-quality, inexpensive SaaS solution

without compromising security . Companies can cost-efficiently guarantee that their corporate acceptable usage policies

regarding Web sites and content are enforced for on-site and remote workers . In fact, Webroot Web Security SaaS can apply

proactive notification of company Internet use policy to search engine results, indicating whether a site can be accessed,

potentially contains malware, or is blocked .

That’s one of the attractions for Adam Edwards, partner at London-based Cumberland Ellis

Law Firm LLP, who has to ensure that his users are protected from inappropriate content

while complying with the firm’s Internet use policies, best practice and the law . “Email

and Web are at the core of everything we do here, and we have a certain level of paranoia

about our clients’ privacy and security . We have to make sure that we maintain absolute

confidentiality and properly secure our clients’ data, a part of which includes ensuring that

we are not attacked or compromised by malicious code via the Web,” Edwards says .

Edwards relies on Webroot Web Security SaaS and Webroot E-Mail Security SaaS to ensure

that preconfigured corporate policies are being adhered to without hampering employee

productivity . He uses the Web-based console to track and mitigate false positives and

to make sure that employees can access the spam quarantine . But it’s not only policy

enforcement that Edwards enjoys about Webroot Web Security SaaS and Webroot E-Mail

Security SaaS . He’s also a fan of the inherent disaster recovery feature, which has saved him

the cost of installing a more fault-tolerant system on or off-site .

For instance, the law firm recently suffered a Microsoft Exchange Server outage, but users

were still able to access their email via the Webroot service . “If we had to maintain an off-site

mirrored Exchange Server ourselves, it would be a costly technical feat . This way, we always

have the previous month’s worth of email at the ready wherever in the world our employees

are,” Edwards says . The biggest cost benefit of the Webroot SaaS offerings is the security expertise the company brings to the

table at a significantly lower TCO . “From a practical standpoint, there’s no way with only one full-time IT manager supporting 80

users that we can fully master every aspect of security in-house,” Edwards says . “Web and email security require 24/7 attention,

and since that is Webroot’s business, they have a much greater chance of recognizing and blocking threats than we ever could .”

Because security is their primary focus

and they are watching for threats across

a broad spectrum, SaaS providers like Webroot are better equipped to detect

new vulnerabilities and ensure your on-site

and mobile workers are thoroughly protected.

– Brian Burke,

Program Director for Security Products, IDC

3


SaaS Marks the Next Step in the JourneyIn an uncertain economy, businesses of all sizes are struggling to find new ways to survive. The same is true for information technology teams, which are being forced to reevaluate how they deploy and manage applications across the enterprise. Webroot GM, SVP, Don Beck recently discussed this difficult environment with Technology Editor Sandra Gittlen and explained how IT teams can cost-effectively tackle one of the most difficult challenges, Web and email security, with software as a service (SaaS).

Q: How has application management, particularly in the areas of Web and email security, changed for it in the past few years? A: The bar has constantly been raised for how IT deploys and runs existing applications . There is tremendous pressure to cut costs and drive out redundancies throughout their current systems as well as to find efficiencies in implementing new applications . Many organizations have been burned by applications that were too complex to deploy and manage .

Q: How does the economy compound this struggle? A: I’m not sure most IT managers have experienced this type of recessionary climate before and, unfortunately, many are going to be subject to disproportionate cuts in terms of staffing and budget . Companies will be thinking only about what directly brings money in the door — such as new sales applications — and expect other areas to be severely scaled back or delayed . In addition, they will expect what has become the base of services that IT provides, such as email and Web security, to become utilities and be provided at the lowest possible cost .

Q: How can software as a service lessen this burden? A: Let’s start with the primary benefit of SaaS — it’s far easier to deploy and manage because there is zero to minimal implementation of hardware and software needed within an organization . This eliminates many of the costs associated with a typical security project . For instance, if you are trying to secure Web and email access at remote sites, you no longer have to send out a staff member to install and manage an appliance or other infrastructure . Also, the length of your deployment will be dramatically shortened because there is nothing to install and no interaction with the network or desktop to worry about .

Too often, we hear about IT teams that tried to roll out an on-premise solution only to find it was more complex than they planned, needing more bodies, more time and more money . With SaaS, you can trial the application and see firsthand what the deployment cycle entails . Often-times, you can have your application up and running enterprise-wide within a few hours, freeing your staff and budget for other, more strategic purposes .

SaaS solutions in the security space are also far more effective than their on-premise counterparts . With an on-premise solution, customers are stuck with the single antivirus tool and signature recognition software their vendor uses . Conversely, Webroot uses a multivendor approach, including five different antivirus engines, to block malicious code from getting inside your organization .

Q: Have you noticed that overall organizations are more accepting of SaaS solutions than they were even a year ago? A: Definitely . It’s skyrocketing in areas such as CRM and payroll . Email security is already well past the early adopter phase and we expect Web security to experience the same growth over the next few months . And while there is still more education that has to be done about SaaS, organizations are starting to realize they don’t want viruses, spam and other threats to come onto their network so they are seeing the value of dealing with those vulnerabilities in the cloud .

Q: Who typically holds the decision-making power regarding SaaS within an organization? A: When it comes to email and Web security, that’s clearly the domain of IT . They take the lead and specify what they want, to make sure there are clean pipes to and from the Internet .

Q: What changes has the SaaS industry undergone that makes it more appealing to it organizations? A: Before SaaS, there were application service providers that hosted what was essentially on-premise software out of data centers . While they modified the applications to be Web-friendly, they were kludgy . SaaS offerings have been engineered from the ground up to be delivered over the Web . And they also support multi-tenancy — allowing more than one customer on a server — to drive down costs . In addition, these services have been optimized in terms of their Web interface, performance, Internet delivery infrastructure, security and other key areas . In many ways, they offer far better reliability these days than most corporate networks .

Q: Do you think organizations will go back to on-premise solutions when we pull out of this economic crisis? A: No, I think we are on a very clear evolutionary path here . Early on, IT was gung ho to buy and deploy software themselves . Then they turned to appliances because they offered an all-in-one solution . Each step has been designed to make application deployment and management simpler . And SaaS is clearly the next step in that journey . I’m confident SaaS will prove from a technical, ease of use and pricing perspective to be a benefit to IT organizations everywhere for the foreseeable future .

Sandra Gittlen is a Massachusetts-based technology writer.

4


Getting the Most From SaaSSigning on with a software-as-a-service (SaaS) provider may have you worried that you are giving up control, but that doesn’t have to be the case. Here are some surefire ways to guarantee you stay in the driver’s seat.

1. try before you buy. There’s no better way to understand how SaaS will benefit your environment than seeing results for yourself . While this can be cumbersome with appliances and on-premise solutions, SaaS offerings make evaluating the benefits of Web and email security as easy as redirecting your traffic to an alternate URL or altering your MX record . You can even send production traffic through the SaaS provider’s environment to check real-time latency and the other impacts on the end-user experience .

2. Get it in writing. The most important part of any SaaS offering is the service-level agreement (SLA), which outlines your provider’s guarantees . You’ll want to make sure that the SLA covers performance, uptime, notification of downtime, and other critical factors as well as the repercussions for failing to meet those guarantees . For instance, your provider should offer 24/7 availability . You’ll also want a false-positive rate for catching viruses that is lower than 1 in 400,000 . To ensure these metrics are being met, have your provider send you regular reports .

3. Know your compliance mandates. When it comes to security, it’s imperative that you understand the guidelines for data protection that your company must follow . For example, do you have requirements that dictate how long you have to retain business records or privacy restrictions regarding customer information? Develop policies that reflect these mandates and then convey them to your SaaS provider . Together you’ll be able to conduct audits that ensure ongoing compliance .

4. Share your SaaS success. It’s easy to measure the success of a SaaS solution . For instance, if your email security solution is stopping 98% of the spam that would otherwise have to be handled by your network, then that’s a tremendous savings in terms of bandwidth and server capacity . Or if your Web security service has blocked hundreds of attempts by employees to visit “bad” sites, then you’ve essentially stopped malware from taking down the network and increased worker productivity . Make sure to share these benefits with corporate executives so they understand the business value of your SaaS decision .

5. enjoy your newfound freedom. With SaaS, you no longer need a dedicated employee to chase down the latest virus signatures, test and deploy patches, or update URL blacklists . All this is handled automatically as part of your service . You also don’t have to spend time purchasing, provisioning and maintaining hardware, software or appliances in-house and at remote locations . This means that you can redeploy staff to more strategic and mission-critical tasks .

The Webroot ROI Calculator allows you to estimate total cost savings based on your specific email and Web security solutions.

5


About WebrootWebroot provides industry-leading security solutions for consumers, enterprises and SMBs worldwide . Webroot recently announced two new perimeter security offerings, Webroot E-mail Security SaaS and Webroot Web Security SaaS . A proven software-as-a-service offering, Webroot E-Mail Security SaaS delivers e-mail archiving, encryption, business continuity, anti-spam, anti-virus and anti-phishing capabilities that give companies of all sizes better manageability, better value and better protection . Webroot Web Security SaaS provides web-filtering protection and secures against viruses, spyware and inappropriate Web usage, with no hardware or software to maintain and lower total cost of ownership . Service features include access control, content control, threat protection, detailed logging and real-time reporting . Recently voted Best Anti-Malware Solution by SC Magazine readers, Webroot AntiSpyware Corporate Edition and Webroot AntiSpyware Corporate Edition with AntiVirus are comprehensive, centrally managed solutions that aggressively block, detect and eradicate malware on desktops across the network .

Webroot products consistently receive top review ratings by respected third–party outlets and have been adopted by millions globally . Available either as branded solutions or on an OEM basis, Webroot products can be found at www .webroot .com and on the shelves of leading retailers worldwide . To find out more visit www .webroot .com or call 1 .800 .870 .8102 .


© 2009 All rights reserved . Webroot Software, Inc . Webroot, the Webroot icon, Spy Sweeper and the Webroot tagline are trademarks or registered trademarks of Webroot Software, Inc . in the United States and other countries . All other trademarks are properties of their respective owners .

Webroot Software, Inc. – World Headquarters2560 55th Street

Boulder CO 80301 USA www.webroot.com • 800.870.8102

Webroot Ltd. – EMEA HeadquartersVenture House, Arlington Square, Downshire Way

Bracknell, Berkshire RG12 1WA, UKwww.webroot.com/uk • +44 (0)870 1417 070

Webroot Software Pty Ltd. – APAC HeadquartersLevel 20, Tower A, 821 Pacific Highway

Chatswood NSW 2067 Australia www.webroot.com • +61 (0)2 8448 8144 • 1.800.029.234

uSa-280109-1.2

saas secures in uncertain times -...

Documents