The Connected Web

Phil Wainewright

Why Web Security Works Better as a Service


Listen to my interview with Eldar Tuvey, CEO of ScanSafe, which is a leading provider of web security as a service.

In this podcast, hear why many companies prefer to have external providers monitor their web traffic for security threats and inappropriate content, and learn how the security-as-a-service model brings economies of scale that can lead to more rapid, cost-effective threat protection.

Listen to or download the 7:57 minute podcast below:


---Transcript---

PW: Eldar, when people talk about software-as-a-service, one of the first objections they raise is security and yet, you have a thriving business with ScanSafe providing security software, as a service. Isn't there a contradiction in there somewhere?

ET: I don't believe so. Perhaps when we started, there was a lot of skepticism in the market about whether security could indeed be delivered as a service. But as we've grown the service and the company from our early roots in 2004, when we pioneered this space, we've noticed less and less reticence and skepticism on behalf of the IT directors that we talk to day in and day out, and I think that software-as-a-service in general has really come of age over the last perhaps 12 to 18 months.

I think what really started as a sort of selective deployment of software-as-a-service for some vertical applications like CRM is really now proving to be the best practice for more mission-critical resources like security. Initially, it used to be payroll, CRM and ERP systems that were delivered as a service. Now, we really see mission-critical infrastructure applications like security and indeed web security specifically — which is the market that we operate in — being delivered as service.

Email security is already very, very successful in delivering email security as a service, with players like Google and Microsoft in this space, and security is now following in the same sort of trajectory. Most of the Gartners of this world and the analysts predict that, out of the whole web security market, something like 40 to 60% of it will be delivered as a service in years to come — and so that's really the market that we operate in. We've noticed —

PW: Right. Yes, sorry Eldar to interrupt there, but I think that one of the things that I think is interesting there is that we're talking things that are — that tend to be hosted out on the web anyway like web sites, and email servers sometimes are hosted outside, so putting the services that go with them I suppose to an extent does make sense.

ET: Absolutely. In terms of our specific business, we obviously are focused very much on web security — so protecting employees and corporate customers, and their networks when their employees are out using the web. And roughly speaking, what we do is, any web request that goes out from the browser goes through our data centers and infrastructure — which is distributed around the world to reduce latency — and there all those web requests are scanned for any viruses, malware, trojans, etcetera, and filtered to ensure that no pornography or gambling sites, etcetera get through.

And in that way, the best way to — the most logical place to stop bad or harmful websites and web threats coming into your network is out on the Web. It makes a lot of sense from a security point of view. There's some number of very real benefits to delivering security as a service, which I'm happy to go into, but most of them are based on the fact that you really try and stop these threats before they even reach your network.

PW: So the alternative, if someone is using a competitive conventional product, they're going to actually have the server on their premises, really checking all the web traffic as it's going in and out of the network. And therefore, if there's any malware or improper material, it's already actually in the corporate network once it starts being examined.

ET: Absolutely. So that's the historical legacy way of delivering web security, going through an appliance or software within the network. But our approach, which we pioneered in 2004, is to try and deliver it as a service to stop those threats before they reach the network. And there's a number of very real benefits that we can deliver in terms of security which is actually what we do by doing that.

Firstly, and most importantly, is that we can apply multiple scanning technologies and techniques to try and really improve that security, which would not be possible to replicate if you were doing that within the network. There's some very real cost advantages to companies of doing that, because they don't need to replicate the appliances and software — or maintain them and update them and support them across their companies around the world — because simply with us utilizing a service, they just route all their traffic through to our nearest data center, and effectively we become a sort of upstream proxy for them and a security blanket covering their operations around the world —

PW: Okay. So if they had — for example, if they had 14 sites — with the other model, the on premise model, they would actually have to have 14 different servers at each of those sites as opposed to having a single server in your data center. But on top of that, because it's all concentrated in your data center, you can actually put the messages through different types of equipment and software to increase the scanning that you're doing.

ET: Yeah, absolutely. In the current model, they could all route their web traffic back to a central gateway but that obviously increases cost, and congestion and bandwidth, and it's not always possible. Here they have a much faster way of delivering that security by just routing through to the nearest data center and that improves their performance.

We've got certain customers that have — like ICI for example — that have operations in over 50 countries. And by using a service, they can route all those different subsidiaries through central gateways — if you like, in the sky which is what — or in the cloud where we are. And they can actually control all those users, control security that's offered to those users all from a central place, without having hardware to maintain, deploy and support. And then of course, for redundancy reasons you need replicated hardware, etcetera. So it's a much more cost-effective solution, especially for the very geographically diverse companies or the big enterprises that we now work with.

PW: And I suppose the final thing is that you've got some economies of scale because you're doing everything for your customers across a single infrastructure rather than it being a different infrastructure at each individual customer.

ET: Absolutely. And that's the inherent advantage of having security delivered as a service. Say for example, if we spot a particular piece of malware for one of our customers let's say in Korea — immediately, all our customers in the UK and the US are equally protected from that same threat or from that same website that we've identified as being malicious.

And the secret to good security is having good data. By routing all these customers' web requests through our infrastructure, we're now scanning something like 20 billion web requests a month. That's an enormous amount of data, which we can use to analyze, to look for anomalies and look for malware out on the web. We're stopping about 200 million threats a month for our customer base now. So they're all immediately updated, immediately protected from these threats, and benefit from the network effect of being in one massive community, which they would not have if they were trying to do that security and remain up-to-date on the latest threats individually.


Phil Wainewright blogs about how businesses are using the Web to get better plugged into today's fast-moving, digital economy.
