Security as a service (or SECaaS) involves outsourcing your security to a company that operates within the cloud.
Your vendor will incorporate their offerings into your infrastructure, and you'll pay some kind of fee to keep the work going. You'll get the help you need, but you won't invest in software, programs, or staff.
SECaaS vs MSSPs
SECaas has some similarities to managed security service providers (MSSPs). Both help organisations address security issues without having to hire a full security staff. But they use different approaches and SECaaS is typically more comprehensive.
MSSPs provide system monitoring, and will alert you when there is an incident.
SECaaS also provides monitoring, but also includes investigation, incident response, and remediation. That’s why it can be the best choice when you need to ensure compliance.
SECaaS Pricing Models Available
You'd like to provide your organisation with robust security services, but you don't have the staff or the time to do so. You could hire an on-site consultant to develop and implement the protections you need. Or you could invest in a completely different solution.
Most SECaaS providers charge a fee for their work. But the way their pricing is structured and implemented can vary widely.
Typically, companies that offer software as a service choose from one of the following five types of pricing models:
- Usage based: The provider tracks how often you use the services they provide, and you're charged accordingly.
- Per user: The provider examines how many authorised people from your company can use their services. You pay a fee for each user (or seat).
- Tiered: The provider has several different service packages. The more features or capabilities included, the higher the price.
- Flat: Only one version of the product is available, and it's offered at the same fee to all customers.
- Per feature: You pay for each service the company offers. The more help you need, the more you will pay.
Some companies offer trial pricing, so you can use the service for a time and see if it works for you. Others ask you to start paying the moment the work begins.
How Can a SECaaS Company Help?
You may have dozens (or even hundreds) of different assets to protect. Similarly, security companies have different capabilities they offer in their subscription packages. To get the most for your money, choose a company that provides what you need to keep your company safe.
The Cloud Security Alliance recognises 12 categories (or services) that SECaaS companies provide:
- Network security: The company offers products that can monitor your network and protect it from attack.
- Vulnerability scanning: The company uses a public network to scan your systems or infrastructure.
- Web security: The company offers real-time protection of any asset that is public facing and provided via the web.
- Email security: The company can protect both inbound and outgoing mail.
- Identity and access management: The company offers authentication, identification, and user management services.
- Encryption: The company protects sensitive data at rest and in transit via encryption methods.
- Intrusion management: The company examines your servers, and if unusual activity appears, steps are taken to block an attack.
- Data loss prevention: The company protects data within your company.
- Security information and event management: The company takes in data about incidents, and you're provided with real-time analysis.
- Business continuity and disaster recovery: If service is interrupted, the company gets you back online as quickly as possible.
- Continuous monitoring: The company is always working through risk management steps to protect your organisation.
- Security assessments: The company performs periodic audits to assess protection levels.
Some companies offer every single item on this list, ensuring that you have full protection. But others specialise in just a few.
Benefits & Challenges of Security as a Service
Should you invest in a partnership with a security company? Make a wise decision by understanding what people both like and dislike about the SECaaS model.
Commonly cited benefits include:
- Cost. You won't buy hardware, pay for licenses, or hire staff. Instead, you'll pay a fee related to the work you need.
- Ease. Most SECaaS companies offer convenient dashboards that help your team control key processes.
- Scale. Add to or remove services quickly, and rely on your vendor to update settings based on current threats. Many companies appreciate the ability to add users to the service, especially when many employees work from home.
- Expertise. A security skills gap can leave your company vulnerable to attack. Vendors have trained staff members who spend all day working to prevent threats.
SECaaS does come with a few drawbacks. For example, some security professionals dislike handing over minute control to a third party. They worry about regulatory challenges, the speed of change, and segmentation.
Others worry that cloud-based applications leave companies wide open for attack. If a hacker can pull down the SECaaS server, a company's assets are fully exposed.
6 Things to Look for in Providers
Plenty of companies are ready to compete for your business. What should you look for as you shop?
Ask each provider about the following six items:
- Affordability: Inquire about the total cost of ownership of your security solution, and make sure it's within a range that you can afford.
- Availability: When is staff ready to help you when something goes wrong? Do they provide true global coverage?
- Capabilities: What services will the vendor offer? And if some are offered through third parties, what will those organisations do?
- Flexibility: If you need additional help down the line, can the company flex and expand?
- Reporting: Hiring a consultant doesn't mean abdicating your responsibilities. How will the company keep you apprised through reports?
- Speed: What uptime can your vendor guarantee? And how quickly will the team respond if disaster strikes? How quickly will they act in response to smaller problems too?