Security as a Service - Infosec the Cloud Way?

Last month Google acquired VirusTotal, an on line virus and malware scanning tool.  VirusTotal has been around about 8 years, and provides a simple and focused virus and URL scanning service.  They basically act as a service wrapper and aggregator for some 60 anti-virus engines and tools.  They then provide the ability for a file or URL to be scanned by the the underlying engines, before returning a scan result from the various different partners.  This is a simple, yet powerful concept for several reasons.

I'd imagine Google's main interest would be in the ability to scan a particular URL that is returned from a user's Google search, before they go ahead and click through it.  This would help Google to identify any malicious links, trojan destinations and so on, increasing their credibility and the safety of it's users. VirusTotal also provides various internet browser plugins, which would likely become an integral default part of the Chrome browser too.


Security-as-a-Service

The interesting concept behind VirusTotal is the basis of it being a service provider and aggregator.  Whilst they are not a fully fledged anti-virus tool (they can't obviously provide quarantine services for example), they provide a very powerful additional security service.  As with a standard software-as-a-service offering, there is nothing to install or configure.  This instantly takes the effort and complexity away from the end user.  The end user has no real concern how the underlying software is configured or is managed.  Their only concern is having access to a results-lead service.  Throw some data, a question, a problem (or in this case a file or URL) at a piece of software via it's API, and you receive the end result. That result can then be consumed and wrapped into the users originating software or service and used how they see fit.  Each consumer could have an entirely different use for the result.

The main benefits of this as-a-service approach, are twofold.  Firstly, is the obvious ability for the service provider to aggregate data from various different sources.  To do this as an individual, would be time consuming, costly and complex to develop.  Whilst capitalism helps fuel product differentiation,  helping the consumer from a choice perspective, it also creates headaches from an information management perspective.  How does the consumer decide which product is the most cost effective, detailed or accurate? (the concept of market management is beyond the scope of this blog, but think of things like Google's price comparison engine, or CompareTheMarket.com).  Aggregators are now an expected part of consumer behaviour.  Making that concept become part of a service provision seems natural.

The second benefit, is that the end user or consumer, can focus on things they like or are good at.  In the case of VirusTotal, the end user is more interested in browsing the web or using software.  They don't want to have to spend time installing or building scanning engines just to stay safe.  By farming those non-specialist services out to a specialist provider, frees up the time and money of the consumer to focus on what they enjoy, or what their business is supposed to deliver.

If we look at information security from a business perspective for a moment, many businesses may not have a dedicated infosec team, policy manager or strategy.  Everyone likes to be (or more importantly likes to feel) secure, but the costs and complexity of that are sometimes too great.  Security can often be seen as an avoidable cost to the business, with security controls and policies seen as hindering employees from driving sales revenue or completing important business tasks.  Outsourced managed security service providers are increasing in popularity, as many organisations know they need to have complex network operations and log monitoring centres, but can't staff or manage them inhouse.

By being able to break that outsourcing process down to an individual security process level could potentially achieve the same thing.


Other Uses

Cloud is buzz, we know that.  Organisations are being constantly bombarded with platforms-as-a-service, infrastructure-as-a-service, software-as-a-service, (aggregated-services-as-a-service?) and many struggle with the legal, security and operational aspects of migrating key business functions onto a 3rd party provider.  But in the long run, is this the only real economically efficient outcome, of using best of breed suppliers as we do today, simply delivered via the internet?

From a infosec perspective, there could be a plethora of individual services that could be managed externally.  Qualys have made a mark in the vulnerability scanning market.  File and URL scanners are now common. Geo-location and IP address mapping services are now common.  What about IP address reputation management or network black listing?  All freely available today.

The concept of identity reputation management is a contentious issue, but with increased focus on cloud based identity and user services, this could easily become a powerful as-a-service offering.

@SimonMoffatt