So far, we have addressed the security provided by cloud service providers (CSPs) as well as the security provided by customers using cloud services. In this chapter, the focus is on security provided as cloud services; that is, security delivered through the cloud, also known as security-as-a-service.

Just like software-as-a-service (SaaS), the business model with security-as-a-service is subscription-based. In addition, security-as-a-service is also sometimes referred to as “SaaS,” which is how we will address it specifically in this chapter.

With SaaS, there are two emerging provider types. The first type comprises established information security vendors who are changing their delivery methods to include services delivered through the cloud. The second type comprises start-up information security companies that are also emerging in this field as pure, play CSPs—that is, these companies provide security only as a cloud service, and do not provide traditional client/server security products for networks, hosts, and/or applications.

Among established information security companies that are changing their business models to also include SaaS, the most prominent are traditional anti-malware vendors. However, other established information security companies are also involved in the delivery of SaaS, especially with regard to email filtering.