Wednesday, July 15, 2009

Panda's SaaS-Based PC Security Manages Client Risks, Adds Efficiency for SMBs and Providers

Transcript of a BriefingsDirect podcast on security as a service and cloud-based anti-virus protection and business models.

Listen to the podcast. Download the podcast. Find it on iTunes/iPod and Podcast.com.

Download the transcript. Learn more. Sponsor: Panda Security.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

Today, we present a sponsored podcast discussion on automating and improving how PC security can be delivered as a service. We'll discuss how the use of cloud-based anti-virus and security protection services are on the rise, and how small to medium-size businesses (SMB) can find great value in the software-as-a-service (SaaS) approach to manage PC support.

We'll also examine how the use of Internet-delivered security provides a strong business opportunity for resellers and channel providers to the businesses trying to protect all of their PCs, regardless of location.

Recent announcements by Panda Security for cloud-based PC anti-virus tools, as well as a Managed Office Protection solution, highlight how "security as a service" is growing in importance and efficiency.

Here to help us better understand how cloud-delivered security tools can improve how PCs are protected across the spectrum of end users, businesses, resellers, and managed-service providers, we're joined by Phil Wainewright, independent analyst, director of Procullux Ventures, and a ZDNet SaaS blogger. Welcome back to the show, Phil.

Phil Wainewright: It's great to be here, Dana.

Gardner: We're also joined by Josu Franco, director of the Business Customer Unit at Panda Security. Welcome to the show, Josu.

Josu Franco: Hello, Dana. Nice to be here.

Gardner: Let's start, Josu, with looking at the big picture. The general state of PC security, the SaaS model, and the dire economy are, for many organizations, conspiring to make a cloud-based solution more appropriate, perhaps now more than ever. Tell us why a cloud-based solution approach to PC security is a timely approach to this problem.

Franco: There are two basic problems that we're trying to solve here, problems which have increased lately. One is the level of cyber crime. There are lots and lots of new attacks coming out every day. We're seeing more and more malware come into our labs. On any given day, we're seeing approximately 30,000 new malware samples that we didn't know about the day before. That's one of the problems.

The second problem that we're trying to solve for companies is the complexity of managing the security. You have systems with more mobility. You have vectors for attack -- in other words, ways in which a system can be infected. If you combine that with the usage of more and more devices in the networks, that combination makes it very difficult for administrators to really be on top of the security mechanisms they need to watch.

In order to address the first problem, the levels of cyber crime, we believe that the best approach that we, as an industry, need to take is an approach that is sustainable over time. We need to be able to address these rising levels of malware in the future. We found the best approach is to move processing power into the cloud. In other words, we need to be able to process more and more malware automatically in our labs. That's the part of cloud computing that we're doing.

In order to address the second problem, we believe that the best approach for most companies is via management solutions that are easier to administer, more convenient, and less costly for the administrators and for the companies.

Centralized approach

Gardner: Now, Phil, we've seen this approach of moving out toward the Web for services -- the more centralized approach to a single instance of an application, the ability to manage complexity better through a centralized cloud-based approach across other applications. It seems like a natural evolution to have PC security now move to a SaaS model. Does that make sense from your observations?

Wainewright: It certainly does. To be honest, I've never really understood why people wanted to tackle Web-based malware in an on-premise model, because it just doesn't make any sense at all.

The attacks are coming from the Web. The intelligence about the attacks obviously needs to be centralized in the Web. It needs to be gathering information about what's happening to clients and to instances all around the Web, and across the globe these days. To have some kind of batch process, whereby your malware protection on your PC is something that gets updated every week or even everyday, is just not fast enough, because the malware attacks are going to take advantage of those times when your protection is not up-to-date.

Really making sure that the protection is up-to-date with the latest intelligence and is able to react quickly to new threats as they appear means that you've go to have that managed in the center, and the central management has got to be able to update the PCs and other devices around the edge, as soon as they've got new information.

Gardner: So, the architectural approach of moving more back to the cloud, where it probably belongs, at least certainly from an architectural and a timeliness or a real-time reaction perspective, makes great sense. But, in doing this, we're also offloading a tremendous burden from the client in terms of these large agents, tremendous demand on the processing of this client, the need to move large files around, drag on the networks, labor for moving around the organization, and physically getting to these machines. It seems almost blatantly obvious that we need to change this model. Do you agree, Josu?

Franco: I do. One point that I want to make, though, is that when we refer to SaaS, we use the term to refer to the management console of the security solutions. So, SaaS for us is an interface for the administrator, it’s an interface obviously based on the Web.

When we refer to cloud computing, it refers to our capacity to process larger and larger volumes of malware automatically, so that our users are going to be better protected. Ideally, cloud computing and SaaS should be going together, but that's going to take a little bit of time, although, in our case at least, all of our solutions align into those two concepts. We've been moving towards that. The latest announcements that we've made about this product for consumers go certainly into that direction.

I just want to make clear that SaaS for me is one thing. Cloud computing is a different thing. They need to work together, but as a concept we should not confuse the terms.

Wainewright: That's very important, Dana. One of the key things that people misunderstand about notions of cloud computing and SaaS is this idea that everything gets sucked up into the network and you don't do anything on the client anymore.

That's actually a rather primitive way of looking at the SaaS and cloud spectrum, because the client itself is part of the cloud. It's a device that interacts with other peers in the Web environment, and it's got processing power and local resources that you need to take advantage of.

The key thing is striking the right balance between what you do on the client and what you do in the cloud, and also being cognizant of where people are at in terms of their overall installed infrastructure and what works best in terms of what they've got at the moment and what their roadmap is for future migration.

Separating SaaS and cloud

Gardner: I see. So, we do need to separate SaaS and cloud. We need to recognize that this is a balance and not necessarily an all-or-nothing approach -- neither all-cloud nor all-client. This seems to fit particularly well into the demands of an SMB, a distributed business, or perhaps even a multi-level marketing (MLM) company, where there are people working at home, on the road, in remote offices, and it's very difficult for the administrators or the managed providers or resellers to get at these machines. Moving more of that balance towards the cloud is our architectural goal.

Let's move to the actual technical solution here. Josu, you described some new products. Clearly, there's still an agent involved, coming down to the PC. I wonder if you could describe some of the two big announcements you've had, one around this consumer security cloud service, and then the second around your Managed Office Protection solution.

Franco: The announcement that we've made about the Cloud Antivirus, is a very important announcement for us, because we've been working on this for a couple of years now, and this involves rebuilding the endpoint agent from scratch.

We saw the opportunity, or, I would say, the necessity of building a much lighter agent, much faster than previous agents, and, very importantly, an agent that is able to leverage the cloud computing capacity that we have, which we call "Collective Intelligence," to process malware automatically.

As I said before, this aligns with our technology vision, which is basically these three ideas: cloud computing or collective intelligence, as we call it, regarding the capacity to process

We believe that the more intelligence that we can pack into the agent, the better, but always respecting the needs of consumers -- that is to be very fast, to be very light, to be very transparent to them.

malware; SaaS as the approach that we want to take for managing our security solutions; and third, nano-architecture as the new endpoint architecture, in which we want to base all of our endpoint based solutions.

So, Cloud Antivirus is a very tiny, very fast agent that sits on the endpoint and is going to protect you by some level of local intelligence. I want to stress the fact that we don't see the agents disappearing anytime soon to protect the endpoints. We believe that the more intelligence that we can pack into the agent, the better, but always respecting the needs of consumers -- that is to be very fast, to be very light, to be very transparent to them.

This works by connecting with our infrastructure and asking for file determinations, when the local agent doesn't know about a particular file that it needs to inspect.

The second announcement is more than an announcement. Panda Managed Office Protection is a solution that we've been selling for some time now, and is working very well. It works by having this endpoint agent locally in every desktop or PC or laptop. Once you've downloaded this agent, which works transparently for the end user, all the management takes place via SaaS.

It's a management console that's hosted from our infrastructure, in which any admin, regardless of where they are, can manage any number of computers, regardless of where they are located. This works by having every agent talk to this infrastructure via Internet, and to talk to other agents, which might be installed in the same network, distributing updates or distributing other types of polices.

Gardner: Now, an interesting and innovative approach here is that you've made the Cloud Antivirus agent free to consumers, which should allow them to get protection for virtually nothing, but in doing so you've increased the network population for what you can do to gather instances of problems. The agent immediately sends that back to your central cloud processing, which can then create the fix and then deliver it back out. Is that oversimplifying it?

Staying better protected


Franco: That's a very true statement. We're not the first ones giving away a security agent for free. There are some other companies that I think are using the Freemium model. We've just released this very first version of Cloud Antivirus. We're distributing it for free with the idea that first we want people to know about it. We want people to use it, but very importantly, the more people that are using it, the better protected they're all going to be. As you say, we're going to be gathering intelligence about the malware that's hitting the streets and we're going to able to process that faster and to protect all those users in real-time.

Gardner: Phil, this strikes me as Pandora opening the box. I can't imagine us going back meaningfully in the marketplace to the older methods in architecture for security. Do you agree with me that this is a compelling shift in the market?

Wainewright: It is, obviously. We're talking about network scale here. The malware providers are already using network scale to great effect, particularly in the use of these zombie elements of malware that effectively lurk on devices around the Web, and are called into action to coordinate attacks.

You've got these malware providers using the collective intelligence of the Web, and if the good guys don't use the same arsenal, then they're just going to be left behind.

The malware providers are already using network scale to great effect, particularly in the use of these zombie elements of malware



I think the other thing that’s great about this Freemium model is that, even though the users aren't paying anything for the software, in effect they're giving something back, because the intelligence that's being collected is making the potential protection stronger. So, it's a great demonstration of how you can derive value even from something that is actually distributed for free.

Gardner: Sort of all for one, one for all?

Wainewright: Yes, that's right.

Gardner: So, if this works well for security, it strikes me that this also makes a great deal of sense for remediation, general support, patches, upgrades, or managing custom applications. It certainly seems to me that crossing the Rubicon, if you will, into security from a cloud perspective will open up an opportunity for doing much, much more across the general total cost of ownership equation for PCs. Is that in your future? Do you subscribe to that vision, Josu?

Franco: Yes, I do. First, we've been a specialized player in the anti-malware business, but I certainly do see the opportunity to do more things once you are installing an endpoint to be able to use the same management approach and be able to configure the PC, or to do a remote session on it based on the same console. For now, we're just doing the full anti-malware and personal firewall in this way, but we do see the opportunity of doing more PC lifecycle management functionalities within it.

Gardner: That brings us back to the economy. Phil, I've heard grousing from CEOs, administrators, and just about anybody in the IT department for years about how expensive it is, from the total cost perspective, to maintain a rich PC-client experience. Nowadays, of course, we don't have a luxury of, "It would be nice to cut cost." We really have to cut cost. Do you see a significant move towards more cloud-based services as an economic imperative?

Increasing the SaaS model

Wainewright: Oh yes, and one of the interesting phenomena has been that things like help desk, security, and remote support have increasingly been delivered using the SaaS model, even in large enterprises.

If you are the chief security officer for a large enterprise that's very dependent on the Web for elements for its operations, then you've got a tremendously complex task. There's an increasing recognition that it's much better to access pools of expertise to get those jobs done, than for everyone trying to become a jack of all trades and inevitably fall behind the state of the art in the technology.

More and more, in large enterprises, but also in smaller businesses, we're seeing people turning to outside providers for expertise and remote management, because that's the most cost effective way to get at the most up-to-date and the most proficient knowledge and capabilities that are out there. So yes, we're going to see more and more of that, spot on.

Gardner: I understand how this is a benefit to end-users -- a simple download and you're protected. I understand how this makes sense for SMBs who are trying to manage PCs across distributed environment, but without perhaps having an IT department or a security expertise on staff. But, I'm not quite sure I understand how this relates now to an additional business model benefit to a reseller or a value-added provider of some kind, perhaps a managed service provider.

Josu, help me understand a little bit better how this technology shift and some of these new products benefit the channel.

This means that for the end user it's going to reduce the operating cost, and for the reseller it's going to increase the margins for the services they're offering.



Franco: In the current economic times, more and more resellers are looking to add more value to what they are offering. For them, margins, if they're selling hardware or software licenses, are getting tougher to get and are being reduced. So, the way for them to really see the opportunity into this is thinking that they can now offer remote management services without having to invest any amount in what is infrastructure or in any other type of license that they may need.

It's really all based on the SaaS concept. They can now say to the customers, "Okay, from now on, you'll forget about having to install all this management infrastructure in-house. I'm going to remotely manage all the endpoint security for you. I'm going to give you this service-level agreement (SLA), whereby I'm going to check the status of your network twice or three times a week or once a day, and if there is any problem, I can configure it remotely, or I can just spot where the problems are and I can fix them remotely."

This means that for the end user it's going to reduce the operating cost, and for the reseller it's going to increase the margins for the services they're offering. We believe that there is a clear alignment among the interests of end users and partners, and, most importantly, also from our side with the partners. We don't want to replace the channel here. What we want is to become the platform of choice for these resellers to provide these value-added services.

Gardner: Does Panda then lurk behind the scenes, the picks and shovels for solution? Do you allow them to brand around it? Are you an OEM player? How does that work?

Franco: We can certainly play with a certain level of branding. We've been doing so with some large sales that we've made, for example, here in Spain. But, most of them want to start touching and kicking the tires and see if it works. They don't need the re-branding in the first instance, but yes, we've seen some large providers who do want some customization of the interface for their logos, and that's certainly a possibility.

Gardner: We've also seen in the market more diversity of endpoints. We've seen, for cost and convenience, reason to move towards netbooks. Smartphones have certainly been a fast growing part of the mix, despite the tough economy. This model of combining the best of SaaS, the best of cloud, and a small agent coordinating and managing them, strikes me as something that will move beyond the PC into a host of different devices. Am I wrong on that Phil?

Attacking the smartphones

Wainewright: No, you're absolutely right. One of the scary things is that many of us are carrying around smartphones now. It's only a matter of time before these very capable, intelligent platforms also become vulnerable to the kind of attacks that we've seen on PCs.

On top of that, there is a great deal more support required to make sure that the users gets the best out of those devices. Therefore, we're going to see much more of this kind of remote support being provided.

For example, the expertise to support half a dozen different types of mobile devices within our organization is something that the typical small business can't really keep up with. If they're able to access a third-party provider that has got the infrastructure and the experts on how to do that, then it becomes a manageable issue again. So, yes, we're going to see a lot more of this.

Ultimately, it's going to give us a lot more freedom just to be able to get on with our jobs, without having to worry about understanding how the device works, or even worse, working out how to fix it when something goes wrong. Hopefully, there will be much fewer instances when that downtime happens.

Gardner: Well, let's hope that we nip the bud here for this malware on multiple devices in the cloud before it ever gets to the device, and that removes the whole incentive or rationale

I think that we're going to see a convergence between the world of the consumer and the world of what we call a business.

for trying to create these problems in the first place. So, maybe moving more into the cloud actually starts stanching the problem from its root and core.

Let's move forward now to some of the proof points. We've talked about this in theory. It certainly makes sense to me from an architectural and vision perspective, but what does it mean in dollars and cents? Josu, do you have any examples of organizations that have started down this path -- SMBs perhaps, and/or resellers? How has this affected their bottom line?

Franco: Yes, we do have very good examples of people who have moved along this path. Our largest installation with the Managed Office Protection product is over 23,000 seats in Europe. It's a very large school or education institution, and they're managing their entire network with just a very few people. This has considerably reduced their operating cost. They don't need to travel that much to see what's happening with their systems.

We also have many other examples of our resellers that are actually using this product, not only to manage business spaces, but also managing even consumer spaces. I think that we're going to see a convergence between the world of the consumer and the world of what we call a business.

Moving to the consumer space

Some analyst friends are talking a lot about the consumerization of IT. I think that we'll also see that consumers are going to start using technologies that perhaps we thought belonged in the business space. I'm talking, for example, about the ability for a reseller to centrally manage the PCs of consumers. This is an interesting business model, and we have some examples of this emerging trend. In the US, we have some researchers who are managing thousands of computers from their basement.

So, even though our intention was to position this product for SMBs, we do see that there are some verticalized niches in the market into which this model fits really well. Talking about highly distributed environments, what's more highly distributed than a network of consumers, everyone in their own home, right? So, I think this is definitely something that we're going to see happening more and more in the future.

Gardner: Without going down this very interesting track too much, we're starting to see some CIOs cotton to the notion of letting people pick their end device, but then accessing services back in the enterprise, and with some modest governance and security. It sounds as if a service like this might fill that role.

Then, in addition to the choice of the consumer or end user on device, it seems to me that we're also in a position now for the providers of the bit pipes -- the Internet, telephony,

The value that's being created and is being shared out by the vendors and the providers in the SaaS model is that time saving and opportunity cost saving

communications, and collaboration -- to start offering the whole package, a PC with security, remediation, protection, and you pay a flat fee per month. Do you think these two things are around the corner, Phil, or maybe three or four years out?

Wainewright: To the previous point, people often think of the consumer Web as completely separate from the business Web. In fact, the reality today is that individual users at home are just as likely to be doing business things or work things on their home PCs as they are to be doing actually home things or even side businesses on their work PCs.

If someone is auctioning off their collection of plastic toys on eBay, then are they an individual consumer or are they a business? The lines are shading. I think what you need to look at is, what is the opportunity cost? If it's going to cost me time that I can't afford, or if it's going to mean that I'm not going to be able to earn money that I could otherwise be earning, then it's going to be worth my while to pay that monthly subscription.

One of the key things that people forget, when they're comparing the cost of a SaaS solution or a Web provided solution to a conventional installed piece of packaged software, is they never look at the resource and time that the user actually spends to get things setup with the packaged software, to fix things when they go wrong, or to do upgrades.

The value that's being created and is being shared out by the vendors and the providers in the SaaS model is that time saving and opportunity cost saving.

Gardner: Now, we have to assume that the security is going to be good, because if it doesn't protect, then that's going to become quite evident. But what we're also talking about, now that I understand it better, Josu, is really we're focusing on simplicity and convenience vis-à-vis these devices, vis-à-vis security, but also in the larger context of the level of comfort, of trust that the device will work, that the network will be supported, and that I'm not going to run into trouble. Is that what we're really talking about here as a value proposition -- simplicity and convenience?

Franco: As you said, it needs to protect. It needs to be very effective at a time when we're seeing really huge amounts of malware coming out every day. So, that's preconditioned. It needs to protect.

But if it's something that is going to be there protecting users, and many users see security as something that they need to live with, it's not truly something that they see as a positive application that they have. It's something that sometimes annoys people. Well, let's make it as simple, as transparent, as fast, as imperceptible as possible, and that's what this is all about.

Gardner: Very good. We've been learning a lot today about PC security and how it can be delivered as a service in conjunction with the cloud-based central management and processing. This architectural approach is now quite prominent for security, and perhaps will become more prominent across other aspects of client device support and convenience and lower cost and higher trust. So a lot of goodness. I certainly hope it works out that way.

Cost and protection benefits, along with productivity benefits, and as a result less downtime, is a good thing. We've looked at it across the spectrum of end users and businesses, resellers, and managed service providers. Helping us understand this we've been joined by our panel. I want to thank them. Phil Wainewright, independent analyst, director of Procullux Ventures, and a ZDNet SaaS blogger. I appreciate your time, Phil.

Wainewright: It's been great to be with you today, Dana.

Gardner: We've also heard from Josu Franco, director of the Business Customer Unit at Panda Security. Thank you Josu.

Franco: It's been my pleasure, thanks.

Gardner: I also want to thank the sponsor of this discussion, Panda Security, for underwriting its production.

This is Dana Gardner, principal analyst at Interarbor Solutions, thanks for listening, and come back next time.

Listen to the podcast. Download the podcast. Find it on iTunes/iPod and Podcast.com.

Download the transcript. Learn more. Sponsor: Panda Security.

Transcript of a BriefingsDirect podcast on security as a service and cloud-based anti-virus protection and business models. Copyright Interarbor Solutions, LLC, 2005-2009. All rights reserved.