Cloud Cover by Matt Vilano
Data security used to be all about spending big bucks on firewalls to defend data at the network perimeter and on antivirus software to protect individual computers. Internet-based computing, or cloud computing, has changed all that, while exponentially expanding the opportunities for data thieves and hackers.
The cloud creates other opportunities too: a handful of security vendors now deliver security as a service–a one-two punch of hardware and software that monitors and manages an enterprise’s data security and bills customers only for the computing power they use. "For years, security was about big companies pushing technology to their customers," says Qualys CEO and founder Philippe Courtot. "Now it’s about the customers pulling precisely what they need and providing them with those resources on demand."
Under the old paradigm, according to Courtot, enterprises overspent for stand-alone security devices that became unruly and difficult to operate over the long term. He says Qualys attacks the flaws in this strategy by streamlining security and tackling most of the service delivery through the cloud. "We control the infrastructure, software updates, quality assurance and just about everything in between," he says.
Much of the company’s current revenue–sales topped $50 million last year–is being driven by a set of standards established by the Payment Card Industry Security Standards Council (PCI SSC), a trade organization composed of credit-card companies. The standards were created in 2006 to help organizations that process card payments prevent fraud by tightening controls around customer data. One of those controls: a quarterly audit for network vulnerabilities by a firm from a list of approved vendors that includes Qualys. Analysts estimate that the PCI standards have generated at least $2.5 billion for security vendors in the U.S. "It’s been a major driver of business for all of them, especially Qualys," says Avivah Litan, a vice president and analyst at market-research firm Gartner. "When everyone has to comply, there’s a lot of work to go around."
Qualys aims to increase the depth of its vulnerability-scanning services, reaching further into networks by auditing servers that host and operate certain Web applications for self-propagating virus programs known as malware. It released a special QualysGuard module in April 2008 to achieve this objective. After a series of acquisitions this summer, an improved version will probably be forthcoming in the next 12 to 18 months. "Because of the Internet, the enterprise network is disappearing, and companies need to be ready to protect what’s left," Courtot forecasts. Security as a service, it turns out, is a pretty legit business.