Press Release

STAMFORD, Conn., July 15, 2008 View All Press Releases

Gartner Says Security Delivered as a Cloud-Based Service Will More Than Triple in Many Segments by 2013

Special Report Examines the Realities and Risks of Cloud Computing

Security applications delivered as cloud-based services will have a dramatic impact on the industry, as many cloud-based services will more than triple in many security segments, according to Gartner, Inc.

In messaging security controls, such as malware and spam detection/exclusion for e-mail and instant messaging, cloud-based services account for 20 percent of revenue in 2008, and by 2013 cloud-based services in messaging security controls will account for 60 percent of revenue.

Cloud computing will enable security controls and functions to be delivered in new ways and by new types of service providers. It will also enable enterprises to use security technologies and techniques that are not otherwise cost-effective.

Gartner defines cloud computing as a style of computing where massively scalable IT-related capabilities are provided "as a service" using Internet technologies to multiple external customers.

"The ability to provide massively scalable processing, storage and bandwidth inherent in cloud computing will require security controls and functions to be delivered to customers in new ways and by new service providers," said Kelly Kavanagh, principal analyst at Gartner. "It also will allow security technologies and techniques that are cost-effective to be used only with cloud-style computing. The massively scalable resources provided through the cloud also will be available to people who develop attacks that require intense processing, pursue cloud providers, or both."

Gartner said that the increase in use of cloud-based services, such as or Google Apps, means that many mobile IT users will be accessing business data and services without traversing the corporate network. This will increase the need for enterprises to place security controls between mobile users and cloud-based services.

"Although perimeter security controls will be required to protect the remaining data center functions and the large portions of enterprise populations that are not mobile, new approaches will be needed to secure cloud-based IT services," said John Pescatore, vice president and distinguished analyst at Gartner. "One answer will be cloud-enabled security 'proxies' whereby all access to approved cloud-based IT services will be required to flow through cloud-based security services that enforce authentication, data loss prevention, intrusion prevention, network access control, vulnerability management and so on."

Another feature of cloud-enabled computing will be the ability to obtain more enterprise security controls or functions on demand. Enterprises often struggle to justify the expense of security controls or functions that are needed to respond to unanticipated or infrequent events. Cloud computing, however, can make these types of services available at short notice, at the scale appropriate to address the threat.

Cloud-style computing will also enable more vendors to offer their security products as a service and quickly match the IT service delivery infrastructure — such as bandwidth, storage and processing — to the demand for their as-a-service delivery. Some security functions — such as vulnerability scanning, security event and information management, and log management — require the technology provider to make substantial infrastructure developments to deliver security as a service. However, cloud computing will enable the provider to scale delivery resources in line with customer demand, lowering the entry barriers to the security service market.

However, Mr. Pescatore said that the use of peer-to-peer in-the-cloud computing will also make enterprises more vulnerable to some security risks by reducing the cost of brute force attacks. "Inexpensive cloud-based processing will make it easier and cheaper to break encryption keys or find vulnerabilities in software, and financially motivated criminals will certainly seek to take advantage of that," he said. "Enterprises will need to prioritize the adoption of encryption technologies that provide easy movement to longer keys."

According to Mr. Kavanagh, as cloud-based security services emerge, some enterprises and providers will succeed, while others may miss the mark. The winners will be trusted security brands that can extend their products and services to assess and validate the security controls of cloud-style infrastructure and IT function providers, as well as security service providers that can implement and manage security controls for IT "cloud-style." He said that enterprises that use cloud-based security services to reduce the cost of security controls and to address the new security challenges that cloud-based computing will bring are most likely to prosper.

Additional information is available in the Gartner report "Cloud-Based Computing Will Enable New Security Services and Endanger Old Ones." The report is available on Gartner's Web site at This document is part of the special report on Cloud Computing. A full listing of the reports is available on Gartner's Web site at

About Gartner

Gartner, Inc. (NYSE: IT), is the world's leading research and advisory company and a member of the S&P 500. We equip business leaders with indispensable insights, advice and tools to achieve their mission-critical priorities and build the successful organizations of tomorrow.

Our unmatched combination of expert-led, practitioner-sourced and data-driven research steers clients toward the right decisions on the issues that matter most. We're trusted as an objective resource and critical partner by more than 15,000 organizations in more than 100 countries—across all major functions, in every industry and enterprise size.

To learn more about how we help decision makers fuel the future of business, visit

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.