Security Management in a Hybrid Application Deployment World

Published: June 23 2009, 03:20 PM
by Matthew Gardiner

A recent Wall Street Journal article discussed the challenges and opportunities around the emerging business model of software vendors offering "online applications" (SaaS) in addition to the traditional mode of providing software as on-premise applications. I am not going to wade into the merits of one approach or the other here, other than to say that some applications are well-suited to SaaS and will be provided as a service - many already are. The question I want to ask and partially answer is: where does this leave enterprises with security management? The fact that applications and their associated data are outsourced certainly doesn't mean that organizations can also outsource ultimate responsibility for the security of these applications. Who do you think will get blamed if there is a data leak?

If IT security organizations think that they have a heterogeneous IT security management challenge now, just wait until more of their applications are provided via SaaS - and thus delivered via the Internet and hosted who knows where. What enterprises are going to need is an approach to security management that automates the management of security without regard to whether the applications are deployed via the traditional on-premise mode or via the SaaS mode (what I call the hybrid application deployment world). In addition, they will need an approach to security management which is nearly instantly re-configurable, so that what is outsourced one day can be in-sourced the next, and vice versa. While there is no perfect solution yet to this hybrid security management challenge, many of the problems are well understood and at least partially solved in the world of identity and access management, Web access management, federation, and Web services security, as well as through the use of associated standards such as SAML, XACML, and SPML. Vendors, like CA, have been providing solutions to the management challenges of cross-domain, Web security management for many years now. It is only natural that CA, and vendors like us, will do so for this hybrid application deployment world as well.

One certainty is that the Web security industry needs to work together at many levels, from technology to policy and from interoperability to privacy, among other areas, to make this all work from a security management point of view. And that is exactly what we are doing. For two very timely proof points, take a look at the SaaS interoperability demonstration that is on tap at July's Burton Catalyst Conference. For another proof point on how the industry is working together to make security work in this model, take a look at the newly launched industry consortium, the Kantara Initiative.

While the particular business viability of one application deployment mode over another is still pretty foggy right now, it isn't foggy that security will need to be managed in a hybrid mode for as far as one can see ... and solutions to this problem have come and will primarily come out of the Web security management software world.


By: Matthew Gardiner
Matthew Gardiner is a Director working in the Security business unit at CA Technologies. He is a recognized industry leader in the security & Identity and Access Management (IAM) markets worldwide. He is published, blogs, and is interviewed regularly in leading industry media on a wide range of IAM...

1 person has left a comment:

In my last blog I discussed the issue of security management in a hybrid application deployment world

Posted by: CA on Security Management | July 8, 2009 6:52 AM
