Security applications delivered as cloud-based services will have a dramatic impact on the industry, as many cloud-based services will more than triple in many security segments, according to Gartner.

In messaging security controls such as malware and spam detection/exclusion for e-mail and instant messaging, cloud-based services account for 20 percent of revenue in 2008, and by 2013 cloud-based services in messaging security controls will account for 60 percent of revenue.

Cloud computing will enable security controls and functions to be delivered in new ways and by new types of service providers. It will also enable enterprises to use security technologies and techniques that are not otherwise cost-effective.

Gartner defines cloud computing as a style of computing where massively scalable IT-related capabilities are provided 'as a service' using Internet technologies to multiple external customers.

"The ability to provide massively scalable processing, storage and bandwidth inherent in cloud computing will require security controls and functions to be delivered to customers in new ways and by new service providers," said Kelly Kavanagh, principal analyst at Gartner. "It will also allow security technologies and techniques that are cost-effective to be used only with cloud-style computing. The massively scalable resources provided through the cloud also will be available to people who develop attacks that require intense processing, pursue cloud providers, or both."

Gartner said that the increase in use of cloud-based services, such as salesforce.com or Google Apps, means that many mobile IT users will be accessing business data and services without traversing the corporate network. This will increase the need for enterprises to place security controls between mobile users and cloud-based services.

"Although perimeter security controls will be required to protect the remaining data centre functions and the large portions of enterprise populations that are not mobile, new approaches will be needed to secure cloud-based IT services," said John Pescatore, vice president and distinguished analyst at Gartner. "One answer will be cloud-enabled security 'proxies' whereby all access to approved cloud-based IT services will be required to flow through cloud-based security services that enforce authentication, data loss prevention, intrusion prevention, network access control, vulnerability management and so on."

Another feature of cloud-enabled computing will be the ability to obtain more enterprise security controls or functions on demand. Enterprises often struggle to justify the expense of security controls or functions that are needed to respond to unanticipated or infrequent events. Cloud computing, however, can make these types of services available at short notice, at the scale appropriate to address the threat.

Cloud-style computing will also enable more vendors to offer their security products as a service and quickly match the IT service delivery infrastructure — such as bandwidth, storage and processing — to the demand for their as-a-service delivery. Some security functions — such as vulnerability scanning, security event and information management, and log management — require the technology provider to make substantial infrastructure developments to deliver security as a service. However, cloud computing will enable the provider to scale delivery resources in line with customer demand, lowering the entry barriers to the security service market.

However, Pescatore said that the use of peer-to-peer in cloud computing will also make enterprises more vulnerable to some security risks by reducing the cost of brute force attacks. "Inexpensive cloud-based processing will make it easier and cheaper to break encryption keys or find vulnerabilities in software, and financially motivated criminals will certainly seek to take advantage of that," he said. "Enterprises will need to prioritise the adoption of encryption technologies that provide easy movement to longer keys."

According to Kavanagh, as cloud-based security services emerge, some enterprises and providers will succeed, while others may miss the mark. The winners will be trusted security brands that can extend their products and services to assess and validate the security controls of cloud-style infrastructure and IT function providers, as well as security service providers that can implement and manage security controls for IT ‘cloud-style’. He said that enterprises that use cloud-based security services to reduce the cost of security controls and to address the new security challenges that cloud-based computing will bring are most likely to prosper.