Editor's Note: There's never dull moment in the world of online security. Threat patterns evolve in volume, sophistication, and the types of exploits and sources. News about the recent Conficker virus got us talking with Scott Petry, founder of Postini (original developers of Google's suite of security and archiving services), and Wolfgang Kadek, CTO of Qualys. Their comments follow. To learn more about trends in spam, hacking, and ways of keeping email networks safe, join Google and Qualys in an on-line conversation, "In Cloud We Trust," on April 16, where we'll discuss these topics live.

Q: Ten years ago, packaged software was the norm. Yet Postini built a hosted service - what we today call cloud computing. Why did you drive a cloud architecture for Postini?

Scott: We believed that by offering a service infrastructure we could prove a lower TCO than an on-premise alternative. With that service infrastructure aggregating data, we'd also have insight into a wider sample of data, thus providing a more effective solution.

Q: How did the idea of having a "perimeter protection service" to protect email networks in the cloud first evolve? Is the right model for the future?

Scott: Postini's innovation was to see SMTP as an integration API and DNS as a way to access traffic, thus putting us "upstream" of the customers' infrastructure, alleviating integration challenges and stopping problems before they reached the firewall. We saw this as better for a number of reasons.

Email servers have a long shelf life, and customers typically add incrementally to their system, rather than get a complete replacement. This causes a management problem for IT, creating a heterogeneous environment into which they must layer in security and compliance services.

We never saw ourselves as just an anti-spam company, so we built infrastructure that allowed a business rule to be configured as tightly as a content string for a single user. This design decision is inherently linked to the cloud. It allows us to deliver a better anti-spam solution, and also expand into content compliance areas.


Q. Wolfgang, you've been keeping a tight watch on the latest vulnerabilities impacting networks worldwide via your Laws of Vulnerabilities research. What are some of the trends you're seeing in 2009?

Wolfgang: Our research into vulnerability trends has shown that the industry overall did not improve significantly its ability to address security problems in a timely manner At the same time attackers have been getting faster and more sophisticated. Proactive security by maintaining systems updated with the latest patches is the cheapest of all security tools, nevertheless it has not grown in the way I would have hoped.

The first three months of 2009 have been a great example. We've seen Conficker infect millions of machines. The simplest way of preventing the outbreak would have been to
preventively apply a patch, if available, to stop the worm. But figuring out such patches takes time. In contrast to worms of the past which often gave us months to react, Conficker activated only two weeks after the official release of the patch, clearly showing that attackers have become faster in their timing. It's getting tougher for patches to keep up.

Q: As network security budgets continue to tighten, how can "security as a service" be advantageous to users?

Wolfgang: SaaS solutions have the advantage that they have minimal setup and are immediately usable. Companies can get their feet wet with a small pilot, show success, and then grow it at their own pace to address larger needs. Organizations of any size can take advantage of the functionality and the predictable steady cost of cloud solutions, while at the same time enjoying the usability brought through constant improvements.

Scott: Agreed. As IT faces more pressure from a changing threat landscape and increased compliance mandates, the cloud model gives maximum leverage to IT – always important, but especially in this economic climate.

Register here for "In Cloud we Trust"

Thursday, April 16, 2009 1:00 p.m. EST / 10:00 a.m. PST