Security technologies delivered via the SAAS (software-as-a-service) business model may still be in their nascent stage, but some early adopters are already piecing together multiple offerings to outsource a significant portion of their IT systems defense infrastructure.

One such company is Imperial Chemical Industries, the massive London-based maker of paints and chemicals that is in the process of being acquired by industrial conglomerate Akzo Nobel to the tune of US$16 billion (AU$19.6 billion).

With worldwide business operations and an annual research and development budget approaching US$60 million, the chemicals giant is spending more effort than ever before in securing its assets and data, company officials said.

However, utilizing a handful of SAAS applications -- including vulnerability scanning tools offered by Qualys, e-mail and anti-spam filtering from MessageLabs, and Web filtering provided by ScanSafe -- IT executives at ICI claim they are maximizing personnel and budget in a manner that traditional on-premise security products wouldn't allow.

"We're pushing the envelope in terms of what's out there with security SAAS, but so far, it's been a fantastic success; SAAS can only be employed where IT truly benefits from doing something once centrally, but there are a number of sweet spots where that approach fits today," said Paul Simmonds, global information security director at ICI. "Over time we'll likely see a mix with SAAS being used more heavily where it can offer benefits of cost and management, just as with general outsourcing."

Having used Qualys' vulnerability scanning services for over five years, ICI is at the cusp of large enterprises that have begun replacing some in-house security tools with subscription-based services.

The company is currently considering use of hosted applications binary code scanning tools offered by Veracode, a relatively new start-up, under the idea that it can begin integrating multiple SAAS technologies to offload larger parcels of its security infrastructure to outside specialists, Simmonds said.

With five years of security SAAS experience under its belt, ICI is beginning to see the long-term promise of the services offerings, according to the executive. But the company is also cognizant that despite the benefits of moving to SAAS services, some elements of its network and data security must always remain on-site.

"The combination of outsourced vulnerability and binary code analysis through combining Qualys and Veracode is the type of thing that could be very significant as it's the kind of work that can truly benefit from being done once, centrally, in terms of running samples through tests. There's a huge opportunity there, and this type of scanning is very complex to do on your own," Simmonds said.

"At the same time, like everything else, you need to be selective in what you move into the cloud," he said. "Some things are a natural fit, but others will never work for this model; there's always a danger that when something like SAAS becomes an industry trend, like security appliances today, that the market tends to go overboard."

Emerging security tools like NAC systems and endpoint-oriented products, including data leakage prevention software, are among the types of technologies the ICI security chief said wouldn't ever likely be provided via SAAS.

In the meantime Simmonds said that the chemicals behemoth will continue to seek out new SAAS security alternatives as they come to market.

Philippe Courtot, chief executive of Qualys, is recognized as one of the chief evangelists of security SAAS in general, just as Salesforce.com CEO Marc Benioff has become associated with pushing the hosted applications model into the enterprise software space.