One customer CSO spoke with didn't even seem aware that AT&T is cheerleading the in-the-cloud model, and AT&T says that only about 10 percent of its devices are handled in the cloud. But that's changing.

For instance, the company says that the number of virtual firewalls it manages has been growing at a compounded rate of

65 percent to 75 percent annually over the past three years and has already passed the halfway point. "The shift is starting to happen pretty rapidly," says Stan Quintana, vice president of AT&T Security Services. He projects that five years from now, the ratio of in-the-cloud devices to CPE will almost have flipped, with a full 80 percent of services handled virtually.

Even before the announcement that it would acquire Cybertrust, competitor Verizon was saying that its managed security service offerings were growing at a fast clip of about 67 percent a year, with two in-the-cloud services similar to AT&T's offerings proving to be especially popular. While the Cybertrust acquisition doesn't add to Verizon's in-the-cloud offerings, a spokesperson says, it might give the company more options for adding cloud-based functions later on.

One of those already successful services is e-mail filtering, in which inbound e-mail is scrubbed by four antivirus engines and spam is deleted through a partnership with e-mail security company MessageLabs before being passed on to the customer. "It's the same service [Verizon customers] could get on their own," Verizon Business CISO Sara Santarelli says, "but they're only interacting with Verizon's customer service."

The second, faster-growing in-the-cloud service at Verizon is DoS protection, in which Web traffic is filtered for spikes of malicious activity. "Things like DoS mitigation and detection are far exceeding industry growth expectations across MSSPs," Santarelli says. "A lot of customers keep traffic running through our [DoS attack] mitigation units all the time, just as added insurance."

None of which should be much of a surprise, given that companies such as Gartner suggest that customers demand DoS protection from their connectivity provider. "That's been our recommendation," Pescatore says. "Whoever you choose for your bandwidth, tell them, 'I don't want the raw bandwidth costs. Give me your price for DoS-protected bandwidth, and I'll compare you with others on that basis--not just on who sells me the cheapest bits per second.'"

Both AT&T and Verizon declined to provide any specifics about revenue for their security operations, but Pescatore estimates that right now, telecom companies are getting about 10 percent to 20 percent additional revenue by adding security filtering to connectivity charges. The question is how long that will last. "At some point," Pescatore predicts, "one of them is going to say, 'Hey, we'll give you that DoS protection for free if you switch from them to us.'"

Indeed, much of the industry's shift to security services seems more about staying competitive than about making buckets of money. "It's not a great portion of our revenue, but it's strategic to our overall revenue," Quintana explains. "When customers are evaluating AT&T versus vendor A, B or C, our security portfolio acts as a differentiator to pull through" the sale.