Cloud Cover

Data security used to be all about spending big bucks on firewalls to defend data at the network perimeter and on antivirus software to protect individual computers. Internet-based computing, or cloud computing, has changed all that, at the same time expanding exponentially the chances for data thieves and hackers.

The cloud creates other opportunities too: a handful of security vendors now deliver security as a service–a one-two punch of hardware and software that monitors and manages an enterprise’s data security and bills customers only for the computing power they use. “For years, security was about big companies pushing technology to their customers,” says Qualys CEO and founder Philippe Courtot. “Now it’s about the customers pulling precisely what they need and providing them with those resources on demand.”

Qualys, a privately held company in Redwood Shores, Calif., was among the first to embrace the service-oriented model, in 1999. Today four different modules of QualysGuard, its flagship offering, are used by more than 3,500 organizations in 85 countries. The company performs more than 200 million security audits per year.

Courtot knows something about opportunity. The French entrepreneur arrived in Silicon Valley in 1987 and has built a number of companies into big-time players, including Signio, an electronic-payment start-up that was eventually sold to VeriSign in a combined deal for more than $1 billion. As CEO, he rebuilt Verity and transformed cc:Mail, a once unknown firm of 12 people, into a dominant e-mail platform before Lotus acquired it in 1991. “Throughout my career, I’ve been able to recognize that for a technology to succeed, it must have a purpose,” he says. “Technology itself has no value. It’s what you do with it that counts.”

Under the old paradigm, according to Courtot, enterprises overspent for stand-alone security devices that became unruly and difficult to operate over the long term. He says Qualys attacks the flaws in this strategy by streamlining security and tackling most of the service delivery through the cloud. “We control the infrastructure, software updates, quality assurance and just about everything in between,” he says. The firm unveiled QualysGuard in 2000. After an infusion of $25 million from the venture firm Trident Capital and another $25 million from Courtot, Qualys tweaked the service to focus mostly on vulnerability management.

Much of the company’s current revenue–sales topped $50 million last year–is being driven by a set of standards established by the Payment Card Industry Security Standards Council (PCI SSC), a trade organization composed of credit-card companies. The standards were created in 2006 to help organizations that process card payments prevent fraud by tightening controls around customer data. One of those controls: a quarterly audit for network vulnerabilities by a firm from a list of approved vendors that includes Qualys. Analysts estimate that the PCI standards have generated at least $2.5 billion for security vendors in the U.S. “It’s been a major driver of business for all of them, especially Qualys,” says Avivah Litan, a vice president and analyst at market-research firm Gartner. “When everyone has to comply, there’s a lot of work to go around.”

Qualys aims to increase the depth of its vulnerability-scanning services, reaching further into networks by auditing servers that host and operate certain Web applications for self-propagating virus programs known as malware. It released a special QualysGuard module in April 2008 to achieve this objective. After a series of acquisitions this summer, an improved version will probably be forthcoming in the next 12 to 18 months. “Because of the Internet, the enterprise network is disappearing, and companies need to be ready to protect what’s left,” Courtot forecasts. Security as a service, it turns out, is a pretty legit business.