Microsoft already hosts security software for some of its products, such as Exchange Hosted Services and antimalware scanning for Microsoft Office SharePoint Online. With its size and resources, a full-blown entry into security SaaS would do a lot to legitimize the market, according to Darren Bibby, senior channel analyst for IDC. But because of its size and its vast network of partners, Microsoft would also feel more pressure to define what exactly is the channel's role in security SaaS, Bibby said.
"The whole challenge/threat/opportunity of SaaS presents issues to both vendors and partners," he added.
Other large vendors who offer security SaaS, including Symantec and McAfee, will also bear that burden. In the meantime, their partners will have to start figuring out how to survive and succeed in SaaS -- despite not knowing what their roles will be.
They'll need to do it quickly, because Microsoft's entry will expedite growth in the security SaaS market, said Jeff Kaplan, managing director for THINKstrategies in Wellesley, Mass.
"They're all still searching," he said. "In fairness, nobody is really quite sure where their value-add is."
The companies that are having the most success in security SaaS are smaller businesses that are able to have close, strong relationships with their clients, said Mark Shavlik, CEO of Shavlik Technologies, a Roseville, Minn.-based independent software vendor (ISV) that partners with Microsoft and Symantec. That puts larger vendors at a disadvantage but also creates opportunities for partners to bridge that gap.
"It has to be a big mass market for Microsoft, Symantec and McAfee," Shavlik said. "It's not just a technology solution. It's technology plus people. […] Today's market requires a level of trust."
Acting as a trusted advisor to security SaaS clients is not just a matter of survival. It takes a high level of skill to host and manage security, which means solution providers can charge more for their work, Shavlik said.
"Those that are good at it will definitely make a successful business," he said.
The flip side to that argument is that solution providers' service opportunities aren't as complex, because the goal of security SaaS is to simplify the process, so therefore they can't charge as much for their work, Bibby said.
Either way, a lot of the success that solution providers could have hinges on the vendors' offerings, and for the most part those remain to be seen. Symantec plans to make all of its software available as services through a platform called the Symantec Protection Network, but the only offering announced so far is Online Backup Service, which won't launch until later this year.
Microsoft, which hasn't officially announced Forefront Online, has "a horrendous record when it comes to security," said Adam Gray, chief technical officer for Novacoast, a Santa Barbara, Calif.-based Symantec partner. Still, Gray said Microsoft knows it will have to do a better job with security SaaS than it has with traditional security software. And the fact that Microsoft is jumping in means it's a good market for channel companies as well.
"Getting into that business means they see an opportunity there," he said.