The firm predicted in a new report on the subject that growth in cloud-based security will remain strong, at about 20% through 2017, but that revenue opportunities will vary.
Gartner said that, for now, the top three most sought-after cloud services moving forward will remain email security, web security services, and identity and access management (IAM). However, in 2014, the highest growth is forecast to occur in cloud-based tokenization and encryption, security information and event management (SIEM), vulnerability assessment and web application firewalls.
"The cloud-based security market remains a viable one, offering providers many opportunities for expansion," said Ruggero Contu, research director at Gartner, in a statement. "Encryption will be a new area of growth, but it remains a complex activity. The strongest interest will be in encryption products from cloud security brokers, which are relatively easy to deploy and have options for on-premises encryption management."
Within the IAM space, interest in cloud-based security has been driven mostly by SMBs' needs to extend their basic IAM functions and serve employees who are accessing SaaS and some internal web-architected applications. An increasing number of organizations seem to be adopting cloud-based IAM services to replace IAM on-premise tools. Larger businesses are often looking to use IAM as a mixture of legacy- and web-architected cloud and on-premises.
"Although organizations' interest in encryption is expected to grow, service providers' relative lack of interest in cloud-based encryption means it has remained a complex activity, requiring organizations to initiate complex, build-your-own deployments," said Contu. "The strongest interest is in encryption products from cloud security brokers, thanks to their relative ease of deployment and their options for on-premises encryption management. Nevertheless, Gartner expects cloud hosting providers and IaaS providers to show an increased interest in cloud-based encryption capabilities."
Gartner also noted that security providers endeavoring to capitalize on this growth would be best served by identifying the most viable offerings (such as encryption), and focusing their marketing on small and medium-sized businesses. However, given the differences in maturity, cultural acceptance and local IT infrastructures, considerable regional differences exist in the deployment rates of cloud-based security systems. For instance, privacy remains an important inhibitor in the deployment of all forms of cloud-based services. This is particularly true in those regions and countries with strong regulatory requirements.
"Areas such as SIEM and IAM offer the biggest growth potential, although for SIEM this will be from a small base," said Kelly Kavanagh, principal research analyst at Gartner. "The benefits cloud security offers — particularly encryption — are making it an increasingly popular choice. However, trust concerns and regional variations mean that providers will have to assess each market opportunity carefully before deciding which to focus on."
The firm noted that the adoption of software-as-a-service (SaaS) and other cloud-based services encourages organizations to implement cloud-based security controls that are delivered either as stand-alone features or as part of an integrated SaaS package. But also, managed security services (MSS) are driving adoption of cloud-based security services among organizations. MSS delivery models are in turn being affected by demand for cloud-based security services, which is enabling security providers to become de facto MSS players.
In the next 24 months, new security-as-a-service-based offerings that address specific security controls for cloud-based IT resources will be available from larger IT and network service providers, aimed initially at small or midsize businesses (SMBs). Gartner predicts that smaller, pure-play managed security service providers (MSSPs) will be most affected by the introduction of these services, and expects them to consolidate.
"The benefits of deploying cloud-based security services are clear," said Kavanagh. "Aside from the broad area of IAM, specific controls, such as encryption, are becoming vital to the adoption of cloud computing. They are further helping to generate interest in this particular form of security service delivery."
Gartner expects acceptance of, and reliance on, cloud-based security-as-a-service offerings to increase, based on organizations gaining more experience with SaaS and more consumer-grade technology being made available to corporate systems as a result of trends, such as bring your own device (BYOD). Overall, cloud-based security services will grow faster than the market for remotely monitored customer premises equipment (CPE), but starting from a smaller base.
The report echoes recent research from Infonetics, which expects cloud-based security service revenue to grow at a 10.8% compound annual growth rate (CAGR) from 2012 to 2017, to reach $9.2 billion.
Taken together, the firm said that the managed security services market is projected to grow 45% over the next five years, barring any “potential stumbling blocks,” such as better, easier-to-manage premise-based products coming to market.
“The long-term outlook for managed security services, and especially cloud services, is quite strong, but there are some potential stumbling blocks,” cautions Jeff Wilson, principal analyst for security at Infonetics Research. “Improvements in the efficacy and ease of management of security products could decrease the urgency to move to the cloud, and regulatory drivers are forcing some customers to keep all data on premise.”