Qualys debuts its next-generation security-as-a-service

For a decade, Philippe Courtot, chairman and chief executive of Qualys, has been singing the praises of cloud-based security. Many people were skeptical of security-as-a-service, where the security for a company or an application resides in a web-connected data center.

But Qualys is now a company with $65 million in revenue and it’s now introducing its second-generation cloud-based security platform, dubbed QualysGuard IT, at the RSA security conference in San Francisco, which runs this week. Just as Salesforce.com has transformed the way sales people deal with customers through a cloud computer service, Qualys is trying to transform security in the same way, so that it moves from attempts to protect individual machines to protecting an entire enterprise and its data, wherever that might be. If it succeeds, there’s a bigger pot of gold awaiting it.

The new Qualys platform represents a big overhaul, and it comes on the heels of new cloud-based scanners announced a year ago. It is an entirely new back-end computer system with new Qualys applications, service and ways to protect user security. If it works as billed, then corporate customers — 47 percent of the Fortune 100 already use Qualys — will be able to protect their data and see more uptime for their web sites. For example, if a user moves from one side of the company to another, Qualys can simply drag and drop the individual’s computing resources so that he or she can access them immediately upon transfer.

“We have spent a lot of time re-architecting the system,” Courtot said. “The network is changing. Virtualization has arrived. The movement to the cloud is unstoppable.”

Courtot, who is one of the keynote speakers at RSA, said in an interview that Qualys has worked on the new technology for two years, integrating the best lessons of the Web 2.0 era, cloud computing and software-as-a-service technologies. The new back-end infrastructure is based on the Java programming language and it has a user interface built for people familiar with social networking services.

The service is aimed at making it easy for information technology managers to spot anomalies and figure out if the corporation has a security problem or not. The simplified user interface is aimed at targeting smaller businesses, where it’s less like that they would have a large in-house security team.

Courtot said that the service can be deployed in a matter of hours anywhere in the world. That’s one of the advantages of having a cloud platform. Big Qualys partners include BT, Etisalat, Fujitsu, IBM and others.

Qualys is also unveiling a new web-based application firewall today. The open-source software is known as IronBee, and its goal is to create a way to detect threats to the corporation at the point where data crosses from inside to outside of the company and visa versa. IronBee inspects traffic for security breaches and fixes them. Courtot said the application is open source because no single company can block all security threats. New kinds of collaboration are necessary.

Qualys is used by 5,000 organizations in 85 countries. The company raised its last round of venture money in 2004 and it became cash-flow positive in 2006. The company has been profitable for the past two years and gross margins are at 83 percent. The company makes its money via subscription revenues and it has been expanding by moving into adjacent services. Now, the company has a full suite for cloud-based security.

Rivals include enterprise software vendors and other cloud-based startups.