Numerous start-up cloud vendors are busy hyping their "Security-as-a-Service" wares, with requisite promises of turnkey "Security in a Box" and the like. But enterprise CIOs have tough questions about the validity and reliability of such firms and their services — as well they should. Securing a global IT infrastructure is paramount — with millions of dollars and customers at stake, not to mention a company's tarnished reputation if a major security breach occurs. It’s wise to ask whether such a mission-critical task can be entrusted to a third-party host.

That’s why Matthew Clark, Senior Director of IT at telecom provider Qualcomm in San Diego, is taking a cautious approach to cloud services. "Trust and security in cloud computing are big deals to companies,” he says, and too often cloud providers are more concerned with protecting their own business than the customer’s. As a result, “We are very, very cautious about what we allow to be put out into external clouds," Clark says.

Lina Liberti, VP of the Security business at CA Technologies, understands the concerns. She told me recently that, "Some of these new-to-the-market Security-as-a-Service providers are great for small to midsize business, as smaller firms are more likely to take risks in order to realize the benefits from a cloud deployment." But, she warns, outsourcing large enterprise security to a new, immature vendor is a risky consideration.

That doesn’t mean a large or growing enterprise can’t take advantage of the cost and resource savings cloud security offers; they just need to partner with companies that have hardened enterprise-grade security tools delivered as a service.

Peter Hinssen, one of Europe's leading tech gurus, noted that "CA [Technologies] realized that cloud was going to happen faster than anyone else anticipated, and the company has taken a leading role in this market. Hinssen believes that CA Technologies also is out front with its Identity Management-as-a-Service as well.

The company recently released several cloud solutions aimed at the identity and access management (IAM) security market. The CA CloudMinder portfolio, for example, is morphing the firm's long-established IAM solutions into hosted, subscription-based security services for customers. With the new services, CIOs no longer need to purchase, install and maintain their IAM tools via old-school methods (as applications on CDs, for instance). Now, they're available in the cloud as services customers can procure or buy or license from CA Technologies.

Besides its experience with enterprise data centers, CA Technologies provides trained support 24x7x365 — critical to most global online enterprises. These “comfort factors” may boost Security-as-a-Service among skeptical CIOs — even those like financial and healthcare CIOs, who need to meet stringent requirements and regulations with their cloud deployment.

To me, that's hope, not just hype.

Larry Lange is a freelance writer on the business of technology and a contributor to Smart Enterprise magazine.