Case 4:18-cv-07229-YGR Document 108-3 Filed 09/24/20 Page 1 of 112
`Case 4:18-cv-07229—YGR Document 108-3 Filed 09/24/20 Page 1 of 112
`
`EXHIBIT 5
`
`
`
`
`EXHIBIT 5
`
`REDACTED VERSION OF
`DOCUMENT SOUGHT TO
`BE SEALED
`
`REDACTED VERSION OF
`
`DOCUMENT SOUGHT TO
`
`BE SEALED
`
`
`
`
`
`

`

`Case 4:18-cv-07229-YGR Document 108-3 Filed 09/24/20 Page 2 of 112
`
`ESCP
`
`EUROPE
`
`QUALYS'
`
`Addressing the European SMB Security as a Service market
`Why and what?
`
`The Road Ahead
`in the Cloud
`
`QUALYS
`
`FeDEMAND SECURITY
`
`
`
`
`
`Object
`
`ICP team
`
`Recipients
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`
`QUALYS00883675
`
`

`

`Case 4:18-cv-07229-YGR Document 108-3 Filed 09/24/20 Page 3 of 112
`
`QUALYS"
`
`Addressing the European SMB Security as a Service market
`Why and what?
`
`Agenda
`
`Executive summary
`
`1.
`
`Introduction
`
`1.1. Context of the ICP
`1.2. Methodology framework
`
`2. Presentation of Qualys' company
`
`2.1. Corporate profile
`2
`
`
`
`
`
`3. Analysis of the European Security as a Service industry
`3.1. Assessment of the European Security as a Service (SecaaS) industry
`3.2.
`Identification of the industry's external factors
`3.3. Assessment of the industry's competitive forces
`3.4.
`Identification of the Key Success Factors of the industry
`3.5.
`Identification of the major strategic groups within the industry
`
`3.6. Assessment of the industry's attractiveness
`
`4.
`
`5.
`
`6.
`
`7.
`
`8.
`
`4
`
`8
`
` 8
`8
`
`10
`
`10
`12
`13
`
`21
`21
`36
`48
`54
`
`57
`61
`
`64
`64
`66
`74
`75
`
`77
`
`77
`77
`78
`
`79
`
`79
`82
`
`85
`85
`85
`86
`
`87
`
`88
`
`88
`
`ESCP Europe EMBA 2011
`Diffusion : confidential
`
`To be Approved V1.0 May 2011
`
`Page 2 / 111
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`
`QUALYS00883676
`
`

`

`Case 4:18-cv-07229-YGR Document 108-3 Filed 09/24/20 Page 4 of 112
`
`QUALYS"
`
`Addressing the European SMB Security as a Service market
`Why and what?
`93
`99
`104
`
`9. Conclusions and perspectives
`
`109
`
`ESCP Europe EMBA 2011
`Diffusion : confidential
`
`To be Approved V1.0 May 2011
`
`Page 3 / 111
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`
`QUALYS00883677
`
`

`

`Case 4:18-cv-07229-YGR Document 108-3 Filed 09/24/20 Page 5 of 112
`
`QUALYS'
`
`Executive summary
`
`Addressing the European SMB Security as a Service market
`Why and what?
`
`Qualys was created in 1999 and became rapidly the leading vendor of on demand IT (Information
`Technology) security risk and compliance solutions delivered as a service.
`Qualys is one of the most innovative and fastest growing software companies - ranked the 44th Fastest
`Growing Company in the Silicon Valley in 2010 and number 415 on Deloitte's 2010 Technology Fast 500.
`Qualys recently announced that it has received SC Magazine Europe 2011 awards1 for best SME
`security solution and CEO of the year for Mr. Philippe COURTOT, Chairman and CEO of Qualys.
`Qualys' business model is based on Software as a Service. Qualys licenses an IT security application to
`customers as a service on demand, through an annual subscription, in a "pay-as-you-go" model. This
`approach to application delivery is part of the utility computing model where all of the technology is in the
`"cloud" accessed over the Internet as a service. It allows clients to save money by not having to purchase
`servers or other software to support use.
`
`
` Implementation is faster: customers can deploy SecaaS services within hours
`rather than weeks or months.
`As at today, Qualys remains the worldwide leader of the VM market with 17.7% e€ market share according
`to Frost & Sullivan November 2010 report.
`
`
`
`
`
`
`
`
`Over the last past years, Qualys has expanded its offering and adapt its strategy from a pure VM
`player to a global Security as a Service provider. Qualys provides an industrialized and automated
`solution to its customers so that they can permanently assess and control compliance to the enterprise IT
`security policy, regulations and legislations.
`
`
`Qualys ambition is now to become a major global Security as a Service player. Qualys has recently
`acquired in August 2010 the Nemean Networks' solution to expand its intrusion and malware detection
`capabilities. Qualys aims at becoming the incontrovertible partner of cloud computing services providers.
`Chairman and CEO of Qualys, Mr. Philippe COURTOT, considered Qualys to be the "sheriff of the
`cloud".
`
`
`
`
`
`
`
`
`
`
`
`1 http ://www.qualys.com/company/newsroom/newsreleascs/usa/view/20 1 1 -04-26/
`2 Malware, short for malicious software, is software designed to secretly access a computer system without the
`owner's informed consent. The expression is a general term used by computer professionals to mean a variety of
`forms of hostile, intrusive, or annoying software or program code. Software is considered to be Malware based on the
`perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, Trojan
`horses, spywarcs, dishonest adwarcs, scarewarcs, crimcwares, most rootkits, and other malicious and unwanted
`software or program.
`ESCP Europe EMBA 2011
`Diffusion : confidential
`
`To be Approved V1.0 May 2011
`
`Page 4 / 111
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`
`QUALYS00883678
`
`

`

`Case 4:18-cv-07229-YGR Document 108-3 Filed 09/24/20 Page 6 of 112
`
`QUALYS"
`
`
`
`Addressing the European SMB Security as a Service market
`Why and what?
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Qualys will have to select carefully its strategic partnership among large European players having a
`strong and trusted brand.
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`ESCP Europe EMBA 2011
`Diffusion : confidential
`
`To be Approved V1.0 May 2011
`
`Page 5 / 111
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`
`QUALYS00883679
`
`

`

`Case 4:18-cv-07229-YGR Document 108-3 Filed 09/24/20 Page 7 of 112
`
`QUALYS"
`
`Addressing the European SMB Security as a Service market
`Why and what?
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`3 littp://www.canalys.com/
`ESCP Europe EMBA 2011
`Diffusion : confidential
`
`To be Approved V1.0 May 2011
`
`Page 6 / 111
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`
`QUALYS00883680
`
`

`

`Case 4:18-cv-07229-YGR Document 108-3 Filed 09/24/20 Page 8 of 112
`
`QUALYS6
`
`Addressing the European SMB Security as a Service market
`Why and what?
`
`■ Consistency with Qualys' ambition, with segment and brand positioning.
`■ Determine what to offer.
`■ Differentiate Qualys from competition.
`■ Prove that Qualys adds value to SMEs' customers.
`In addition, it's worth mentioning that Trend Micro has great returns of experience on the European and
`French SMEs market, and will be a perfect example to follow for Qualys in order to design its European
`marketing mix and deploy a pilot on the French market:
`■ Trend Micro addresses the SMEs market (up to 250 users) with a range of services called "Worry-
`Free. The idea behind this range is to provide the SME clients with value added services, so that
`they don't have to worry about IT security. The range includes 3 different types of 1eve1s4.
`■ Typically, in terms of marketing mix, "Smart protection network" technology and simplicity of
`the service are the most attractive characteristics of Trend Micro's offer, and are a real competitive
`advantage for the company. Considered as a breakthrough innovation, this simple solution
`efficiently stops threats in real time, and moreover test results confinn the effectiveness of the
`network at blocking over 5.3 billion threats daily for customers worldwide.
`■ A partnership has been set up with Dell called "Worry free" which is installed on Dell computers,
`therefore Trend Micro can be considered as an OEM5 (Originally Equipment Manufacturer). This
`service is invoiced on an annual basis.
`In order to raise "buy in" among prescribers (channels), one of the key success factor is to deliver
`free training programs providing them with core skills and raising confidence among them. A
`well trained network should benefit to all the stakeholders in the process.
`Finally, we think that a major shift to distribution model will take place in a near future for SMEs. Indeed,
`some IT security vendors (e.g. Trend Micro, Symantec, and Mc Afee) are directly selling their Security as a
`Service solution on the Internet in order to simplify their distribution channel and reduce significantly the
`costs. The distance between the seller and the buyer is reducing. Qualys will have to stick to this trend to be
`successful.
`
`■
`
`4 http ://emea . trendmicro . com/emea/products/sb/worry- free -busines s- security-product-comparison/index.html
`5 The Original Equipment Manufacturer (OEM) channel: This is the primary channel to market, whereby the security
`product is bundled with another purchase. The most obvious example is the PC channel, whereby security vendors
`partner with PC vendors to pre-install their software on new machines. The software is usually available for a 30 day
`trail, after which the end user can choose whether or not to keep the solution and pay for it through the vendor's web
`site. Another example is the
`fact that many Internet Service Providers (ISP's) provide their clients with a
`complementary suite of security products as part of their subscription.
`To be Approved V1.0 May 2011
`ESCP Europe EMBA 2011
`Diffusion : confidential
`
`Page 7 / 111
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`
`QUALYS00883681
`
`

`

`Case 4:18-cv-07229-YGR Document 108-3 Filed 09/24/20 Page 9 of 112
`
`Q QUALYS'
`
`1. Introduction
`
`1.1.Context of the ICP
`
`Addressing the European SMB Security as a Service market
`Why and what?
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`1.2. Methodology framework
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`6 Refers to the channels a company will use to connect with its customers/business and the organizational processes it
`develops (such as high tech product development) to guide customer interactions from initial contact through
`fulfillment.
`ESCP Europe EMBA 2011
`Diffusion : confidential
`
`To be Approved V1.0 May 2011
`
`Page 8 / 111
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`
`QUALYS00883682
`
`

`

`Case 4:18-cv-07229-YGR Document 108-3 Filed 09/24/20 Page 10 of 112
`
`QUALYS6
`
`Addressing the European SMB Security as a Service market
`Why and what?
`
`ESCP Europe EMBA 2011
`Diffusion : confidential
`
`To be Approved V1.0 May 2011
`
`Page 9 /111
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`
`QUALYS00883683
`
`

`

`Case 4:18-cv-07229-YGR Document 108-3 Filed 09/24/20 Page 11 of 112
`
`Q QUALYS'
`
`Addressing the European SMB Security as a Service market
`Why and what?
`
`2. Presentation of Qualys' company
`
`2.1. Corporate profile
`
`2.1.1.
`
`Strategy
`
`Qualys was created in 1999 and became rapidly the leading vendor of on demand IT security risk and
`compliance solutions delivered as a service.
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Qualys delivered its solution as services through the cloud, as at today, Qualys remains the
`worldwide leader of the VM market with 17,7% of market share7. Qualys' core business is still the
`scanning of software flaws (or vulnerabilities) at the O.S., network and application level and now the
`scanning of malwaress.
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`7 Frost & Sullivan November 2010 report
`8 Malware, short for malicious software, is software designed to secretly access a computer system without the
`owner's informed consent. The expression is a general term used by computer professionals to mean a variety of
`forms of hostile, intrusive, or annoying software or program code. Software is considered to be Malware based on the
`perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, Trojan
`horses, spywares, dishonest adwarcs, scarewarcs, crimcwares, most rootkits, and other malicious and unwanted
`software or program.
`ESCP Europe EMBA 2011
`Diffusion : confidential
`
`To be Approved V1.0 May 2011
`
`Page 10 / 111
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`
`QUALYS00883684
`
`

`

`Case 4:18-cv-07229-YGR Document 108-3 Filed 09/24/20 Page 12 of 112
`
`QUALYS"
`
`Addressing the European SMB Security as a Service market
`Why and what?
`
`Qualys extended its range of products:
`■ 2000: QualysGuard solution was launched: accurate and easy-to-use scanning technologies.
`■ 2005: extension of QualysGuard to IT compliance issue including PCI-DSS.
`■ 2008: introduction of QualysGuard Policy Compliance global scanning capabilities to collect IT
`compliance data from hosts and other assets within the organization, and maps this information into
`policies to document compliance with regulations and mandates.
`■ 2008: launch of QualysGuard Web Application Scanning (WAS), QualysGuard Malware Detection
`and Qualys Go Secure to help organizations to protect their Web sites from malwares and
`vulnerabilities.
`
`2.1.2.
`
`Mission
`
`
`
`
`
`
`
`
`
`
`
`
`Qualys is one of the fastest growing software companies - ranked the 44th Fastest Growing Company
`in the Silicon Valley in 2010 and number 415 on Deloitte's 2010 Technology Fast 500.
`The ambitions of Qualys are:
`■ Provide global visibility for organizations' IT security risks and compliance posture
`
`
`■ Be at the heart of the IT security ecosystem
`
`
`
`
`
`
`
`
`
`
`
`
`
`QualysGuard is integrated with leading security solutions and technologies9 such as: Access Management ,
`
`
`
`
`
`■ Collaborate with the IT security market in order to fight cybercrimes
`
`9 See http://www.qualys.com/partners/solpartner/
`10 hilps://community.qualys.com
`ESCP Europe EMBA 2011
`Diffusion : confidential
`
`To be Approved V1.0 May 2011
`
`
`
`
`Page 11/ 111
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`
`QUALYS00883685
`
`

`

`Case 4:18-cv-07229-YGR Document 108-3 Filed 09/24/20 Page 13 of 112
`
`QUALYS"
`
`Addressing the European SMB Security as a Service market
`Why and what?
`
`
`
`
`Mr. Philippe COURTOT, chairman and CEO of Qualys, states that "it is also our intention to build
`it into a global community effort to better fight increasingly sophisticated cyber attacks".
`
`2.1.3.
`
`Vision
`
`Qualys can be considered as a pioneer in the Security as a Service (SecaaS) industry and has greatly
`influenced the creation of the SecaaS industry.
`
`
`Chairman and CEO of Qualys, Mr. Philippe COURTOT, considered Qualys to be the "sheriff of the
`cloud".
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`ESCP Europe EMBA 2011
`Diffusion : confidential
`
`To be Approved V1.0 May 2011
`
`Page 12 / 111
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`
`QUALYS00883686
`
`

`

`Case 4:18-cv-07229-YGR Document 108-3 Filed 09/24/20 Page 14 of 112
`
`QUALYS"
`
`2.2.2.
`
`Values
`
`Addressing the European SMB Security as a Service market
`Why and what?
`
`
`
`
`
`2.3.1.
`
`External criteria
`
`The external criteria chosen to assess Qualys are: customers, relevant market, distribution network and
`competition.
`
`2.3.1.1.
`
`Customers
`
`
`
`
`
`
`
`
`
`
`
`11 Freemium is a business model that works by offering a basic product or service free of charge (such as software,
`Web services or other) while charging a premium for advanced features, functionality, or related products and
`services. The word "Freemium" is a portmanteau combining the two aspects of the business model: "free" and
`"premium". The business model has gained popularity with Web 2.0 and open source companies.
`ESCP Europe EMBA 2011
`To be Approved V1.0 May 2011
`Diffusion : confidential
`
`Page 13 / 111
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`
`QUALYS00883687
`
`

`

`Case 4:18-cv-07229-YGR Document 108-3 Filed 09/24/20 Page 15 of 112
`
`QUALYS'
`
`Addressing the European SMB Security as a Service market
`Why and what?
`
`Relevant market
`2.3.1.2.
`As we have seen before, given the importance of risk management, government regulations and exposure
`with vulnerabilities, the IT security market have been full of opportunities.
`Technologically speaking, this market has been shaped mainly according to the delivery systems criterion:
`software, hardware and services.
`
`
`
`
`
`
`ESCP Europe EMBA 2011
`Diffusion : confidential
`
`To be Approved V1.0 May 2011
`
`Page 14/ 111
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`
`QUALYS00883688
`
`

`

`Case 4:18-cv-07229-YGR Document 108-3 Filed 09/24/20 Page 16 of 112
`
`QUALYS"
`
`Addressing the European SMB Security as a Service market
`Why and what?
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`2.3.1.3.
`
`Distribution network
`
`
`
`
`
`ESCP Europe EMBA 2011
`Diffusion : confidential
`
`To be Approved V1.0 May 2011
`
`Page 15 / 111
`
`
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`
`QUALYS00883689
`
`

`

`Case 4:18-cv-07229-YGR Document 108-3 Filed 09/24/20 Page 17 of 112
`
`Q QUALYS'
`
`Addressing the European SMB Security as a Service market
`Why and what?
`
`Others
`21.2%
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`ESCP Europe EMBA 2011
`Diffusion : confidential
`
`To be Approved V1.0 May 2011
`
`Page 16 / 111
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`
`QUALYS00883690
`
`

`

`Case 4:18-cv-07229-YGR Document 108-3 Filed 09/24/20 Page 18 of 112
`
`Q QUALYS'
`
`Addressing the European SMB Security as a Service market
`Why and what?
`
`Pilch. Participant
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Source: Frost & Sullivan
`
`Figure 4: Frost & Sullivan 2010 Report, Competitive Landscape
`
`2.3.2.
`
`Internal criteria
`
`The internal criteria chosen to assess Qualys are: technologies, competencies, synergies and cost
`structures.
`
`2.3.2.1.
`
`Technologies
`
`
`
`
`
`
`11101.011111
`ima.0600 .
`
`
`
`
`
`
`
`
`
`
`
`
`ESCP Europe EMBA 2011
`Diffusion : confidential
`
`To be Approved V1.0 May 2011
`
`Page 17/111
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`
`QUALYS00883691
`
`

`

`Case 4:18-cv-07229-YGR Document 108-3 Filed 09/24/20 Page 19 of 112
`
`QUALYS'
`
`Addressing the European SMB Security as a Service market
`Why and what?
`
`ESCP Europe EMBA 2011
`Diffusion : confidential
`
`To be Approved V1.0 May 2011
`
`Page 18 / 111
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`
`QUALYS00883692
`
`

`

`Case 4:18-cv-07229-YGR Document 108-3 Filed 09/24/20 Page 20 of 112
`
`QUALYS'
`
`Addressing the European SMB Security as a Service market
`Why and what?
`
`ESCP Europe EMBA 2011
`Diffusion : confidential
`
`To be Approved V1.0 May 2011
`
`Page 19 / 111
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`
`QUALYS00883693
`
`

`

`Case 4:18-cv-07229-YGR Document 108-3 Filed 09/24/20 Page 21 of 112
`
`QUALYS'
`
`Addressing the European SMB Security as a Service market
`Why and what?
`
`ESCP Europe EMBA 2011
`Diffusion : confidential
`
`To be Approved V1.0 May 2011
`
`Page 20 / 111
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`
`QUALYS00883694
`
`

`

`Case 4:18-cv-07229-YGR Document 108-3 Filed 09/24/20 Page 22 of 112
`
`QUALYS'
`
`Addressing the European SMB Security as a Service market
`Why and what?
`
`3. Analysis of the European Security as a Service industry
`
`Definition and
`assessment of the
`SccaaS industry
`
`) Analysis of the macro Analysis of the micro
`environment
`environment
`
`/
`
`e dentification of the
`Key Success Factors of
`the SecaaS industry
`
`Identification of the
`major strategic groups
`within the industry
`
`) 1
`
`Assessment of the
`SecaaS industry
`attractiveness
`
`Objectives
`and task
`
`• Define the SaaS
`concepts
`• Define the European
`IT security industry
`
`• Define the European
`SecaaS industry
`
`• Identify the main
`players
`
`• Characterize the
`maturity level and
`future trends of the
`industry
`
`• Identify Political
`factors
`
`• Identify Economical
`and environmental
`factors
`
`•
`
`•
`
`Assess the bargaining
`power of buyers force
`
`Assess the bargaining
`power of suppliers
`force
`
`• Identify technological
`and social factors
`
`Assess the threats of
`new entrants force
`
`• Score the five
`competitive forces of
`the SecaaS industry
`
`• Define the Key
`Success Factors of the
`SccaaS industry
`
`• Define analysis
`criterion
`
`• Represent the major
`strategic groups on a
`map
`
`• Assess the SecaaS
`industry attractiveness
`from a Qualys
`perspective
`
`• Identify the 3 major
`European countries to
`address fur Qualys
`
`• Identify legal factors
`
`• Asses the threats of
`substitutes products or
`services force
`
`• Asses the rivalry
`among competitors
`force
`
`Expected
`results
`
`• Have a clear vision of
`the SecaaS industry
`
`• Know the macro
`environment threats
`and opportunities for
`Qualys
`
`• Know the micro
`environment threats
`
`• Know the key factors
`to succeed and survive
`in the industry for
`Qualys
`
`• Have a clear vision order SecaaS market and anticipate
`future trends and needs
`
`• Confirm the 3 key countries in terms of business
`potential
`
`Figure 10: Methodology used for the analysis of the European Security as a Service industry
`
`3.1.Assessment of the European Security as a Service (SecaaS) industry
`
`A top down approach is used in order to define and assess the European Security as a Service
`industry, defining firstly the cloud and SaaS concepts and the overall European IT security industry.
`
`3.1.1.
`
`Definition of the European cloud computing services industry
`
`Various definitions and interpretations of "clouds" and / or "cloud computing" exist.
`The European Commission in its report "The future of cloud computing: Opportunities for European Cloud
`Computing Beyond 2010"12 states that "In its broadest form, a "cloud" is an elastic execution
`environment of resources involving multiple stakeholders and providing a metered service at
`multiple granularities for a specified level of quality (of service)."
`Cloud systems have the following characteristics:
`■ Elasticity and instant scalability are essential core features of cloud systems and circumscribe the
`capability of the underlying infrastructure to adapt to changing, potentially non-functional
`requirements, for example amount and size of data supported by an IT application, number of
`concurrent users, etc.
`■ Reliability is essential
`for all cloud systems — in order to support today's data centre-type
`applications in a cloud, reliability is considered as one of the main features to exploit cloud
`capabilities.
`■ Quality of Service (QoS) support is a relevant capability that is essential in many use cases where
`specific requirements have to be met by the outsourced services and / or resources. In business
`cases, basic QoS metrics like response time, throughput etc. must be guaranteed at least, so as to
`ensure that the quality guarantees of the cloud user are met.
`
`12 http://cordis.europa.eu/fp7/ict/ssai/docs/cloud-report-final.pdf
`
`ESCP Europe EMBA 2011
`Diffusion : confidential
`
`To be Approved V1.0 May 2011
`
`Page 21 / 111
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`
`QUALYS00883695
`
`

`

`Case 4:18-cv-07229-YGR Document 108-3 Filed 09/24/20 Page 23 of 112
`
`Q QUALYS'
`
`Addressing the European SMB Security as a Service market
`Why and what?
`• Agility and adaptability are essential features of cloud systems that strongly relate to the elastic
`capabilities. It includes on-time reaction to changes in the amount of requests and size of resources,
`but also adaptation to changes in the environmental conditions.
`• Availability of services and data is an essential capability of cloud systems and was actually one
`of the core aspects to give rise to clouds in the first instance. It lies in the ability to introduce
`redundancy for services and data so failures can be masked transparently.
`Cloud providers typically centre on one type of cloud functionality provisioning: Infrastructure as a
`Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS), though there is
`potentially no restriction to offer multiple types at the same time, which can often be observed in PaaS
`(Platform as a Service) providers which offer specific applications too, such as Google App Engine in
`combination with Google Docs. In the present document, cloud computing services stand for cloud
`computing, Infrastructure as a Service (IaaS), Software as a Service (SaaS) and Platform as a Service
`(PaaS).
`
`CL
`
`--4
`
`■ Shared resources
`Scability and flexibility
`■ Access by the Internet
`Pay on demand
`
`IaaS
`
`Amazon Web Services
`IBM Global Services
`Sun Grid ENgine
`HP Business Technology Optimization
`
`Amazon EC2
`Force.com
`Google App Engine
`Microsoft Azure
`
`PaaS
`
`SaaS
`
`Gmail
`Google Apps
`SalesForce
`ADP GSI
`SAP Business by Design
`Cegid Business on Demand
`
`\\N
`
`Figure 11: The cloud computing services
`
`Software as a Service (SaaS) are offering implementations of specific business functions and business
`processes that are provided with specific cloud capabilities, i.e. they provide IT applications / services
`using a cloud infrastructure or platform, rather than providing cloud features themselves. Often, kind of
`standard application software functionality is offered within a cloud. Examples: Google Docs, Salesforce
`CRM, SAP Business by Design. SaaS was initially developed for sales automation and customer
`relationship management (CRM). As at today, many business13 tasks are using this mode of delivery:
`finance and accounting, purchasing, e-commerce, CRM, supply chain, HR management, computerized
`billing, ERP software, invoicing, service desk management, etc.
`
`13 See the MARKESS International market study: « Cloud Computing & SaaS Attentes et Perspectives Referentiel de
`praliques Edition 2010
`ESCP Europe EMBA 2011
`Diffusion : confidential
`
`To be Approved V1.0 May 2011
`
`Page 22 / 111
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`
`QUALYS00883696
`
`

`

`Case 4:18-cv-07229-YGR Document 108-3 Filed 09/24/20 Page 24 of 112
`
`QUALYS'
`
`Addressing the European SMB Security as a Service market
`Why and what?
`
`Software as a Service (SaaS) is basically a software deployed and accessible all over the Internet. With
`SaaS, a provider licenses an application to customers either as a service on demand, through a subscription,
`in a pay as you go model, or at no charge. This approach to application delivery is part of the utility
`computing model where all of the technology is in the cloud accessed over the Internet as a service.
`7-
`
`Sad Provider
`
`t
`
`All appIrca:nori,
`database, and
`
`SO-vet% CentralIv
`hosted and
`managed
`
`Internet traod a S
`coenemosatateent
`
`path From SaaS
`pega,dee to uses.
`
`Lose users need
`only browser access
`
`to Web to use SaaS
`
`semen'
`
`Figure 12: The SaaS concept
`
`The SaaS concept originally appeared in the early 2000's and became more popular thanks to the
`development of information technology and the Web.
`The business benefits perceived from a customer perspective are the following ones:
`• Pay per use. Pay per use strongly relates to quality of service support, where specific requirements
`to be met by the system and hence to be paid for can be specified. One of the key economic drivers
`for the current level of interest in cloud computing is the structural change in this domain. By
`moving from the usual capital upfront investment model to an operational expense, cloud
`computing promises to enable especially SME's and entrepreneurs to accelerate the development
`and adoption of innovative solutions.
`• Cost reduction. Companies are not required to invest massively in IT systems and other
`equipments (servers, additional softwares, etc.). They are turning CAPEX (Capital expenditure) into
`OPEX (Operational expenditure). Without capital equipment requirements, the economics of cloud
`computing are dominated by variable costs — costs that are controlled by the customer according to
`the organization's use of the service, as shown below.
`
`COSTS
`
`Traditional IT
`
`Fixed Cools
`(Ca pEv)
`
`Variable Coals
`(OpEO
`
`Cloud Computing
`
`Figure 13: The economics of cloud computing
`
`ER'
`
`USERS
`
`Source Qualys whitepaper « Strategies for the efficient CISO — The shift into the cloud » October 2010
`
`• Fast implementation and improved time to market are essential in particular for small and
`medium enterprises that want to sell their services quickly and easily with little delays caused by
`acquiring and setting up the infrastructure, in particular in a scope compatible and competitive with
`larger industries. Larger enterprises need to be able to publish new capabilities with little overhead
`to remain competitive. Clouds can support this by providing infrastructures, potentially dedicated to
`specific use cases that take over essential capabilities to support easy provisioning and thus reduce
`time to market.
`
`ESCP Europe EMBA 2011
`Diffusion : confidential
`
`To be Approved V1.0 May 2011
`
`Page 23 / 111
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`
`QUALYS00883697
`
`

`

`Case 4:18-cv-07229-YGR Document 108-3 Filed 09/24/20 Page 25 of 112
`
`QUALYS'
`
`Addressing the European SMB Security as a Service market
`Why and what?
`■ "Going Green" is relevant not only to reduce additional costs of energy consumption, but also to
`reduce the carbon footprint. Whilst carbon emission by individual machines can be quite well
`estimated, this information is actually taken little into consideration when scaling systems up.
`IDC estimates that total IT cloud services revenue will grow from $17,4 billion in 2009 to $44,2
`billion by 2013.
`Worldwide cloud services estimated revenue by 2010 could reach $68.3 billion, a 16.6 percent
`increase from 2009 revenue of $58.6 billion, according to Gartner. The industry is poised for strong
`growth through 2014, when worldwide cloud services revenue is projected to reach $148.8 billion.
`The scale of application deployments is growing; multi-thousand-seat deals are increasingly common. IT
`managers are thinking strategically about cloud service deployments; more-progressive enterprises are
`thinking through what their IT operations will look like in a world of increasing cloud service leverage.
`This was highly unusual a year ago.
`
`
`
`
`
`
`
`
`
`
`
`
`
`According to the survey "Trends & Evolution in Cloud Computing market in Europe" done by Pierre
`Audoin Consultants (PAC) firm14:
`■ The overall cloud computing European market represents around EUR4,5 billion in 2010.
`■ SaaS is the most mature market, mainly around messaging, Office applications, CRM, etc.
`■ PaaS position will remain limited, until a real standard emerge.
`■ IaaS will see its growth limited by price pressure.
`
` I 1
`
`8 000
`
`7 000
`
`6 000
`
`5 0110
`
`4 000
`
`3 000
`
`2 MO
`100o
`0
`
`Saa5 Total
`
`• PaaS Total
`
`■ laaSlOtall
`
`2007 2008 2009 2010 2011 2012
`
`Figure 14: The cloud computing services European market
`
`The U.S. share of the worldwide cloud services market was 60 percent in 2009 and will be 58 percent in
`2010, and around 50% by 2014 as other countries and regions begin to adopt cloud services in more-
`significant volumes. Western Europe is expected to count for 23.8 percent of the cloud services
`market in 2010, and Japan will represent 10 percent. In 2014, respectively the U.K. and the Japan should
`count for 29 percent of the market, and 12 percent of cloud services revenue.
`
`14 1itips://www.pac-online.com
`ESCP Europe EMBA 2011
`Diffusion : confidential
`
`To be Approved V1.0 May 2011
`
`Page 24 / 111
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`
`QUALYS00883698
`
`

`

`Case 4:18-cv-07229-YGR Document 108-3 Filed 09/24/20 Page 26 of 112
`
`QUALYS'
`
`Addressing the European SMB Security as a Service market
`Why and what?
`
`The financial services and manufacturing industries are the largest early adopters of cloud services.
`Communications and high-tech industries are also leveraging the cloud in significant volume, while the
`public sector is also clearly interested in the potential of cloud services and its share of the overall market.
`However, although interest in cloud computing has grown, many enterprises still have strong concerns
`about the idea of cloud computing and cloud-computing products as well as cloud services. Security is
`primary among these, while other concerns include availability of service, vendor viability and maturity.
`Many enterprises may be examining cloud computing and cloud services, but are far from convinced that it
`is appropriate for their requirements.
`
`
`
`
`
`In 2009, the ENISA has launched a survey of the actual needs, requirements and expectations of SMEs for
`cloud computing services, asking for the main likely outsourced business processes, main reasons for
`adopting cloud computing, their main concerns:
`
`Which IT services{ Applications supporting business processes are most likely to he
`outsourced to .a Cloud Computing service provider?
`
`Response
`Percent
`
`Response Count
`
`Answer Options
`
`Payroll
`Human Resources
`
`Procureme