New hosted e-mail security offerings underscore the struggle of hardware vendors to stay relevant in the age of cloud services.Today Cisco announced a trio of e-mail security services based on the company's IronPort anti-spam and AV appliances.

First is a managed on-premises offering, in which Cisco remotely monitors and manages IronPort appliances that reside on the customer premises. This service is available today.

Second is fully hosted mail security, in which Cisco hosts and operates the appliances on behalf of the customer in one of Cisco's data centers. Unlike other cloud-based offerings built on a multitenant architecture, each customer gets dedicated hardware. This service will be available in April.

Third is a hybrid premises/hosted offering, in which Cisco filters in-bound mail, and customers maintain IronPort devices on their own networks for outbound messages. In this hybrid approach, customers don't have to plug in more appliances to handle the processing load as spam volumes increase.

Meanwhile, customers still have the premises appliance with which to apply outbound controls, such as DLP and encryption. These services could be handled just as securely by a provider, but the premises device acts like a security blanket for customers who aren't ready to let go entirely of mail management.

Proofpoint announced a similar hybrid e-mail security service last month.

Hidden beneath the PR fanfare around this announcement is that Cisco suffers from a real dilemma. How can a hardware vendor capitalize on the cloud without killing its own business?

The e-mail security appliance market is robust enough that Cisco won't cannibalize it with a pure-play cloud offering. But the growth momentum is tipping toward the cloud and SaaS. So Cisco is trying to split the difference with something that looks like a cloud offering, but isn't built like one. And in the end, it probably won't be as profitable as one.

Cisco uses "cloud" and "SaaS" to describe these offerings, but that's not accurate. They are more like an application service provider (ASP) model, which is a problem for Cisco.

Cloud/SaaS offerings tend to be built on a multitenant architecture, in which customers share infrastructure resources. In theory, a multitenant architecture is more efficient and scalable than an ASP because providers can spin up new customers without having to add new capacity to the system.

By contrast, Cisco will dedicate IronPort appliances to each customer. Where a cloud provider would run three customers on one box, Cisco has to deploy three boxes for three customers -- even if those boxes are only 30% utilized. That's wasteful and inefficient on many fronts, including capacity, power and cooling, and management.

This model leaves Cisco with two options: eat the cost of that inefficiency, or pass it along to customers.

I suspect that for now, Cisco plans to eat it. I asked the company if it thinks it can affordably run an operation built on dedicated hardware. It assured me it has plenty of margin in the business to scale up.

Luckily for Cisco, many companies aren't ready to leave the ground for a full cloud security deployment. The company can probably bank on this reluctance for a few more years while it searches for a more sustainable solution.