Originally published on itbusiness.ca
In August, IBM spent $1.3 billion to buy Atlanta-based Internet Security Systems Inc. (ISS). Analysts and ISS customers alike laud IBM’s acquisition In particular of the ISS managed security services portfolio.
Managed security services providers (MSSPs) serve firms that choose to outsource some or all of their information security needs. And many IT managers wonder whether they should join the trend.
Kees Vos, Global Market Portfolio Management Director for AT&T, admits to initial resistance from IT staff when faced with placing security responsibilities somewhere where they can’t see it. Gradually, they admit: “If I know it’s still doing its job, maybe I can be satisfied with that.”
Less visibility may be thought of as loss of control. Vos says this shouldn’t be the case. “What we posit as a first rule is that the customer is always in charge of their security policies,” he says, while mentioning today’s monitoring tools that keep clients as well-informed as they want to be.
What nobody questions is the need for information security. Worldwide sales of network security appliances and software topped $4.3 billion in 2005 according to The Digital Economy Factbook, by Thomas M. Lenard and Daniel B. Britton. That makes for a 15% jump over 2004 revenues, and market research firm Infonetics predicts a leap to $5.7 billion by 2009.
MSSPs account for significant chunks of these sales. According to a Forrester Research telephone survey of over 702 North American companies, 30% outsource their firewalls, 26%, content filtering and 23%, intrusion detection, which includes both intrusion detection systems (IDS) and intrusion prevention systems (IPS).
However, the same survey states that between 41% and 49% of respondents don’t want to outsource these network security duties.
Paul Stamp, senior analyst with Forrester Research, sees embedded security in current network appliances and managed services as another explanation for this reticence. “When we understand threats, we embed security into the functions that we’re trying to protect,” he says.
Consider VoIP. Service providers like Telus are quick to point out the differences between Internet-based voice solutions and those that reside on private MPLS networks.
“You are exposing a whole new range of technologies to public IP traffic,” explains Richard Reiner, Chief Security/Technology Officer for Telus. “You are opening additional ports, exposing additional equipment that hasn’t had the long shakedown to potentially hostile public IP traffic that older equipment has had.”
For example, Spam over Internet Telephony (SPIT) is proving difficult to counter. Spammer success hinges on the ability to spoof point of origin, so they can’t be traced. Reiner claims this issue only affects pure Internet plays with less robust technological frameworks. “There’s no opportunity to inject spurious voice messages on a private network that doesn’t cross the Internet,” says Reiner.
Protecting voice presents its own challenges. “If some customers try doing this using IPSec technology, the more firewalls and tunnelling devices you put in between the connections, the more effect it’s going to have on the latency,” says AT&T’s Vos. “If it hits 150 milliseconds at some point, it doesn’t sound like voice anymore.”
More established responsibilities like patch management can still cause problems when done wrong. “I think patching is one of those things companies should outsource,” says Kerravala.
Stamp views patch management as a bundled commodity. “You very seldom get a standalone security patch management service,” says Stamp. “You generally have a managed desktop service which would include patch management.”
Email, also long standardized in the business world, comes with its own security best practices, like deploying bridgeheads. MSSPs often take that one step further with solutions like automatically switching to the best performing gateway and “store and forward” functions, which queue incoming mail should a firm’s own mail server experience problems.
Intrusion detection systems (IDS) are giving way to intrusion prevention systems (IPS) but in both cases firms that implement these systems need time to make them work properly.
“IDS would sit there and monitor your network,” says Reiner. “Often the system would be improperly tuned so that it would detect either nothing or report millions of things each day that were of no possible significance.”
The tuning stakes for IPS are higher since, unlike IDS, IPS are in-line devices that can shutter part of a network if they perceive an attack.
“It could be a technology that businesses simply turn off because it keeps shutting the network down,” says Reiner
Recent data suggests that’s not a good idea. The Digital Economy Factbook reports that massive attacks spread in as little as 5.5 hours.
When those attacks take a client network down, who pays for the service disruption? Vos equates such disruptions with robbery or vandalism of a server in the physical world. The solution is similar – take out an insurance policy.
Stamp adds that security services providers will typically take some liability for their mistakes. “For example, if there’s a data leak because you messed up, you might have to pay for credit checks for a year for all of the customers whose data was compromised.”
If a firm is debating whether to outsource security functions, they may want to consider an audit to determine needs.
“The rule of thumb is to have a company do the audit that’s different from the one that will do the work,” advises Kerravala.
“I’d recommend getting at least two done, and I’d let (the auditors) know up front that they won’t be doing the follow-up work.”
Stamp sees additional value in audits. “If you’re less secure than other people, you’re putting yourself at risk,” he says. “If you’re vastly more secure than other people’s environments, then perhaps you’re spending too much money on security.”
“That analysis you really can’t do on your own. You have to do that either through your own data sharing with somebody else or more easily through using a MSSP.”
As with any other managed service, the key is the service level agreement (SLA). Chris Bazinet, Director of Managed Services for Cisco Canada, notes several metrics network managers must consider when comparing offerings from competing vendors.
“Make the SLA linked to measurable activities that matter to your business,” says Bazinet. He also urges those firms considering MSSPs to watch for the correlation between various threats and the equipment and software that firms seek to protect. “Although both have complex systems, the needs of an airline are different from those of a bank,” says Bazinet. Another key to an MSSP SLA is the speed with which the service provider responds to threats.
Above all, service providers must remember that their customers are leery of outsourcing information security, at least at first. Enhanced reporting and real-time visibility on their security situations helps to assuage customer concerns.
“No company will just turn over the keys to the car,” says Bazinet. “They want to see how you’re driving the car.”
Is security outsourcing for me?
Whenever you see security guards patrolling business premises, chances are those guards work for a third party. So if business routinely outsources physical security, why not do the same for network security?
Paul Stamp chuckles at the question. “I’ve never really thought of it that way,” admits the Forrester Research senior analyst.
“A lot of it is about comfort level,” he explains. “In the physical world, the threats we face are easier to grasp, so we’re more apt to let somebody else counter those threats.”
“In the network world, people are less likely to understand what the problems are.”
The complexity of security often determines whether a firm should consider security outsourcing. “Companies that are both tech-savvy and leading-edge keep (security) in house,” says Zeus Kerravala.
The vice-president of VP of Yankee Group Research adds: “If your company has made the strategic decision to not be quite as leading-edge as some of your competitors but you still want to run leading-edge technology, then using an MSSP adds a lot of value.”
Regulatory requirements foisted onto firms can also force their decision. “Some companies are very comfortable managing security ad hoc,” says Kerravala. “You have other ones that are heavily regulated, where a lot more spending is required.”
Complexity, often the key outsourcing driver, makes some firms opt for a middle ground. Service providers such as Telus feed threat data analyses to organizations that keep information security in-house so they can tune their “threat radar” more precisely. “These are the same analyses that we provide to security firms like McAfee,” says Richard Reiner, Chief Security/Technology Officer for Telus.
Kees Vos, Global Market Portfolio Management Director for AT&T, explains his own firm’s radar: “We use what we see on our IP backbone, which runs several terabytes per day,” says Vos, “and look at the trends on all the different ports to predict upcoming threats.”
Forrester’s Stamp sees this as the key reasons for using an MSSP: “Because they’re managing multiple environments, they see threats being exploited in those environments before they get to yours.”
“They have an early warning system that most firms probably don’t.”