Managed security service providers now exist for a wide range of security functions, including:
- Firewall management
- Antivirus management
- Intrusion detection and prevention (IDS/IPS)
- Virtual private networks (VPNs)
- Workstation, server and network device configuration and management
In this tip, we'll take a look at when enterprises should outsource these critical elements of their security infrastructure. The decision to move to one or more managed providers is a complex one, and the answer will vary depending upon given business requirements.
Why make the switch to MSSPs?
There are two basic reasons to consider a managed security service provider: cost savings and service enhancements (or some combination of the two). It's important to clearly understand the objectives before evaluating service providers, as the balance struck between them will definitely influence your MSSP selection.
Economic factors often force the consideration of MSSPs as a cost-saving measure. Indeed, economies of scale often permit MSSPs to provide security services in a much more cost-effective fashion than what can be performed in-house. Consider the costs, for example, involved in maintaining a highly available border firewall in an enterprise. In addition to equipment costs (which may or may not be covered in an MSSP agreement), staff must be recruited, hired and trained to operate the equipment. The costs of fringe benefits, payroll taxes and other employer obligations will also need to be covered. And when an employee decides to leave your organization, you'll need to begin the recruiting, hiring and training process all over again. The MSSP approach shifts this burden to the provider.
MSSPs also offer the opportunity to obtain superior functionality than what can be supported in-house. While an IT shop likely has security as one of many areas of concentration, such as server/desktop management, network infrastructure and database administration, MSSPs have one function: security. This focus allows them to gather expertise that is extremely difficult to obtain in the environment of a busy IT enterprise.
Why to not switch to MSSPs
Is it always appropriate to move to an MSSP-based security infrastructure? Definitely not. Here's some food for thought before making the plunge to managed security service providers:
- Cost savings
If you decide to take the plunge, you'll need to consider the terms of your contract with the provider before signing on the dotted line. Here are some items to address in the service-level agreement (SLA):
- Response time in the event of a security incident.
By taking the time to lay an appropriate foundation of understanding and written agreements, your relationship with a managed security service provider can be a long and fruitful strategic collaboration. Taking the time to plan appropriately will greatly increase the likelihood of success. The judicious use of MSSPs can help enterprises achieve cost savings and gain access to security specialists, but they're not a panacea. It's critical to perform due diligence to ensure that each potential relationship is built upon a solid foundation.
About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated. He also answers your questions on network security.
This was first published in March 2009