Trust has always been a big issue with managed security services. CISOs and security pros loathe the idea of putting enterprise security in the hands of outsiders. Some larger enterprises would license monitoring and correlation technology, but wouldn't use the service. Widespread, wholesale security outsourcing? Not on their watch.
Who can blame them, especially with the lackluster record of early MSSPs? Everyone remembers the implosions of The Salinas Group and Pilot Networks, which shut down without warning, leaving their customers defenseless.
But that's changing. Now, it's all about dollar signs.
Outsourcing anything not core to the business makes fiscal sense. The outsourcing model provides more flexibility in accounting and allows security to be expensed as monthly services. This rationale is meaningless to security pros, but it's a big deal to the bean counters.
By outsourcing some or all of your security operations, you gain expert personnel without the expense of training and salaries, 24/7 monitoring without the build-out and overhead costs, and advanced intelligence from the service providers' broad view of the world.
Enterprises have a range of options when they look to outsource security, yet few providers have the full range of services that enterprises require.
Email security: Vendors such as Message Labs, Frontbridge, Symantec and Postini manage the last hop of email communications, scanning messages for malware and spam. These offerings need to expand further because authentication schemes, such as Microsoft's CallerID, are more consistently being used to combat spam.
Vulnerability assessment: Qualys, Lumeta, McAfee (which bought Found-stone) and Digital Defense follow the ASP model to provide on-demand vulnerability scanning. This increased frequency reduces vulnerability latency and provides a more continuous monitoring model.
Perimeter security: These services give enterprises 24/7 views of security without the staff investment by monitoring perimeter security devices and alerting the enterprise to threats and attacks. In some cases, they'll even respond. The space is replete with large and small providers, including Symantec, Internet Security Systems, VeriSign, CyberTrust (formerly Betrusted, TruSecure and Ubizen), Counterpane Internet Security, Red Siren and Solutionary.
Managed PKI: Yes, PKI is alive and well. Services allow enterprises to harness the power of PKI without the investment in infrastructure. Look to new technologies and shared trust requirements to push managed PKI to the forefront. Leading service providers include VeriSign, CyberTrust and GeoTrust.
SMBs may embrace managed services for the security they can't afford to build on their own, while large enterprises may use MSSPs to augment their programs. Despite their reservations about trust and reliability, even the most ardent opponents can't ignore the economics and benefits of outsourcing.
About the author:
Pete Lindstrom, CISSP, is research director at Spire Security.