Help From Above

Security managers are looking to the keepers of the Internet cloud for relief.

This article can also be found in the Premium Editorial Download: Information Security magazine: How to stop data leakage

Antigua--home of sunsets, sand and online point spreads--has become ground zero for Internet gambling. These offshore gambling sites are also prime extortion targets for organized criminals who threaten distributed denial-of-service attacks if monthly "protection money" isn't paid up. It's a scene right out of gangster movies with a high-tech twist.

"We've been hosting some of these gaming sites, and they are literally being threatened by the mob," says Dr. Bill Hancock, former chief security officer at Savvis Communications, a Texas-based carrier and maintainer of an Internet backbone. "I've seen the e-mail messages. The gambling sites start off demanding $3,000 a month, then $30,000 a month. They may pay them off at first, but when it gets this expensive, there's no ROI. They turn to us asking, 'What can you do?'"

Security managers for these gambling sites aren't the only ones asking that question. Others are also looking for a little help from above--the Internet cloud and the keepers of the Internet backbone. Carriers are starting to offer in-the-cloud security services that take advantage of their inline position with network traffic and their ability to stop attacks before they reach the enterprise gateway.

"We own the networks and the pipe; it's simple," Hancock says.

Savvis, AT&T, MCI and Perimeter Internetworking sell DDoS, antispam and antiphishing protection and other security services from the cloud. The majority of these services are in their infancy, with a few financial services organizations and SMBs among the early adopters in 2005. Carriers, meanwhile, continue to seek the right combination of technology to mitigate threats and add new services down the line--all the while managing a level of cooperation among competitors to keep incidents in check.

If carriers take hold of the ever-dissolving network edge and move enterprise DMZs into the cloud, companies will be able to retire hardware licenses and subscribe to services currently offered by managed security service providers at a fraction of the cost.

"All security functions will be forced into the cloud--DDoS, antivirus, firewalling. If we're right, it's a profound concept," says AT&T CISO Ed Amoroso. "We become an MSSP. We are taking what MSSPs do and meshing that with our own infrastructure so that the service provider and the carrier become one."

Telecommunications providers are in position to offer the following security services from the Internet cloud:

Denial-of-service protection
This chokes off large-scale DDoS attacks, as well as those targeting specific organizations, before they reach the enterprise edge.

Firewall, IPS management
A natural service because attacks can be stopped before reaching a gateway. Carriers can cheaply price these services because virtual firewalls are shared from a single device.

Antivirus, antispam filtering
Monitoring and blocking unwanted e-mail in the cloud reduces infrastructure investments for the enterprise. Gartner says one-fifth of the e-mail filtering market already comes from in-the-cloud services.

IDS management
IDS management in the cloud eliminates the need for sensors on the enterprise network edge.

Content filtering
This cuts off unwanted inbound content and prevents the outbound loss of intellectual property.

With the do-it-yourself configuration, left, an enterprise has the option of either retaining the human and financial resources to manage network traffic (Option 1), or outsourcing it to a traditional MSSP (Option 2). Opting for in-the-cloud security services from a telecommunications carrier or a network services provider, right, frees a company of expensive hardware purchases and license renewals. Moving the DMZ to the Internet cloud enables a carrier (Option 1) or NSP (Option 2) to cleanse traffic inline, re-route it to your network and keep denial-of-service, spam and phishing attacks to a minimum.
SOURCES: AT&T, MCI, Perimeter Internetworking, Gartner Inc.

A Crucial Heads-Up
Mark Ramsey, global manager of data security and compliance for Pitney Bowes, had the scoop on the August Zotob worm outbreak days before most of his peers. Zotob exploited a buffer overflow in Windows Plug and Play and spread from network to network. It opened a back door and enabled remote access to infected machines. It appeared less than a week after Microsoft released security bulletin MS05-039.

But Pitney Bowes' network survived unharmed. Why? Its bandwidth provider, AT&T, put out the word that spikes in activity on port 445 were signaling an impending outbreak of malicious code. Ramsey was able to act on this intelligence and order patching and other remediation steps. Eighty-five percent of Pitney Bowes' network was patched days before Zotob struck. AT&T, meanwhile, choked off the bad traffic.

"AT&T has the unique perspective that it can see everything at the bits and bytes level, collate that information and see things like this coming quickly," Ramsey says. "It's great as a security manager getting that kind of heads-up. We're not blindsided."

Carriers are banking on enterprises recognizing that bandwidth providers have the edge in their ease of access to network traffic, and that there is an economy of scale in outsourcing network security services to the cloud.

"The big Tier-1 types definitely have the advantage because they see everything at the backbone," says Gartner vice president John Pescatore.

The trickle-down to security managers rests in the fact that carriers have to meet bandwidth SLAs with their customers. Carriers must invest in avant-garde technologies to defend and clean their pipes, and to absorb DDoS attacks and malware outbreaks while still hitting these service levels. Also, in order to squeeze a few bucks out of their investments and stave off tumbling revenue and profit margins, carriers can offer cloud security services cheaper than an MSSP, putting a chokehold on that segment of the competition.

Savvis, for example, operates 10,000 firewalls in its backbone, says Hancock, who recently left Savvis for SecureInfo. "It's not something the customer sees or needs to tweak if we push that into the cloud for them," he says. "We have to do it anyway. You don't have to buy it."

AT&T, meanwhile, says it can trim 30 to 50 percent off the total cost of ownership of a security infrastructure.

"The biggest advantage to doing [security] in the cloud is that you remove attacks from bandwidth," Pescatore says. "If I pay for a T1 line, and 700 kilobits per second [of traffic] are worms and viruses scanning my network, I might consider buying another T1 because I need more bandwidth. If that noise gets filtered at the cloud, I might not have to buy another T1." T1 lines can cost up to $1,500 a month, which includes carrier and ISP fees. "You're looking at real big numbers," Pescatore says. "If you're looking at some of the big T3s, how many megabits per second are they logging for no reason? Think about the amount of spam before filtering became popular--hitting hard drives and requiring more storage."

The numbers are compelling, but they're not the clincher in this kind of decision. A company needs to consider how its network architecture is constructed, how it connects to the Internet and what kind of trust relationship an enterprise has with a network service provider.

A Forrester Research paper points out that security managers are usually unwilling to give up control over part of their infrastructure, but should realize that providers already carry a company's sensitive data and are responsible for how they connect to and present themselves on the Internet. Internally, there has to be a determination in an SLA of what a carrier, for example, would be responsible for blocking and what a company would secure.

That would force security and network teams to examine how a company connects to the Net. Companies with many locations may use multiple service providers. If some security functions are transferred to a carrier, the carrier becomes responsible for that risk, Forrester says. A company would then have to make decisions on who would provide connections to the Internet and where, what kind of traffic is carried via those connections and what security services would be required for the different connections.

Up In the Air
Ken Emerson, CIO of Boiling Springs Bank, a 14-branch regional financial services provider in New Jersey, says his organization's investment in cloud services (IDS management, spam filtering) from Perimeter Internetworking helps keep its business model viable. Perimeter sells managed network security services and acts as a utility between a customer and its carrier or ISP. Traffic is routed through Perimeter via a point-to-point switch or frame relay VPN, cleansed and then routed back to the customer.

"If ISPs don't take care of this themselves, you're going to see a reduction in online activities," Emerson says. "The business model won't work, and people won't invest in it unless we have a cleansing of the Internet at the level of those who provide access to it--it's incumbent upon ISPs and carriers to do so."

AT&T's Amoroso says the challenge with security managers is not only overcoming those reticent to give up control of all or part of their security operations to a carrier, but fighting long-standing infrastructure investments.

"The only thing standing in the way would be inertia, meaning, 'I'm set now; this would be a change. Even if it's cheaper, it would be a change,'" Amoroso says. "The issue in the industry is that there are an awful lot of companies that are not happy about the message that we are proposing. It's been a very lucrative market for so long to sell IDS and IPS. Then Ed comes along and says, 'Hey, this functionality really can be embedded in the carrier infrastructure.' Naturally that's not going to make everyone happy."

MSSPs argue that the carriers don't have the in-house expertise to develop technologies like theirs. Keith Laslop, vice president of business development for MSSP Prolexic Technologies, which offers a Clean Pipe managed service, says the carriers have to rely on partnerships with providers like Arbor Networks, McAfee and others that have established DDoS protection tools on the market.


Pros

Alerts customers to potential outbreaks before they happen
Cleanses traffic on their networks before it reaches enterprise border
Blocks unwanted traffic
Mitigates DDoS attacks
Eliminates customer premises equipment (CPE)
Eliminates licenses, or redeploys detection and prevention CPE to other areas of infrastructure
Frees up bandwidth
Uses familiar service models

Cons

Limits carrier configurations or policy options because equipment is shared by multiple customers
Restricts customer control over security devices
Relies on portals for updates on device status and analysis
Complicates coordination of cloud services among multiple carriers in same organization

Sources: AT&T, MCI, Perimeter Internetworking, Gartner Inc.

"The difference is in expertise," Laslop says. "It's just not the same." He also argues that carriers cannot adequately satisfy the security needs of medium or larger companies getting bandwidth services from multiple carriers.

"[DDoS] services, for example, are next to impossible to do themselves unless you are the largest of the large with 20 gigabits of bandwidth. You have no chance of stopping an attack yourself," Laslop says, adding that a trend is developing where many DDoS attacks originate from competitors and arrive without warning. "A lot of companies want to be proactive and want protection either because they're being threatened, or someone in their [market] has been threatened."

A company like Prolexic can charge about $5,000 per month for its anti-DDoS services, as opposed to almost double that price per month from a big carrier, according to a Gartner study. While some may think that a steep figure, providing DDoS protection internally could run in the hundreds of thousands of dollars annually, factoring in the purchase of additional hardware, bandwidth and staffing expertise, Gartner says.

MCI, via its acquisition of NetSec, veered away from AT&T's approach to cloud services. NetSec's Finium platform integrates input from a user device with intelligence gathered from MCI's IP network to prioritize threats and manage them according to policy.

"We combine our cloud services with what's happening inside," says MCI vice president of security Sara Santarelli.

"In pure cloud services, you're not matching up what's happening inside with the cloud perspective. How do you protect the inside threat as well as the outside?"

MCI has been offering DDoS mitigation and detection services since June, and it also offers an e-mail content service and a WAN defense service, both available since May.

Clear or Cloudy Forecast?
Gartner's Pescatore says the carriers' cloud services model resembles what security managers are used to from bandwidth providers--services across a shared infrastructure. The difference is that enterprises would no longer have to manage expensive hardware or pay licensing fees.

There are several sticking points the carriers must iron out before cloud services become viable, especially for larger enterprises. Primarily, Pescatore says, security managers are concerned about sharing routers, servers and switches with others on the carrier network, and whether carriers would limit configurations or policy options to reach a particular price point. Security managers aren't willing to be flexible in most cases and will demand dedicated equipment at the carrier.

Control loss is another issue; AT&T offers customers a portal service where they can monitor device status and alerts.

Pitney Bowes' Ramsey is an AT&T portal customer and shrugs off the control question. "Trust but verify; we have a stipulation [in our SLA] that we can monitor anytime we want," Ramsey says. "You miss something and we're hit financially, you're partly responsible."

Carriers must also provide availability guarantees, and reporting and auditing capabilities. The biggest worry, especially for SMBs going with a smaller telco or ISP, is the long-term viability of the provider.

"If a [provider] goes under, now I don't even have a firewall," Pescatore says. "I'm stuck. It's not so much an issue of loss of control and not being able to control policy, but the issue of what happens if the service provider goes away and I don't have protection."

This was last published in January 2006
