Regulatory and cost-cutting pressures are forcing enterprises to reexamine the value of managed security services.
"We needed help," Tom Giangreco says about his decision to contract a managed security service provider (MSSP)...
|The Growing MSSP Market|
"We have a lot of security drivers," continues Giangreco, the information security officer at Orange County Teachers Federal Credit Union in California. "There are federal regulations, and we have state of California regulations. Beyond that, we have developed our own policies with our own internal auditing group that is pretty intent on keeping us secure."
For most enterprises, outsourcing security was once a last resort, mostly because it required handing an outside party the keys to the digital kingdom. The instability of the managed services space a few years ago didn't help instill trust and confidence among enterprise consumers.
But things have changed (see "The Growing MSSP Market"). Security managers, like Giangreco, are now faced with increasing risk and compliance pressures.
Mounting regulations, such as Sarbanes-Oxley, GLBA and the California Security Breach Information Act (SB 1386), are forcing enterprises to invest in security to ensure data integrity. At the same time, enterprises are constantly looking for ways to contain costs.
"Part of what makes it a business decision is that businesses now are facing all of these regulations," says Yankee Group analyst Jonathan Ayal Singer. "There are all these things that businesses have to comply with legally, so this is no longer a matter just for the IT people. Everyone in the organization now has to understand IT's role in keeping data secure."
MSSPs, in their various incarnations, provide enterprises with a means of improving security with expert teams and systems, reducing costs, and demonstrating due diligence to auditors and regulators.
Are managed security services a silver bullet? Certainly not, but they do offer an attractive value proposition. However, contracting an MSSP isn't that simple. Enterprises need to evaluate their needs and understand that employing an MSSP isn't outsourcing, but rather a partnership in security with a trusted outsider.
"M" Also Stands for Myriad
People talk about MSSPs as if the term refers to a single set of offerings. The truth is that the MSSP market is broken down into a number of subsets (see "Managed Security Services"). There are no all-or-nothing propositions; enterprises can pick and choose services that best fit their needs.
The MSSP space is dominated by device management and traffic monitoring and incident response services, such as those offered by VeriSign, Symantec, Internet Security Systems and Counterpane Internet Security. In most instances, IDS sensors are placed on the customer's network to monitor traffic for anomalies and signatures. Most programs will correlate events from the networks to provide threat intelligence and attack forecasts.
"MSSPs have feelers out everywhere," says Yankee's Singer. "They're monitoring attacks all over the world in all different networks, so they will be the first to see certain attacks."
Depending on the level of service, an MSSP will either support the enterprise security team in responding to attacks, or unilaterally respond by closing firewall ports and dropping traffic. Services will also use agents to handle maintenance of firewall rule sets, router configurations and IDS updates.
Completely separate from perimeter defense are the e-mail security services offered by such firms as Symantec, MessageLabs and Postini. These services replace the last hop in the e-mail transmission, performing deep scans and analysis of messages before they reach the destination network. They're primarily used for malware protection, but they also offer content filtering and antispam services. Antivirus services are offered by McAfee and Trend Micro.
Vulnerability assessment services, such as those offered by Qualys, Digital Defense and McAfee (through its Foundstone acquisition), probe enterprise networks for holes, providing security managers with detailed reports on their security posture, trending data and remediation guidance.
VPN management services, such as those offered by FiberLink and Positive Networks, relieve enterprises of the burden of establishing and maintaining secure remote connections with individual users and branch offices.
Many MSSPs and large telecoms/ISPs will offer all or most of these services. Selecting the right service requires extensive due diligence, since not all services use compatible technologies and most require varying levels of access to network resources.
It is essential to determine the level of trust you're willing to give a service provider, since it will see into your network and, in certain cases, have the ability to alter your traffic flows. VA services will also know where your weaknesses are, and monitoring and response services will know when you've been attacked and breached.
Each service provides a different piece of the security and risk management puzzle. MSSPs can either replace, supplement or support the existing security infrastructure, and most provide extensive reporting capabilities for demonstrating compliance with internal security policies, auditor requirements and regulations.
Cost savings, however, aren't always the chief objective. Some management and monitoring services will charge as much as several thousand dollars per device per month. The value proposition isn't in the reduction of head count, but the increased security that the MSSP provides by augmenting the capabilities of your staff.
But there are potential savings. MSSPs alleviate the burden of having to build and maintain complex security infrastructures--firewalls, IDS/IPS, Web security--and hire and train staff to operate them.
When Orange County's Giangreco determined he needed a security information management system to collect and correlate security logs, the cost of purchasing a software solution ranged between $50,000 and $100,000--before adding staff training costs.
"We were either going to hire some pretty high-level people, or do some extensive training. Either one would have been pretty expensive," he says. The ballpark figure for development, training, salary and benefits for one FTE could be $250,000 the first year, plus $150,000 annually for personnel and maintenance, he says, compared to less than $90,000 per year for an MSSP.
"And the cost doesn't reflect the benefit of having a much larger and more highly skilled staff available than we would have maintained on our own," he adds.
Stability and Size Matters
After the Y2K crisis, MSSPs were heralded as the solution for enterprise security. Businesses could simply offload their security burden to trusted third parties, which would provide 24/7 network and data protection.
The nascent market got a couple of black eyes quickly because large enterprises--particularly Fortune 500s--were reluctant to turn over their security to service providers. Then, the spectacular implosion of pioneer MSSPs Pilot Networks and The Salinas Group further shook enterprises' confidence in managed services.
However, a series of acquisitions, consolidations and bankruptcies has weeded out the bad seeds and strengthened the offerings in the security services arena. Symantec bought pioneer Riptech in 2002 and Brightmail last year, and VeriSign acquired Guardent. Most recently, Ubizen, TruSecure and Betrusted have come together to form Cybertrust. These moves have created an air of stability in the services industry, which remains critical to security managers.
Adding to the new stability and confidence in the services space is the longevity of such MSSPs as Internet Security Systems and the security services offered by telecom and IT stalwarts such as MCI, AT&T, Sprint, Computer Sciences Corp. and IBM.
"We wanted a vendor that could best help," says VeriSign customer Charles R. Hudson, assistant VP and information security manager for Wilmington Trust in Delaware. "I would be very leery to go with a smaller or brand-new company that has no history."
A number of smaller MSSPs continue to gain market traction, including Solutionary, LURHQ and RedSiren. They're benefiting from the notion that MSSPs can augment security and regulatory compliance. Still, enterprises remain cautious about contracting smaller service providers. Guardent sold to VeriSign because it was convinced that it didn't have the global infrastructure to compete for larger contracts.
Ken Pfeil knew he needed extra security for his financial services firm's expanding use of the Internet for business transactions.
"All of our data and services are provided over the Internet," says Pfeil, CSO at Capital IQ in New York. "We have interoperable partners and intranets, and then we have the day-to-day use of the Internet to analyze or ship data. Every time that data touches the Internet, it takes on an added dimension of vulnerability."
But before signing a single-year device management and monitoring contract with RedSiren, Pfeil did extensive research to ensure he would get the level of service he required, and that RedSiren was financially stable enough that it wouldn't suddenly go out of business.
"We felt that if anything was going to happen, it would happen during that first year," Pfeil says.
Not Outsourcing, But Partnering
MSSPs aren't a contract-and-forget option, and security services aren't about outsourcing. They are meant to build partnerships with security experts that augment an enterprise's security capabilities and work with internal teams on security challenges and incidents.
Jack Mundie has built a close working relationship with LURHQ to secure the networks of Gannett, the media giant that publishes USA Today and owns numerous other newspapers and television stations. LURHQ provides monitoring and reporting, but Mundie's team retains all operational change control and incident response.
"They understand what we are trying to do, and they will always try to fulfill that need," says Mundie, Gannett's director of operations and infrastructure services.
Few enterprises will turn over their entire security operations to an MSSP. Rather, they'll tailor services for specific needs and establish policies on how service providers should act during an incident. For instance, an enterprise may want to close a firewall port that's being exploited by a worm. Its service provider may maintain the firewall, but its SLA will require that the MSSP obtain authorization for the configuration change.
"Most customers, especially at the enterprise level, want a sense of internal control," says Jonah Paransky, senior manager of security product development at Symantec. "They want 'out-tasking,' where you have control of the process, as opposed to full outsourcing, which has someone take away the entire process."
In some cases, however, service providers can win increased trust.
"When we first started out with AT&T four years ago, they would call us no matter what the issue was," says Rebecca Autry, CIO for the U.S. Olympics Committee. "As time went on, we became more comfortable letting loose of some controls. Today, AT&T knows that during the off-hours, it can just do what it needs to do."
Trusting an MSSP isn't an act of faith, but the product of an enterprise's due diligence. With executives feeling the heat of regulatory compliance and the level of threats constantly increasing, service providers will earn that trust only after enterprises establish strict requirements and restrictions for handing over the keys to their digital kingdom.