The need to manage security patches, monitor intrusion detection systems and update firewalls and anti-virus software have made some IT managers wonder whether they should outsource to a managed security service provider.
Kees Vos, Global Market Portfolio Management Director for AT&T Inc., says there’s always some initial resistance from IT staff when faced with placing security responsibilities outside their grasp. Gradually, though, they decide they can be satisfied if they know the contractors are doing their jobs.
Less visibility may be thought of as loss of control. Vos says this shouldn’t be the case. “What we posit as a first rule is that the customer is always in charge of their security policies,” he says, adding today’s monitoring tools keep clients as well-informed as they want to be.
What nobody questions is the need for information security. Worldwide sales of network security appliances and software topped US$4.3 billion in 2005 according to The Digital Economy Factbook, by Thomas M. Lenard and Daniel B. Britton. That makes for a 15 per cent jump over 2004 revenues, and market research firm Infonetics predicts a leap to US$5.7 billion by 2009.
VoIP brings new risks
MSSPs account for significant chunks of these sales. In a Forrester Research Inc. telephone survey of more than 702 North American companies, 30 per cent of respondents said they outsource their firewalls, 26 per cent content filtering and 23 per cent intrusion detection, which includes both intrusion detection systems (IDS) and intrusion prevention systems (IPS).
However, in the same survey, between 41 per cent and 49 per cent of respondents said they don’t want to outsource these network security duties.
Paul Stamp, senior analyst with Cambridge, Mass.-based Forrester, sees embedded security in current products and services as another explanation for this reticence. “When we understand threats, we embed security into the functions that we’re trying to protect,” he says.
Consider VoIP. Service providers like Telus are quick to point out the differences between Internet-based services and those that reside on private MPLS networks.
“You are exposing a whole new range of technologies to public IP traffic,” explains Richard Reiner, Chief Security and Technology Officer for Telus. “You are opening additional ports, exposing additional equipment that hasn’t had the long shakedown to potentially hostile public IP traffic that older equipment has had.”
For example, Spam over Internet Telephony (SPIT) is proving difficult to counter. For a spammer, success hinges on the ability to spoof their point of origin, and Reiner says this issue only affects pure Internet plays.
“There’s no opportunity to inject spurious voice messages on a private network that doesn’t cross the Internet,” says Reiner.
Protecting voice presents its own challenges. “If some customers try doing this using IPSec technology, the more firewalls and tunnelling devices you put in between the connections, the more effect it’s going to have on the latency,” says AT&T’s Vos. “If it hits 150 milliseconds at some point, it doesn’t sound like voice anymore.”
More established responsibilities like patch management can still cause problems when done wrong. “I think patching is one of those things companies should outsource,” says Zeus Kerravala, senior vice-president of enterprise research at the Boston-based Yankee Group.
Stamp views patch management as a bundled commodity. “You very seldom get a stand-alone security patch management service,” says Stamp. “You generally have a managed desktop service which would include patch management.”
E-mail comes with its own security requirements, like deploying bridgeheads. MSSPs often take that one step further with services like automatically switching to the best performing gateway and “store and forward” functions, which queue incoming mail should a firm’s mail server experience problems.
Intrusion detection systems (IDS) are giving way to intrusion prevention systems (IPS) but in both cases firms that implement these systems need time to make them work properly.
“IDS would sit there and monitor your network,” says Reiner. “Often the system would be improperly tuned so that it would detect either nothing or report millions of things each day that were of no possible significance.”
GET AN INSURANCE POLICY
The tuning stakes for IPS are higher since, unlike IDS, IPS are in-line devices that can shutter part of a network if they perceive an attack.
“It could be a technology that businesses simply turn off because it keeps shutting the network down,” says Reiner
Recent data suggests that’s not a good idea. The Digital Economy Factbook reports that massive attacks spread in as little as 5.5 hours.
When those attacks take a client network down, who pays for the service disruption? Vos equates such disruptions with robbery or vandalism of a server. The solution? Take out an insurance policy.
Stamp adds that security service providers will usually assume some liability for their mistakes. “For example, if there’s a data leak because you messed up, you might have to pay for credit checks for a year for all of the customers whose data was compromised.”
If a firm is debating whether to outsource security functions, they may want to consider an audit to determine needs.
“The rule of thumb is to have a company do the audit that’s different from the one that will do the work,” advises Kerravala. “I’d recommend getting at least two done, and I’d let (the auditors) know up front that they won’t be doing the follow-up work.”
Stamp sees additional value in audits. “If you’re less secure than other people, you’re putting yourself at risk,” he says. “If you’re vastly more secure than other people’s environments, then perhaps you’re spending too much money on security.”
Stamp added it’s difficult for companies to analyze whether they are putting enough resources into security.
As with any other managed service, the key is the service level agreement (SLA). Chris Bazinet, director of managed services for Cisco Canada, said there are several ways network managers can compare offerings from competing vendors.
“Make the SLA linked to measurable activities that matter to your business,” says Bazinet. He also urges companies considering MSSPs to watch for the correlation between various threats and the equipment and software that firms seek to protect. “Although both have complex systems, the needs of an airline are different from those of a bank,” he says, adding another key to an MSSP SLA is the speed with which the service provider responds to threats.
Above all, service providers must remember that their customers are leery of outsourcing information security, at least at first. Enhanced reporting and real-time visibility on their security situations helps to assuage customer concerns.
“No company will just turn over the keys to the car,” says Bazinet. “They want to see how you’re driving the car.”