Escalating threats are forcing people to look at new ways of fortifying their security capabilities, and in many cases enlisting the help of a third party makes more sense than doing it in-house. There’s also growing confidence that the managed security services business is a legitimate one.
But it seems every carrier – Bell, Telus, Allstream, AT&T and Primus – not to mention IT service providers, resellers and integrators are all offering security as a managed service. For customers, the choices can be confusing, and there’s not a lot of clarity on the definition of managed security services.
Security is a specialized role, traditionally something that organizations have handled internally – in a lot of cases by their network management team.
Intrusion alerts cumbersome
“Security is a very different animal than managing the network,” said James Quin, senior research analyst at Info-Tech Research Group. “That’s because for the most part network management is about ensuring speed of throughput and easy flow of communications, whereas IT security really is making sure that packets are handled in a safe manner, which slows down connections and limits throughput, so passing the functionality onto the networking group really puts them in a difficult position.”
As a result, security has often come second. But the requirement for security has become stronger, he said, and dedicated security people are few and far between – they’re difficult to find, hire and retain, and expensive once you’ve got them. Then there’s the cost of infrastructure. Buying security tools can be expensive, particularly when a lot of tools on the market aren’t integrated with one another. That’s why paying a flat monthly fee for security tools and expertise is becoming such an attractive alternative.
Firewall management is a strong candidate for outsourcing, said Quin, because maintaining a rules database can be a complex process – some companies have up to 300 rules in their firewall. But intrusion detection is the primary candidate for outsourcing because it’s extremely labour-intensive. “Someone has to comb through all those alerts,” said Quin. “It’s got to be one of the most boring jobs on the face of the planet, going through a list of 2,000 to 3,000 alerts trying to find one that’s valid.”
One of the primary reasons why organizations keep security in-house, however, has to do with regulatory compliance, especially with the Personal Information Protection and Electronic Documents Act (PIPEDA).
“If I’m a Canadian company I have to work under the constraints of PIPEDA,” said Quin, adding an American service provider doesn’t necessarily have to follow PIPEDA. If there’s a security breach that falls under PIPEDA, the service provider may not accept any responsibility.
Legal liability questions
People should be extremely careful when they sign a contract, said Joe Greene, vice-president of IT security research with IDC Canada. “If you completely outsource your security and you get hacked and company secrets are stolen or lists of people with their ID, who would be liable for that kind of thing?” he said. If there’s a huge turnover in staff, for example, or a smaller company is acquired, what happens?
“They should certainly take stock of what they currently have and match that to what the threats are out there,” he said, “and taking stock of what their current technical capabilities are in terms of security and their current in-house capabilities.”
The difficulty in these relationships often occurs when something goes wrong and both sides end up blaming the other. “You need to find a provider that is accountable and clearly identifies what they are responsible for and what the customer is responsible for,” said Sandra Palumbo, senior analyst of security solutions and services with the Yankee Group.
Know what you are paying for, what is in scope, and have established reporting procedures and service-level agreements. “If you are a control-freak-type organization, managed services may not be for you,” she said. “While you need to keep track of what your provider is doing for you, you don’t want to spend all of your time managing them.”
Typically an organization won’t turn all of its security over to a third party, but aspects of it. Those aspects are typically areas that are either challenging to manage, requiring a lot of time and expertise, said Palumbo, or are not core to the business itself. Managed security service providers can also be used as part of backup or disaster recovery plans.
What if the service provider folds?
Small or mid-size businesses often consider managed security as a way to augment their staff with security expertise they would not have otherwise, she added, or look at it as a way to save money and management costs.
Managed firewalls or IDS systems are already established offerings, but of increasing interest to organizations is managed messaging, said Palumbo, including storage, e-mail cleansing or hygiene and security intelligence services.
It’s not so much an either/or scenario, but a question of where and how a third party can complement or augment your internal competencies, said Jeff Kaplan, managing director of THINKstrategies.
Organizations should make sure the service provider’s approach matches their corporate and cultural environment, he said, because there are varying kinds of businesses out there that have varying kinds of security requirements. Banking or financial companies, for example, are strict about the way in which they do this, versus other sectors that may not have the same kind of security requirements – and therefore don’t have the same constraints. In some cases, too much security can get in the way of getting work done as opposed to making sure your systems are secure.
“The biggest uncertainty is the financial viability of the [service provider] and the potential they could be acquired by a third party, like IBM’s acquisition of ISS, and what kind of an impact that could have on their operations,” he said.
Make sure you understand who is accountable for what because in some cases the accountability still rests in your hands, especially in financial services.
“For a lot of organizations, they obviously need to maintain an internal competency in these areas,” said Kaplan. “It’s important that you don’t relinquish the responsibility entirely.”