The security threats to IP networks and executives’ legal responsibilities under the U.S. Sarbanes-Oxley legislation are making IT professionals think seriously about outsourcing network security.But many large companies already have their own security infrastructure, so service providers who offer outsourced network security are focusing mainly on the mid-tier market.
“We believe that the mid sized market is hungry and they don’t have the services already” says Roberta Fox Senior Partner with Markham, Ont.-based Fox Group. “They are at the point where they are aware, but just haven’t built it, and they are not going to be as aggressive in price expectations.”
Added to this is the fact that stringent client privacy requirements, as well as strategic planning requirements, may dampen the incentive of certain large corporations to outsource their network security requirements.
“I think certain industries like health care, because of the public privacy requirements are so strict, and it is not that an outsourcer couldn’t do it, it is just the perception that it is better to keep it in-house,” says Fox.
stopping denial of service attacks
However carriers such as Telus and AT&T, who are aggressively entering the managed network security market, insist that size does not matter.
“In today’s environment many of the customers, especially the ones that have the capability to do it themselves are finding that it is very difficult to keep up with the tech curve and the expertise necessary to manage these environments,” says Stan Quintana, vice-president of managed security services for AT&T.
“Very large customers are seeing this and they are starting to essentially out task a lot of the functionality to many service providers such as AT&T, that have a road map and an integrated strategy.”
Quintana says AT&T’s core IP network includes security infrastructure that can predict worms, viruses and denial of service attacks through “predictive analysis.” As this intelligence is incorporated into At&T’s platform, it can then be used to mitigate a denial of service attack pointed at a customer. The attack can be thwarted within AT&T’s network before it reaches the customer’s internal network.
AT&T can also perform anti-virus and anti-spam functions on a customer’s incoming e-mail messages. AT&T also offers a network-based firewall for customers who do not want to buy their own security products.
The carrier’s Secure E-Mail Gateway Service includes spam filtering, virus blocking and policy enforcement for both inbound and outbound e-mails.
Other carriers who provide security services include Bell Canada, which spun off a separate company — Bell Security Solutions Inc. — last February. Services include managed virtual private networks (VPNs) and virus protection.
execs could face jail time
Although there still may be an incentive for large corporations to retain network security in-house, recent laws governing corporate accountability, such as Sarbanes-Oxley in the United States, are making executives to pay particular attention to the viability of their network security infrastructure.
“In terms of Sarbanes-Oxley in the States you are facing jail time if you sign off as a CFO or CIO on your security measures and something isn’t right” says Alicia Wanless, an analyst with the Toronto-based SeaBoard Group. “If I were a CFO in that position I think I would still have my own IT department, but I would also think about partnering that up with other solutions.”
In addition, Internet Protocol networks are bringing new security problems that many existing solutions are not built to deal with.
“When you start bringing IP and mixing voice and data on the common network platform, you get a whole host of issues now that didn’t even exist a year or two ago” says Jon Arnold, Principal of Toronto-based Jon Arnold and Associates. “So even with large enterprises you could make the case for the outsourcing argument on the grounds that this area is just too new and unknown to totally handle in house.”