Analysis: MSSPs - a helping hand?
Despite the worries that persist around the outsourcing of security generally, more and more organisations - from city councils to small businesses - are finding that the pros of managed security services far outweigh the potential cons, writes Hannah Prevett.
When vendors first began offering managed security services (MSS) a decade or so ago, it barely paid its own keep. But today, MSS is doing more than wiping its own face. According to Gartner, growth in the European MSS market continues to beat expectations and reached $2.1bn in sales last year. This growth shows no signs of abating, with a predicted compound annual growth rate of 14 per cent from 2010 to 2014. Yet Carsten Casper, research director at Gartner, says the market is trickier to define than ever. “It's consistently confusing,” he claims.
He's right: MSS certainly is a slippery term. As Casper points out, there are, broadly speaking, three different types of players in the MSS market. First, there are the telcos such as AT&T and BT, which “have built solid relationships with the client and have good network connectivity, so they just add security services on top”.
Next, there are the IT outsourcers or system integrators such as IBM, Atos Origin or Wipro; they manage IT infrastructure, so naturally they can take care of the security picture, too. Then there are the security specialists – “who bring the additional level of expertise that these general-purpose players don't necessarily have” – including the likes of Integralis and SecureWorks, both of which have been snapped up by larger outfits in recent years.
Just as approaches to MSS differ dramatically, so too do the delivery models. Traditionally, the device – a firewall, for example – would remain on the customer premises and be managed by the MSS provider remotely. Then there are the hosted infrastructures, where the MSSP takes the client's device and puts it in its own data centre and manages it from there. For some customers, this more hands-off approach – or what Casper calls the “lean back” method – is the ideal arrangement. “They will say, ‘You're the provider, you're good at security – you take care of it’,” he reveals.
This would certainly appear to be the strategy taken by a rare start-up in financial services. The USP of Metro Bank, the first bank to launch in the UK since the 19th century, was to ditch the received wisdom concerning opening hours to deliver unparalleled levels of customer service and convenience. To support this (almost) always-on approach, it needed a technology infrastructure partner that could deliver a highly innovative and resilient platform. “Outsourcing provided us with a faster method of achieving compliance, but any move to outsource IT is a careful decision and requires a diligent process,” warns Metro Bank's chief executive, Craig Donaldson.
Proposals tendered and due diligence completed, Metro Bank decided to outsource to converged IT and telecoms specialist niu Solutions. Hosted from niu's ISO 27001- and ISO 9001-registered data centres, its ICT platform features comprehensive security controls to ensure Metro Bank is fully compliant with stringent industry regulations. Being able to rely on its provider to stay on top of governance was clearly a major benefit for the bank. “Legislative changes demand ongoing reviews of business processes and often new applications to cater for requirements. Niu constantly monitors our compliance and security controls, ensuring we proactively meet changing regulatory requirements,” says Donaldson.
Keeping on top of compliance is just one benefit of outsourcing security to a third party. Another is cost – it's often far more efficient to outsource to a security expert than to try and build a team to implement and run a top-drawer strategy. Ostensibly, it's cheaper than ever to outsource key functions: analysts say the cost of managing a firewall, for example, has decreased by as much as 80 per cent in the past five years. “Everyone is trying to tighten up their IT budget, and thus their security budget, so cost is the number-one driver,” says Latha Maripuri, director of security services at IBM.
It is also a case of taking the pain away, says Gerhard Knecht, head of global security services at Unisys. “It is all fun and interesting for customers to introduce security services themselves, but when it's actually implemented and they have to run it, it's no longer fun. The guys who built it don't want to do it 24/7, and then they give it to MSSPs,” he explains.
Knecht's point about in-house talent is a pertinent one, as the necessary skills are seemingly becoming increasingly rare. “Once an alarm goes off on an intrusion detection system, for example, you need someone to investigate – and that investigation needs to be done by someone who really is knowledgeable, and these people are scarce,” he says.
Maripuri agrees. “I know companies that have tried to do it themselves in-house; when they've begun recruiting the 55 people they need to form the team, they have struggled to find even the first one,” she says.
For SMEs, of course, the problem is even more pronounced: even if they can find a full-time employee with the appropriate skills, it is unlikely they will be able to afford the extra cost. What's more, the person is likely to be under-used in the long term. This means SMEs often end up hiring on a contractual basis – a process that Knecht describes as “horribly expensive”.
SMEs, though, have been compelled to change their attitude to outsourced security. “SMEs are more aware because of the breaches that are occurring. We have seen an uptake of security services in the SME space,” says Maripuri.
Ray Stanton, BT's vice president of professional services, concurs: “SMEs need a canned service that does what it says on the tin.”
Meanwhile, IBM has set up a vulnerability management service that is cloud-based. “They don't have to own any software or hardware, so it's resonating,” says Maripuri.
That may be all very well and good for SMEs, but to say that the cloud as a delivery model for security services in general is getting mixed reviews would be an understatement. Gartner's Casper sounds a cautious note: “Different types of security services lend themselves to different types of delivery. Depending on the type of security services, there will be different uptake of cloud delivery. Overall, I would say there's more hype and noise in the market than actual implementation. But that's true not just of security in the cloud, but of everything in the cloud.”
So, it's not quite the explosive growth the headlines would have us believe. And Casper says the reluctance is warranted: “Security is more of a slow mover in that respect – you really think twice before trying something new. General outsourcing through the cloud? Yes, we've made that move. Security in the cloud? We really have to think through the risks – privacy, security, regulatory compliance – before we do such implementations.”
Naturally, the outsourcing of security services in general still has its detractors. The same arguments still hold – some companies remain reluctant to hand over the reins to an outsider. But Knecht suspects that confidence in outsourcers will only grow over time, thanks in part to positive word of mouth. So what is the secret to a successful outsourced security project?
“Treat it like a partnership,” says Stanton, whose clients at BT have included The City of Edinburgh Council (see box). “It's not just about technology – it's about processes and people. You have to bring the people along on the journey with you.”
Case study: MSS in action at the City of Edinburgh Council
The City of Edinburgh Council certainly has its hands full: it is responsible for governing the Scottish capital and, as the second-biggest conurbation in the country, with more than 477,000 inhabitants, that is no mean feat. The council controls the majority of local affairs including transport, urban planning, green spaces, economic development and community regeneration, so it follows that it needs a robust IT infrastructure to handle all the disparate functions of the organisation. That was not the case 15 years ago.
“At that time we did have problems,” admits Donald Crombie, information security manager at the council. “We were actually two councils joined together, so we had completely different operating systems and network systems.”
The first few years of the current partnership with BT were spent getting to grips with the scale of the IT system. “We're a very large organisation – we probably have 20,000 computers in all,” explains Crombie. To say its IT services were quite fragmented would be an understatement: “Our servers were dotted around and not secure. We also had issues with admin rights.”
These days, a secure network and server infrastructure are in place. “Data is stored where it should be – in data centres,” says Crombie. “It gives us a great deal of confidence in the security of our information, not just in terms of the services we provide internally to our staff, but in our external services to citizens as well.”
But the work didn't end there. The constantly evolving threat landscape, combined with the changing nature of work in the 21st century, meant more vital upgrades were needed. Increasingly, staff were asking about flexible working; and for those working from home, considerable security upgrades would be required. At that point, council laptops were not encrypted by default and portable storage devices were becoming increasingly popular. “Because we didn't have an outright ban on these, their use was becoming widespread,” says Crombie.
It was clear that the council needed some form of data encryption that would provide security without hindering the ability to work flexibly. BT subsequently rolled out the encryption software across 8,000 computers, including 1,000 laptops used by workers and around 1,700 MacBooks in schools. What's more, corporate desktops were given media encryption only, which meant the data on any storage device plugged into them would be secured. Now, if the USB key is then plugged into a non-council computer – a worker's home PC, for example – the user has to key in a separate user name and password to access the information.
As a result, staff use storage devices as they did before, but do so safe in the knowledge that if their laptop or USB key is stolen, the information on it will not be easily accessed.