For obvious reasons, many people get jittery at the prospect of handing responsibility for their organisation's security to an outsider – and yet the benefits remain alluring. Kathryn Pick weighs up the pros and cons of using managed security service providers.
There is a huge business within the IT industry for managed services. Small businesses and large enterprises alike often choose to pass on tasks, from hosting email to managing hardware, to outsiders. When it came to security, though, corporates had traditionally been more reserved, preferring to keep this function in-house rather than hand the secrets protecting their fortresses to a third party.
But in recent years, the relationship between internal IT teams and external providers has been getting closer. There may still be doubters, but companies are embracing the experts from outside their four walls and trusting them with more of their IT than ever before.
The number of managed security service providers (MSSPs) has therefore been increasing. As well as the traditional security companies such as Symantec and Trustwave coming up with their own services, big IT firms such as HP and Dell have also embraced the trend and now there is a plethora of options for outsourcing security.
Before you make that move, however, there are certain things that you need to consider.
What's on offer?
The point of a managed service is for the vendor to offer whatever the customer wants and, as such, it is hard to pin down an exact list of what is on offer.
Greg Jones, director at independent security consultancy Digital Assurance, tries to sum up the range of products out there. “MSSP is a broad term, varying from consultants who want to broaden their service to information security practitioners who are experts in managing network infrastructure,” he says. “In the middle of these are the managed security service providers. At their best, they provide brilliant and innovative services, including: anti-virus, malware and phishing email scanning, managed firewall and intrusion detection systems, authentication and vulnerability scanning.”
Services vary between MSSPs, and some specialise in one or a few areas; it is this specialism that you should seek out when making enquiries.
The first benefit of any managed service is that the business task gets put into the hands of seasoned professionals. When it comes to security, that breadth of knowledge could make a huge difference to the safety of your company.
“Taking advantage of the MSSP's depth of knowledge and dedicated technical resources, which you would not have access to in-house, is a headline benefit,” says Brian Honan, owner of IT consultancy BH Consulting. “Many MSSPs specialise in particular areas, such as log monitoring or spam filtering, so they should be able to provide a better quality of service in these areas.”
By outsourcing such a complex issue as security, a company doesn't need to recruit in-house staff with these specialist skills, freeing up money – and time – to be spent elsewhere. Ed Rowley, product manager at Trustwave, believes this is the main benefit of MSSPs.
“The story would have been different just five years ago,” he says. “Now this area is getting more complex, with an ongoing cat-and-mouse struggle, and it means businesses can end up spending all their time focusing on security. It needs to be given to security experts, leaving you to focus on your business.”
These specialists can also keep your organisation ahead of the game, says Honan. “An MSSP will have exposure to issues across all of its client base, which should provide you with the advantage of being kept abreast of the latest trends and threats to better secure your environment,” he explains.
Furthermore, the MSSP is obliged to provide a good service, and this could be an improvement on what an in-house IT department delivers.
Bob Tarzey, analyst and director at Quocirca, says: “The MSSP operates to agreed service levels that could not be achieved in-house (which is often the case in the mid-market). And they offer value through providing economies of scale for both products and the availability of human expertise across multiple customers.”
With the growing threat of cyber crime, Gavan Egan, vice president of sales at Terremark, part of Verizon, thinks that MSSPs can offer peace of mind. “Security risks have increased exponentially as every business is linked to the internet, leaving them exposed to increasingly sophisticated attacks,” he comments.
He adds: “MSSPs provide many businesses with a lifeline in these situations, giving them access to security experts and technology that are generally beyond in-house capabilities.”
The benefits are clear, but the fact remains that you are putting your trust into the hands of someone outside your organisation – something that is not without risk.
“To me, the main fear would be giving away control of a particular function that may be difficult to reclaim at a later stage, in particular if you no longer have those particular skills in-house,” says Honan. “The loss of internal skills [could lead] to a higher dependency on the MSSP over time. Should you wish to move the functions back internally, or to another MSSP, you may find you no longer have the skills to facilitate such a move and have to remain with the current MSSP, even if you are not happy with its service.”
What businesses must remember in particular is that even if they outsource their security, the buck will stop with them if anything goes wrong.
“A big concern for lots of organisations is getting the appropriate levels of control to keep the regulators happy,” says Garry Sidaway, global director of security strategy at Integralis. “When using an MSSP you need to understand where data is, what controls are in place, the reliability… all of these things are essential as you still need to demonstrate to the auditor that you are doing them. This responsibility doesn't go away [just because you are using] a trusted provider.”
Tarzey adds: “The ultimate aim of IT security is to protect an organisation's data and its reputation, and the latter can't be outsourced. The ultimate responsibility must lie with the organisation itself. After all, when a major data leak occurs, the regulator will come knocking on the door of the data owner, not the MSSP.”
And the concerns don't stop there. “By using an MSSP, you potentially open another possible attack vector into your organisation,” advises Honan. He adds: “Should the MSSP ever get breached, it could become a conduit for the attacker into your network.
“Also, now that staff within the third-party organisation have access to your data, and possibly your network, you have extended your insider threat to include not just your own employees, but also those of the MSSP.”
It is no surprise that the vendors themselves are full of praise for outsourcing, but even the consultants believe that most industries could benefit from a managed service.
“Military and government may have data-handling and protection requirements that are just not covered or are simply incompatible with a traditional MSSP, but generally the majority of sectors and industries utilise MSSPs for at least some of their security functions,” says Digital Assurance's Jones.
Trustwave's Rowley goes further, saying that even government is embracing the idea of security as a service.
“The public sector might not be the first place you think of for outsourcing security, but it is already doing this by using systems integrators that offer private managed security,” he says. “It depends on your definition, but the point of an MSSP is that you choose what you outsource.”
He adds: “We service a number of public sector organisations in the US and the UK. There is a pressure on the purse – to make savings without sacrificing security.”
More conventional users of Trustwave's services are franchises and businesses with branch offices. “Restaurants and hotels are adopting this,” Rowley comments. “These are large distributed companies, each with the same business model but short on the in-house skills and very spread out. They need the compliance and, by outsourcing it, they can leave it to the experts.”
Integralis's Sidaway explains where his company is attracting clients: “Financial service providers and pharmaceuticals have really embraced the concept that the MSSP is the expert. Retail as well, as it is traditionally not a place with IT security skills.
“But while financial firms and pharmaceuticals have the buying power to get in the skills, retailers and small- to medium-sized businesses often don't – so this is where we see growth.”
Are you ready?
As with the adoption of new technology, those considering MSSPs need to examine all the angles. When it comes to security, none of the pros and cons should be ignored – and with a managed service, weighing up risk and security is a tough call.
However, by taking into account all the points raised above, you should now be in a better position to make that call with confidence.
Case study: East London NHS Foundation Trust
When East London NHS Foundation Trust wanted to enable staff to work on the move, as well as give mental-health patients greater control of their care, it brought in Eurodata Systems, which offered a managed tokenless system from Swivel Secure.
Now staff and patients can log onto systems via a code sent by SMS. The managed service means the trust did not have to go to the expense – or risk – of providing tokens to each user, but could still ensure secure access.
“We looked at various options, including a leading token system, but our concern was that it was too expensive to implement, had a limited life and there was always the risk that users may lose their tokens,” says Jonathan Buchan, former network development manager at the trust. “We were inspired by [this solution] as it overcame all these issues and provided a flexibility that some other solutions simply cannot offer.”
Case study: Expolink Europe
When Expolink Europe – a provider of contact centre and security solutions to the likes of BAE and the Royal family – wanted to extend its offering to smaller businesses, it approached MSSP The Bunker, which suggested a cloud solution to cut the running costs for SMEs.
Although hosted in an external multi-tenanted data centre, virtual machines are created by Expolink on a dedicated server, with The Bunker managing their security.
“We weren't just looking for a cloud provider; we wanted to find a best-practice partner with a proven record in the deployment of secure solutions,” says Kate Shoesmith, project manager of incident and security management software solutions at Expolink.