So you've decided to outsource your security function. But how do you choose the provider that's right for you? Barry Mansfield reports.
For a company with limited IT staff, outsourcing its information security operation to a managed security service provider (MSSP) is an attractive proposition. After all, it's one less thing for an already overburdened IT department to worry about. Many organisations are now turning to MSSPs to manage specific areas of security, anything from firewalls and data hosting to code development and vulnerability assessment.
However, not everyone is happy to relinquish control over the security of their systems. While outsourcing security can relieve the stress of managing these systems in-house, competence among MSSPs varies considerably. And a crucial point to keep in mind is that the burden of responsibility still lies with the organisation if a breach does occur. It is therefore vital to investigate any provider and conduct due diligence on it before signing the contract.
Many IT professionals feel that information security is a central business function, and outsourcing it would be equivalent to handing over the keys to the kingdom. This is understandable for companies with highly specialised security needs or policies.
"Managed security has its place, but the benefits just don't apply in all areas of business, particularly where security is absolutely critical to public confidence in the company," says Thomas Raschke, senior analyst at Forrester Research. "For example, I wouldn't be surprised if e-commerce giants such as Amazon were reluctant to outsource security. They might be happy offloading the more mundane tasks, but if you are handling huge volumes of sensitive data you really want to keep the difficult stuff in-house."
However, some organisations decided long ago that security would be better handled by others. And as attackers become more sophisticated, so must the tools wielded to stop them. According to Gartner, managed security services will be the fastest-growing segment of the managed services arena in western Europe, expanding at a compound annual growth rate of around 15 per cent over the next few years.
"We entrust our health to specialists, to doctors, and outsourcing security is no different," says Raschke. "It can be difficult to recruit experts to an in-house setup. The bottom line is that if somebody can do a better job than you, and help free up valuable time for the company, then it will hold some appeal. These MSSPs have many customers, and they are used to dealing with the same issues over and over again, on a daily basis."
By contrast, in-house security teams can be stifled by long periods of boredom when nothing is happening, but must react quickly when an incident does occur. "Management may question the importance of security if they can see that nothing much is happening internally," adds Raschke. "Of course, that would be unwise, but it's their perception. So outsourcing security is also a way of avoiding counter-productive politics."
MSSPs are benefiting from the shrinking window between vulnerability disclosure and exploitation, the arrival of sophisticated new technologies such as network admission control, and the ever-expanding network perimeter, which now includes business partners and mobile workers. At the same time, CTOs are under mounting pressure to cut costs, improve services and comply with government regulations - all while maintaining quality of service and ensuring business continuity.
Economies of scale
With top in-house security managers commanding an average annual salary of around £60,000, according to InformationWeek's 2006 salary survey, the initial cost advantages of outsourcing are obvious. And that's before factoring in the expenses associated with security hardware and software. The size and scope of MSSPs' businesses permit them to negotiate substantial volume discounts with vendors for products and maintenance costs. In short, all the ingredients for MSSP growth are there.
Considering the changes that both the IT industry and the managed-services sector are going through, it is particularly important to apply outsourcing best practices to an MSSP engagement. Successful CTOs always work hard at developing relationships with their providers while taking care to put comprehensive management and control policies in place. Many MSSPs have spent years perfecting their traditional offering. They often strive to maintain patch levels as part of their service-level agreements (SLAs), which is good news considering the alarming speed at which vendors issue security patches and the time-sensitive, expensive process of reviewing the need for each patch.
Thanks to their vendor relationships, MSSPs often receive advance notice of worm and virus outbreaks, in addition to gaining access to patches sooner. Virgin Mobile, for example, says that ISS's Virtual Patch helped it greatly in this way. "We have several hundred Windows, HP and Unix servers, managed under third-party outsourcing deals," explains Ian Medd, information security manager at Virgin Mobile. "Timely patch management used to be a real nightmare for us. Virtual Patch provides us with a degree of comfort that our assets are protected against new vulnerabilities at the earliest possible stage in the cycle."
When you get around to reading the small print, however, it turns out that SLAs are not always a sure-fire guarantee of service quality. "Some agreements are quite vague," says Forrester's Raschke, "but recently we've noticed more powerful gestures being made, for example cash-back guarantees."
Even organisations well served by in-house experts may find certain tasks extremely time- and labour-intensive. Before signing up to Postini's on-demand service, Scottish law firm MacRoberts spent hours every day checking quarantined spam for false positives. "We were receiving thousands of spam messages every day that had to be manually checked to ensure no genuine emails were blocked," explains David Murphy, the firm's IT director. Apart from using up valuable time, the delay in forwarding genuine emails caught up in the sheer volume of spam was a significant business annoyance.
The turning point came in 2006, when the company experienced a denial-of-service attack that knocked out the entire email system for two days. He says he opted for Postini because the software allows users to set their own white and black lists and go online to check spam, enabling them to take control of their own email. Because the information is accessed via a web browser, MacRoberts' 60 BlackBerry users can also control email from any location, and authorised users can check their colleagues' mailboxes on their behalf. "Allowing secretaries and paralegals to manage white lists and monitor email for partners is especially useful, as it ensures that fee-earning time is maximised," he explains.
Keep it simple
As with other types of outsourcing, businesses wanting a lot of customisation may run into problems. An MSSP's operational model is built on scaling one standard service up for many customers, and providers are reluctant to deviate from it. It is best to avoid asking an MSSP to customise configurations: if, for example, the company requires a specific port on the firewall to be open but the MSSP's policy forbids it, convincing the provider to change this may be tough. Some service companies claim to evaluate special requests on a case-by-case basis, but they may be reluctant to offer a configuration that benefits only one client and falls short of security best practice.
Organisations should remember that outsourcing security monitoring and management does not eliminate the need for internal expertise. When MSSPs identify an exposure, they must be able to liaise with an internal contact who understands the technical repercussions and can make an informed decision about changes relating to their employer's applications, network and servers. Also, the company must assign someone with enough expertise to evaluate the MSSP's performance and make sure all the benefits are being realised.
An "out-of-sight, out-of-mind" approach is not an option when it comes to outsourced security. Remember, ultimate responsibility if things go wrong is the one thing you can't hand over to a third party, and your organisation's reputation is far more likely to be damaged by a high-profile security breach than that of the MSSP.
MORE PLAYERS, BIGGER PLAYGROUND
The shape of the modern MSSP is changing, and the array of choice is now bewildering. Some internet service providers have added managed security to their repertoires, while a few security vendors have started offering internet access. Still other providers have come into existence as new entities. Systems integrators such as Netstore and Serco have evolved into service integrators, providing managed security for a monthly fee instead of simply shifting the equipment and leaving day-to-day management to their clients.
As network threats have increased in volume and complexity, managed services have evolved to combine human analysis with automated techniques such as data mining and security event correlation to prevent network breaches. Some MSSPs also supply professional services. For example, BT, ISS and SecureWorks offer project management, vulnerability and penetration testing, emergency response assistance and risk assessments.
There has been a clear trend away from simply "firefighting" to a more abstract, non-technical advisory role involving security reporting. Whereas the emphasis used to be on protecting the organisation from external threats, information leakage is now emerging as a new area in which MSSPs are keen to ply their trade.
CASE STUDY - THE NORWICH AND PETERBOROUGH GROUP
The Norwich and Peterborough Group (N&P) includes property surveyors Hockleys Professional, as well as Norwich and Peterborough Building Society and Insurance Brokers.
Last year, the group started to upgrade its remote-access server and authentication system. At that time its primary user, Hockleys, was using an old dial-up remote access system but, with more of Hockleys' surveyors working from home, it made sense to implement a more powerful and intuitive internet VPN system to support these employees' increased take-up of home broadband.
"The time was right to implement a group-wide VPN remote access system," says Chris Cornish, N&P's group data security manager. "By putting in a group-wide system, we could achieve high-speed access and authentication for all areas of the business. The goal was not only to improve our service to remote staff, but also to reduce our telecoms, support and implementation costs."
The company currently has around 150 users, who can now access email, intranet services and the web from home via an encrypted VPN tunnel.
The VPN servers communicate with Signify's authentication service over encrypted internet connections. Signify manages its authentication process via multiple secure internet data centres, while N&P's administrators can control every aspect of their service via the MSSP's web portal.
"We are able to manage the set-up and day-to-day running of our authentication service, add new users and handle most issues, thanks to the portal," says Cornish. "Signify's 24/7 end-user helpdesk allows our staff to help themselves should they lose their token or forget their PIN. They can fix the problem at any time of day and night without contacting our IT support team."
The web portal models the organisational structure of the group, with the building society and Hockleys Surveyors as separate organisations. While Cornish has control over all users and systems, administrators in each sub-organisation only have scope over their local users and systems, and have no visibility of users in the other business unit.
"This solution doesn't require any sacrifices," explains Cornish. "I can delegate day-to-day responsibility but still retain overall control of the group's security policy and users."
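The delegated-administration arrangement in the case study, a group-level administrator who sees everything and sub-organisation administrators who see only their own users, comes down to a scope check on every administrative action. The following is an added example written for this article, not Signify's portal code: the organisation names and users are constructed sample data, and the "*" group scope is an assumed convention. The one detail worth copying is that an out-of-scope user is reported exactly like a non-existent one, so a sub-organisation administrator cannot use PIN resets to enumerate the other business unit's user list.

```python
"""Scoped delegated administration (added example, not the MSSP's own code)."""
from __future__ import annotations

from dataclasses import dataclass, field

GROUP = "*"  # assumed convention: scope value for the group-wide administrator


@dataclass(frozen=True)
class Admin:
    name: str
    scope: str  # GROUP, or the single organisation this admin may manage


@dataclass
class Directory:
    # organisation name -> set of user names (constructed sample data)
    orgs: dict[str, set[str]] = field(default_factory=dict)
    audit: list[str] = field(default_factory=list)

    def can_manage(self, admin: Admin, org: str) -> bool:
        """Group admins manage every organisation; others only their own."""
        return admin.scope == GROUP or admin.scope == org

    def visible_users(self, admin: Admin) -> dict[str, set[str]]:
        """The view an admin gets: only organisations inside their scope."""
        return {org: set(users) for org, users in self.orgs.items()
                if self.can_manage(admin, org)}

    def add_user(self, admin: Admin, org: str, user: str) -> None:
        """Create a user; refused outright when the org is out of scope."""
        if not self.can_manage(admin, org):
            raise PermissionError(f"{admin.name} may not manage {org}")
        self.orgs.setdefault(org, set()).add(user)
        self.audit.append(f"{admin.name} added {user} to {org}")

    def reset_pin(self, admin: Admin, user: str) -> str:
        """Find the user within the admin's scope and reset their PIN.

        Returns the organisation the user belongs to.  An out-of-scope user
        raises the same LookupError as a non-existent one, so the call cannot
        be used to probe the other business unit's user list.
        """
        for org, users in self.visible_users(admin).items():
            if user in users:
                self.audit.append(f"{admin.name} reset PIN for {user} ({org})")
                return org
        raise LookupError(f"no user {user!r} in scope of {admin.name}")


def sample_directory() -> Directory:
    """Constructed sample mirroring the case study's two business units."""
    d = Directory()
    group_admin = Admin("group-admin", GROUP)
    d.add_user(group_admin, "building-society", "alice")
    d.add_user(group_admin, "building-society", "carol")
    d.add_user(group_admin, "surveyors", "bob")
    return d


if __name__ == "__main__":
    d = sample_directory()
    surveyors_admin = Admin("surveyors-admin", "surveyors")
    print(d.visible_users(Admin("group-admin", GROUP)))  # both organisations
    print(d.visible_users(surveyors_admin))               # surveyors only
    print(d.reset_pin(surveyors_admin, "bob"))
    for attempt in (lambda: d.reset_pin(surveyors_admin, "alice"),
                    lambda: d.add_user(surveyors_admin, "building-society", "eve")):
        try:
            attempt()
        except (LookupError, PermissionError) as exc:
            print("refused:", exc)
```

The audit list is there because the article's point is that delegation does not remove the group administrator's accountability: every action a sub-organisation administrator takes is recorded under their name, and the group administrator can read the whole log.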
KEY QUESTIONS TO ASK YOURSELF AND YOUR MSSP
1. Are you fully equipped for short-term tasks that fall outside the remit of the MSSP? Although it is acceptable to expect an MSSP to respond to a hardware or software failure within 15 minutes, acknowledging non-critical requests may take up to 24 business hours.
2. Does the provider indicate a focus on actively preventing - rather than just detecting - intrusions?
3. What are the MSSP's main vendor relationships? Will it be able to update software protecting your systems should one of its providers go out of business? Be sure to get your legal advisers to draft a sound contract identifying liabilities and ramifications if a security incident were to happen, and have a well-developed contingency plan in place.
4. Is the MSSP financially healthy? If a provider meets your service-level agreement (SLA) and technical requirements, but its financial health is questionable, be prepared to walk away.
5. What is the background of the people who will be working on your equipment? Are potential employees subjected to background checks or security clearance?
6. When negotiating your SLA, have you paid close attention to the MSSP's agreed time to respond to a request, the time within which the change should be made, and the additional fees charged for unscheduled changes? With a good SLA, you can claim financial penalties (typically service credits) should the provider fail to meet its contractual obligations.
7. What is the MSSP's procedure for accommodating new business partners? Will these new additions be defined as separate projects or included in the recurring fee?
8. Will the vendor need to involve channel partners, resellers, subcontractors or other providers to deliver your requested services?
9. Which of your administrators will have access to security data? Remember it's your responsibility to collaborate with the MSSP to make sure only authorised personnel can request security changes. It's also up to the organisation to make sure all documentation concerning device configurations, IP addresses, users and support-contract information is up to date.
10. Does the prospective outsourcer provide free trials? If so, make use of the opportunity to try before you buy.
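Questions 1 and 6 only have teeth if someone in-house actually measures the provider against the agreed response times, which is the internal expertise the article says you cannot outsource. The script below is an added example, not from the article or any MSSP: it scores a ticket export against the two figures quoted in question 1 (15 minutes to respond to a failure, 24 business hours to acknowledge a non-critical request). The CSV layout, the 09:00 to 17:00 Monday to Friday business day and the sample tickets are all constructed assumptions; a real export would need its own parser and the working hours written into your contract.

```python
"""Score MSSP ticket acknowledgements against SLA targets (added example)."""
from __future__ import annotations

from datetime import datetime, timedelta

# Targets taken from the article's figures.
CRITICAL_TARGET_MINUTES = 15          # wall-clock: failures are 24x7
NON_CRITICAL_TARGET_HOURS = 24        # counted in business hours
BUSINESS_START, BUSINESS_END = 9, 17  # assumed working day, Monday to Friday

# Constructed sample export: id, severity, opened, acknowledged (empty when the
# provider never acknowledged the ticket).  9 March 2007 is a Friday.
SAMPLE_TICKETS = """\
T100,critical,2007-03-05T10:00,2007-03-05T10:12
T101,critical,2007-03-05T10:00,2007-03-05T10:30
T102,non-critical,2007-03-09T16:00,2007-03-13T11:00
T103,non-critical,2007-03-09T16:00,2007-03-15T10:00
T104,critical,2007-03-06T02:00,
"""


def business_hours_between(start: datetime, end: datetime) -> float:
    """Hours inside Mon-Fri BUSINESS_START-BUSINESS_END between two times."""
    if end <= start:
        return 0.0
    total = timedelta()
    day = start.replace(hour=0, minute=0, second=0, microsecond=0)
    while day <= end:
        if day.weekday() < 5:  # Monday=0 .. Friday=4
            window_open = day.replace(hour=BUSINESS_START)
            window_close = day.replace(hour=BUSINESS_END)
            lo, hi = max(start, window_open), min(end, window_close)
            if hi > lo:
                total += hi - lo
        day += timedelta(days=1)
    return total.total_seconds() / 3600


def evaluate(csv_text: str) -> list[dict]:
    """One result per ticket: elapsed time, the target it is measured against
    and whether the target was breached.  A missing acknowledgement is a breach."""
    results = []
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        tid, severity, opened_s, acked_s = line.split(",")
        opened = datetime.fromisoformat(opened_s)
        acked = datetime.fromisoformat(acked_s) if acked_s else None
        if severity == "critical":
            target, unit = CRITICAL_TARGET_MINUTES, "min"
            elapsed = None if acked is None else (acked - opened).total_seconds() / 60
        else:
            target, unit = NON_CRITICAL_TARGET_HOURS, "business h"
            elapsed = None if acked is None else business_hours_between(opened, acked)
        results.append({
            "id": tid, "severity": severity, "elapsed": elapsed,
            "target": target, "unit": unit,
            "breached": elapsed is None or elapsed > target,
        })
    return results


def breaches(csv_text: str) -> list[str]:
    """Ticket ids to raise with the provider (and to claim credits against)."""
    return [r["id"] for r in evaluate(csv_text) if r["breached"]]


if __name__ == "__main__":
    for r in evaluate(SAMPLE_TICKETS):
        shown = "never" if r["elapsed"] is None else f"{r['elapsed']:.1f} {r['unit']}"
        flag = "BREACH" if r["breached"] else "ok"
        print(f"{r['id']} {r['severity']:<12} {shown:>16} (target {r['target']}) {flag}")
    print("breached:", breaches(SAMPLE_TICKETS))
```

Run it over a month's export before the service review and the conversation about penalties starts from your numbers rather than the provider's. The unacknowledged ticket is the case worth watching: a report that only averages response times over acknowledged tickets quietly drops the worst ones.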