Handing Off Security

Internet security is not just a network problem.

The advent of highly automated systems and their connection to public networks has brought new risks to enterprise systems. Exposing an enterprise's information assets to the Internet means that, while the traditional threats of intrusion, vandalism and unauthorized access still exist, they're no longer confined to the enterprise network.

Even before Sept. 11, trying to keep up with the new world of risks was daunting. Security talent these days is even more in short supply and in high demand. Many enterprises—even Fortune 500 companies—simply can't find the staff to bring sophisticated, up-to-date security management techniques to bear in an organization.

Some beleaguered CIOs ponder a different approach: "If I can't have someone on board to meet my security needs, perhaps I can pay someone else to do it. Why don't I pay my staff to do strategic tasks, and pay someone else to guard my network and ensure its protection?"

A new kind of company has emerged: A third party that provides the security applications and services that all enterprises require. Often called a "Managed Security Service Provider," these new companies promise to relieve enterprises of the day-to-day drudgery of basic security tasks while providing networks with the most up-to-date protection available.

An Industry Emerges
As the rush for additional security intensifies, many companies are rushing in to meet the demand for professionally managed, outsourced security. According to Quarterstone Communications' Peter Hiller, "there's tremendous variety in the industry right now." Hiller, Quarterstone's information protection services manager, explains that "some companies are trying to be one-stop shops for security, others are outgrowths of Application Service Providers. Some do after-the-fact forensic services, others concentrate on education, and still others focus on intrusion detection."

It's an industry with many new players, but at least one established company has a simple definition of what managed security providers bring to the table. "From my perspective, 'Managed Security Provision' is a well-defined term," says Amit Yoran, president and CEO of RIPtech, a security service provider. "MSP is outsourced management and monitoring of security infrastructure components. For many organizations," he says, "this is a critical function, but not a core capability."

Mitchell Hryckowian, principal architect for security solutions at Boston-based Interliant, an Application and Security Service provider, points out that some of the variety in offerings is partly the result of vendors trying to find their way in an emerging marketplace. "Anything that is as large in scope as security naturally lends itself to specialization," he says. "Some of the new offerings in managed security are not all that worthwhile [and] some only get rarely used."

Wouldn't it be possible to identify an organization's requirements and then find software and automation tools to meet those requirements? RIPtech's Yoran points out that there are "a handful of security management tools on the market today, but they aren't very mature yet." It may be that the relative immaturity of security management tools provides an opening for those companies that would deliver security as a service offering rather than as a product to be installed and monitored.

In fact, Yoran argues that security is best delivered as a service rather than as a product. "If you think about a router or an operating system, you often hope to install it and forget it. While there may be the occasional patch or configuration change, you generally hope to set it up once and then, for the most part, leave it be. Security isn't like that. If you treated it like a product, it would be out of date the moment you set it up: There are always new attacks, techniques and exploits for breaking into systems."

When Providers Go Under

If you decide to outsource security, you need to consider one scenario: The possibility of the company's demise. Imagine having a contract with a managed security provider and having that provider suddenly go out of business. That's just what happened earlier this year with customers of Pilot Network Services. Pilot had been providing a variety of security services, including outsourced, managed security, secure data center operations and remote firewall analysis. The demise of the company, which came without warning to either employees or customers, left managed security clients scrambling for services from other providers.

Despite contract provisions that ensured that neither Pilot nor the customer could terminate their contracts for firewall and intrusion detection services without a 90-day notification, Pilot closed with minimal notice. In fact, several of Pilot's customers reported that it was only because of the decency of some of Pilot's employees that they received any notice of Pilot's crisis.

Some industry analysts think the fate of Pilot is just the start of a shakeup in the managed security industry. In a report earlier this year called "Surviving the Managed Security Services Shakeout," Gartner made what it calls a "no-brainer" prediction in saying that more than half of the start-up managed security services would eventually fail or be bought by larger providers.

Gartner estimates that more than a billion dollars have been poured into the managed security startups, but that few have the marketing reach or the development skills needed to stay in business. Gartner emphasized the need for security services to have complex monitoring capabilities that often have to be developed in-house. When initial funding for these companies dries up, these monitoring projects are often the first to be pushed to the back burner.

When some of the new managed security providers eventually fail, it will be "quickly and loudly" according to Gartner. John Pescatore, one of Gartner's authors for the research note, says, "There are four key parts to look for in a successful managed service provider: 1) an efficient security operation center; 2) the ability for the organization to hire and retain skilled staff; 3) the ability to find and keep new clients; and 4) the ability to constantly invest in technology and research to keep up with threats." The relationship between the enterprise and the managed security provider is a "partnership," but "in picking an outsourced security provider, an enterprise better base a decision on criteria that will ensure that the provider is going to be in business for the long haul."

—M.M.

What's Different?
Managed Security Services can be different from in-house security teams. Eddie Schwartz, vice president of operations at Guardent, a security consulting and managed service provider, argues that this is one of the primary virtues of outsourced security. "Managed Security Services are capable of doing things that an individual company cannot do. One example is our ability to correlate events at a variety of sites in real-time so that events and trends can be identified immediately."

Schwartz also points out that a managed security company can afford to develop tools for managing security that an individual company couldn't afford to develop on its own. "Take, as an example," he says, "a system where you correlated the Web logs, firewall logs and known characteristics of attacks and threats. What's important is not that you collect that information, or how you correlate that information, but what you do with it. Many companies come to us and say, 'I wish I could do that myself,' but the truth is that they have so many other things to do and we have the staff to constantly build on the tools we have."

The potential to leverage an enterprise's security requirements against many customers is what makes the managed security model work. It promises more effective security at a lower cost to the client. But does every enterprise need to take the wrenching step of putting its security in the hands of an outside organization?

Balancing Risks
Most enterprises grapple with security; most also realize there's a balance between acceptable risk and what a company can spend on application and data security. Enterprises of all sizes have traditionally addressed security by determining what assets need to be protected, and designing a program to minimize the risk of potential threats. Today, enterprises are getting additional motivation to concentrate on security.

With the emergence of new laws that include the European Union's Privacy Directive, the U.S. Health Insurance Portability and Accountability Act, and the new Gramm-Leach-Bliley privacy legislation, security is now a mandatory effort for companies that bring their enterprise offerings online. Each of these laws requires compliance with security and privacy procedures.

To address those requirements, enterprises will need to open their checkbooks. Research firm IDC has estimated that enterprise expenditures for security products and services will grow at a compounded annual growth rate of 26 percent, starting at $5.5 billion at the beginning of 2000 and ending at $17.2 billion by 2004.

There's always been investment in outsourced security, according to John Pescatore, senior security research analyst at Gartner Inc. "When you look at it, big financial firms have been doing this for years," he says. "Their attitude is, 'Once we've solved a problem and turned it into day-to-day gruntwork, let's outsource that gruntwork as soon as we can.'"

Enter the Outsourcer
Many companies would be comfortable providing for their own security if it weren't for two key factors: The complexity of security (including its changing nature), and the shortage of security professionals.

Managing firewalls and virtual private networks is easily done remotely. Performing vulnerability analysis and auditing is also naturally done away from a customer's network. Some companies even provide services that assist in the design, implementation and management of enterprise security architectures.

However, the complexity of the current security world means that security staff must be up-to-date on encryption, virus attacks, denial of service exploits, new intrusion strategies and the technologies that make them possible. In fact, the landscape of security changes so fast that one managed security provider estimated that there are fewer than 150 people who really understand all aspects of enterprise data security.

Naturally, competition for those experts is stiff. Many companies report investing in training and experience for key security staff, only to have that staff leave after their skills make them more valuable than the company can afford. Even among security providers, competition for expertise is intense—with staff moving regularly between competing service companies.

It's no wonder—automated tools and software are a useful foundation for the services that many of the companies provide. Still, Quarterstone's Hiller notes that "software is not enough by itself. It's the skill sets of the people providing the service that are the most important."

A Word of Caution
While the promise of outsourced security offers comprehensive security at reduced costs, some recent events show that it's always important to use caution before enlisting new services.

One problem is the current state of the industry. With the importance of security obvious to everyone and the market for security staff so tight, a variety of small, managed security vendors have emerged in the marketplace. A combination of desperation and ignorance can lead to the growth of organizations that might not have the expertise or experience that they advertise.

Gartner's Pescatore argues that a managed service provider might not be right for an organization that has limited business requirements. "A company should ask themselves if they're really a 24x7 business," he says. "If they're really a 10-hour-a-day by five-day business, then maybe they don't need the ongoing monitoring and on-call services. Supporting a limited 10x5 operation is going to be much cheaper than outsourcing."

Also, as the number of security service providers grows, they become attractive targets for hacking exploits. After all, if breaking into a single Fortune 500 company provides a passing thrill, breaking into a managed security service provider can provide access to a large number of institutions.

Working Out the Legalities

One mechanism for cementing a partnership between an outsourced security provider and an organization is the legal agreement between them. A Service Level Agreement (SLA) is usually signed between the two organizations and dictates the precise services and tasks that the service provider agrees to deliver.

A typical SLA for firewall and router security management, from the Seattle-based online services company Verio, specifies a variety of criteria including:

  • 99.93 percent availability for the security operations center
  • 15-minute notification window for firewall failures
  • Emergency security policy changes implemented within 60 minutes
  • Routine security policy changes made within 24 hours.

SLAs are often more detailed. According to Mitchell Hryckowian of Interliant, a Boston-based Application and Security Service provider, the SLA is simply a legal document that "is designed to document what work is to be done by the outsourced security provider . . . and in what timeframe."

"In the end," Hryckowian says, "those are just words on paper. It's the day-to-day working relationship that is more important. That working relationship is what gets to the heart of the partnership between the customer and the security service provider. The working relationship is how long-term trust gets built."

For some managed security providers, the SLAs help provide a platform for the working relationship. According to Hryckowian, "there are lots of opportunities for adjustment and compromise between the two organizations. Those opportunities can be used to ensure that the work can be delivered so that everyone—including customer and security service—is happy."

—M.M.

Trust Your Provider
While the Managed Security Provider business is poised for success, almost everyone agrees that the key to that success can be summed up in a single word: trust. There's an obvious psychological barrier enterprises face when considering outsourcing security. How can a company put one of its most sensitive IT tasks in the hands of a third party?

Mitchell Hryckowian of Interliant says that one of the first steps is to ensure that the customer "isn't losing control of security or the firewall. The customer still owns their security. The best organizations extend their company's abilities through a 'partnership.' That's the only way outsourced security works."

If trust forms the core of the relationship between the enterprise and outsource security services, then at least one vendor sees the landscape changing. The psychological barrier to adopting an outsourced security model is beginning to be replaced with a hard-nosed focus on ROI and services to be delivered. RIPtech's Yoran observes that, "A year ago we focused on education to get people over that psychological barrier. We had to hammer it into clients' minds that outsourcing security was an effective—sometimes the only effective—option. In the last six months or so we've seen a real change. There's been a tremendous increase in the maturity of requests for managed security. It's illustrated in intelligent and mature RFPs and RFIs for security service that focus on ROI and service delivery."

Maybe that maturity shows that a level of trust is beginning to emerge between those who would provide outsourced security and the enterprise struggling to protect their IT and infrastructure assets.