Partners in security

Mar 1, 2002 12:00 PM, By Jacqueline Emigh



With security and financial pressures mounting, more companies are looking to outsource information security needs to service providers. Beyond improving network security, the benefits of outsourcing can include lower expenditures and reduced overhead. To attain the desired results, however, a well-suited provider is necessary.

“Why should you outsource security, instead of doing it in-house? Because a security provider can do a better job for much less money,” says Dennis Treece, director of the X-Force special operations group at Atlanta-based Internet Security Systems (ISS), an intrusion detection/vulnerability assessment firm.

MSPs vs. MSSPs

“There are lots of players out there — and there's also lots of consolidation,” warns Greg de Haaf, a product manager at LoudCloud, Sunnyvale, Calif., another major service provider.

Like IBM Global Services (IGS), EDS, and Xand, LoudCloud is a managed service provider (MSP). MSPs typically provide both security and other related services, such as Web hosting and remote management.

ISS, on the other hand, is part of a group known generically as managed security service providers (MSSPs), which tend to target security specifically. Some MSSPs, such as intrusion detection specialist Counterpane, Cupertino, Calif., focus on a particular type of security service. Other MSSPs, such as ISS, Riptech (Alexandria, Va.), and TruSecure (Herndon, Va.), are broad-based. But the definitions for MSPs and MSSPs vary, and differences can be difficult to pinpoint.

Increasingly, service providers are offering customers wider ranges of security services including occasional security audits, 24-hour intrusion detection, managed firewall, VPN (virtual private network), anti-virus, and content filtering services.

“ISPs (Internet Service Providers), ASPs (Application Service Providers), systems integrators and telephone companies are also broadening out into the security services market. So, too, are security software vendors,” says Kelly Kavanagh of GartnerGroup, an industry analyst firm based in Stamford, Conn.

Other companies that provide security services include AT&T; Worldcom; Unisys; Computer Sciences Corp. (CSC); Symantec; Verisign; Interland; SecureWorks; Verio; KeyBridge; Guardent; Ubizen; NetSolve; Genuity; Intermedia; and Imperito.

Securing customer satisfaction

Fandango, an online ticketing agency, has benefitted from using MSPs. “I think LoudCloud has freed us to concentrate on the entertainment industry, which is really what Fandango is about. Our job is to sell movie tickets, and to make that experience more enjoyable. (With LoudCloud), we don't have to worry about the back-end technology that enables this to happen. We know that there's somebody watching our Web site 24 hours a day, 365 days a year,” says Rob Peralta, director of project management at Fandango.

TruSecure's customer roster includes PHH Arval, Hunt Valley, Md., a vehicle leasing organization, and FiServe, a Brookfield, Wis.-based provider of technical services to banks. “FiServe began by using services to take care of its corporate environment. We then created a program whereby they can extend our services to their banking customers,” says Peter Horst, senior vice president at TruSecure.

Providers promote customers' ability to benefit from their expertise, as well as from economies of scale. “Security is among the most complex types of technology,” says Amit Yoran, president and CEO of Riptech.

“Security can be a frustrating process for anyone whose core business is not technology,” agrees Seth Ostreicher, vice president of operations for Xand, Hawthorne, N.Y.

“We do the hard stuff so you don't have to — because it's all we do. You don't have to hire a staff to do 24-hour security monitoring, for instance. We know how to hire these people, train them and keep them happy,” Treece says. Customers are also spared the hefty expense of setting up a security operations center, he adds.

Expanding Services

Many service providers are already expanding their range of services through acquisition. TruSecure recently bought intrusion detection systems (IDS) specialist Three Pillars, Norcross, Ga. For its part, Riptech has acquired the customer base of MSSP Para-Protect, Centreville, Va., agreeing to provide security services to these customers without interruption.

Outsourcing does have its downsides, though. Despite the successes of some companies, a couple of other MSSPs have failed badly. Pilot Networks and the Salinas Group both went out of business last spring, leaving their customers stranded.

According to Treece, many early adopters in the MSSP arena are government agencies and organizations in the heavily regulated finance and health care industries. In other areas of business, outsourcing can still be a tough sell internally. “To many people, outsourcing is an anathema. NOCs (network operations centers) almost always resist outsourcing,” he says.

“There's a cultural bias against outsourcing,” agrees de Haaf. “People who've had bad experiences with outsourcing in some previous job are afraid that they'll lose control over their networks. The way we overcome that is to explain how we'll give them visibility into what's happening on the network.”

Todd E. Tucker, director of security architecture and strategy at PentaSafe Security Technologies, Austin, Texas, is one user who's had a negative experience with outsourcing in a previous job. Tucker hasn't turned against outsourcing, but he believes “if an MSSP is chosen to secure part of a company's network, the company should independently verify from time to time the effectiveness of those services.”

Tucker's former employer used a large MSSP for firewall and intrusion detection monitoring. “Late one Sunday evening, one of our technicians blasted our Web site, which was supposed to be monitored, with everything our vulnerability scanner could throw at it. Yet come the next morning, our MSSP had not called us. Instead, we called (the MSSP), only to find out their systems logged the attacks but (the MSSP) did nothing about them, not even to see if we were okay,” Tucker recalls.

When to outsource

If outsourcing is a viable option for a company, where can it start in a search for an MSP or MSSP? “You should look into which services you're able to do in-house, and which services you want to outsource, using the help of a consultant if you need to,” Kavanagh recommends.

An MSP is the answer if a company wants to outsource all network management operations, not just security management. Some MSPs, such as LoudCloud, sell security services only as part of a larger package. “Security isn't something that can be separated out from managing a network,” de Haaf says.

Some MSPs offer security and other fare as a la carte items on their service menus. “Our biggest differentiator is that we custom-tailor. Customers can buy only those services they want and need,” Ostreicher says.

MSSPs also differ in terms of flexibility and range of choice. “Some customers start by outsourcing a few security services with us. Then, as they build a level of trust with us, they add more,” Treece says.

Traditional security outsourcing options include managed firewall and VPN services. More recently, users have added IDS and, less frequently, PKI (public key infrastructure) management to the outsourcing list.

“Intrusion detection is the security person's Christmas puppy. A lot of people want to have it. But then it becomes a nightmare of care and feeding. This is particularly true in the middle market, where companies usually don't have the in-house expertise for IDS,” says Pete Lindstrom, an analyst at Hurwitz Group, Framingham, Mass., an industry analyst firm.

Some customers opt to outsource only services that are less extensive, or needed less often, such as user account management or security audits.

Choosing the right provider

After deciding what services need to be outsourced, the next step is finding a qualified provider. “Pick a company that has a strong financial situation and a well known reputation,” Kavanagh advises.

“One of the biggest challenges is that this is a young market. Do the research. Talk to analysts. Go see the operations center,” Yoran adds.

“Go with a substantial player. Ask about numbers of clients, and numbers of managed security services. Get customer references,” Horst suggests.

Typically, providers specifically target either global enterprises, mid-sized corporations, or a mixture of the two. Providers also vary in their philosophies of service. Almost invariably, service providers espouse combining intervention with prevention. But providers practice prevention in different ways. TruSecure, for example, provides a four-step “assurance plan,” complete with cash awards in the event that a customer completes the plan but still suffers a security incursion.

Given the turbulence of today's market, experts contend it's wise to protect the outsourcing investment with a solid contingency plan. “It can also be a good idea to use separate providers for security services and Internet access, for instance. That way, you're not putting all your eggs in one basket,” Kavanagh says.

As the market continues to mature, the complex patchwork of security service providers is projected to settle more firmly into place. In the meantime, however, the market will remain volatile. Over the next 12 months, GartnerGroup projects that six to eight players will drop out of the security services market, and another four to six players will join.

For the record

About the author

Jacqueline Emigh is a 12-year veteran of technology journalism and a freelance writer for iSecurity.

About the companies

Visit infoLink at www.securitysolutions.com for more information on companies featured in this article.

Counterpane — 131
EDS — 132
IBM Global Services — 133
Internet Security Systems — 134
LoudCloud — 135
PentaSafe Security Technologies — 136
Riptech — 137
TruSecure — 138
Xand — 139

© 2008 Penton Media Inc.
