The idea of turning to an outside firm to manage your firewall, VPN, intrusion-detection system or vulnerability assessment still raises a few eyebrows. But outsourcing security has become a popular step, either as a way to hold down costs or because it's difficult to hire security professionals for round-the-clock monitoring and management.
Gartner Inc. expects the managed security service provider (MSSP) market to reach $US1.6 billion this year, and increase to $3 billion by 2006. "The value proposition is pretty simple," says Kelly Kavanagh, a Gartner research director who tracks MSSPs. "There's 24-7 monitoring by staff who are experts and dedicated to the function." Outsourced services usually let companies avoid the cost of staffing to manage corporate-owned equipment, he adds.
An MSSP operates at least one security operations center from which the outsourcer can remotely access the customer's network at the perimeter or deep inside. But hosted security providers are a motley crew with varying services and prices. Many carriers, including AT&T, Equant and Sprint, count as MSSPs, as can some systems integrators such as Computer Sciences, Electronic Data Systems, IBM, Unisys and Science Applications International. A few security software firms — including Internet Security Systems, Symantec and VeriSign — offer outsourced services.
Then there are companies for which managed security services are the sole business: Counterpane Internet Security, Guardent, NetSec, NetSolv, RedSiren and Ubizen are among them. A handful of providers — including FrontBridge Technologies, MessageLabs and Postini — exclusively focus on anti-spam and antivirus protection. Whatever their menu of services, MSSPs are gaining credibility and customer loyalty as their use increases.
Law firm Gray, Cary, Ware & Friedenrich, which has about 900 employees in nine offices in San Diego, last fall began directing its email through FrontBridge to be culled for spam and viruses.
"It works out to be $US3 per user, per month," says Don Jaycox, the law firm's CTO. While declining to put an exact dollar value on doing the same job in-house, Jaycox said outsourcing is less than half the cost.
The firm gets about 1.4 million messages each month, about 65% of which is spam. Outsourcing the spam filtering hasn't negatively affected the flow of mail into the organization in any way, Jaycox says.
MSSPs are more closely identified with firewall or remote-access management and IDS, which Gartner estimates typically start at $1000 per month, per firewall, and $1600 per IDS sensor. The service providers have different menus for what they'll monitor or manage at the perimeter or inside the corporate intranet.
"We offer managed IDS services based on Enterasys Dragon," says Stacy Meadows, group manager of managed IP security services products at Sprint. "But we are more flexible on what we'll do for firewall/VPN."
The carrier is altering its MSSP strategy to more closely integrate with managed services for PBXs, routers and IP-based voice.
"Ideally, we'd like to look at the customer's corporate security policy and have the security services focus across the board," Meadows says.
This might be a trend in the future. Noveon, a chemicals company with about 2800 employees in 30 locations worldwide, has relied on NetSolv for multi-purpose network management and firewall security monitoring since the firm began using IP-based telephony products from Cisco Systems last year.
Todd Nelson, CTO at Noveon in Brecksville, Ohio, says the move to IP telephony raised Internet security issues, such as monitoring for IP-based attacks, which can be addressed through an MSSP. Noveon has NetSolv monitor and manage moves and changes in the IP-based voice system and firewall. "They also monitor the routers and switches," Nelson says.
MSSPs are getting high marks for their services, although many customers note that an outsider, however expert, might not be able to overcome drawbacks inherent in some equipment. IDSs, for example, are notorious for generating false and irrelevant alerts because they know little about the networks they watch.
"There are a lot of false positives, but very few are red flags that are applicable in our environment," says Joseph Gurga, manager of information security at People's Energy in Chicago. The firm outsourced its firewall and IDS monitoring and management to Symantec but still has to sift through the IDS information that Symantec supplies.
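The complaint above (an IDS knows little about the network it watches, so most alerts are not red flags for this environment) is usually answered by enriching alerts with an asset inventory before a human sees them. The snippet below is an added illustration of that triage step, not code from the article or from any provider named in it. The signature ids, hosts, ports and inventory are all constructed, and the rule is deliberately conservative: an alert is set aside only when the inventory proves its precondition cannot hold on the destination host, and alerts for hosts missing from the inventory are kept for review rather than dropped.

```python
"""Asset-aware triage of IDS alerts (added example; all data constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Alert:
    sid: str                               # signature id (constructed)
    name: str                              # signature name (constructed)
    dst_ip: str                            # destination host the alert was raised for
    dst_port: int
    requires_os: Optional[str] = None      # OS family the signalled attack needs, if any
    requires_service: Optional[str] = None # service the signalled attack needs, if any


# Constructed asset inventory: host -> OS family and the service behind each listening port.
INVENTORY: Dict[str, dict] = {
    "10.0.1.10": {"os": "linux", "services": {80: "apache", 22: "openssh"}},
    "10.0.1.20": {"os": "windows", "services": {445: "smb", 3389: "rdp"}},
}


def classify(alert: Alert, inventory: Dict[str, dict] = INVENTORY) -> str:
    """Return 'relevant', 'not_applicable' or 'unknown_host' for one alert.

    'not_applicable' is only returned when the inventory contradicts a
    precondition the signature needs (wrong OS family, or a different
    service on the targeted port). Unknown hosts are never suppressed.
    """
    asset = inventory.get(alert.dst_ip)
    if asset is None:
        return "unknown_host"
    if alert.requires_os and asset["os"] != alert.requires_os:
        return "not_applicable"
    if alert.requires_service and asset["services"].get(alert.dst_port) != alert.requires_service:
        return "not_applicable"
    return "relevant"


def triage(alerts: List[Alert], inventory: Dict[str, dict] = INVENTORY) -> Dict[str, List[Alert]]:
    """Bucket a batch of alerts so an analyst reads the relevant ones first."""
    buckets: Dict[str, List[Alert]] = {"relevant": [], "not_applicable": [], "unknown_host": []}
    for alert in alerts:
        buckets[classify(alert, inventory)].append(alert)
    return buckets


# Constructed sample alerts, as a managed IDS might forward them.
SAMPLE_ALERTS = [
    Alert("C-1001", "IIS buffer overflow attempt", "10.0.1.10", 80,
          requires_os="windows", requires_service="iis"),   # Linux/Apache host: cannot apply
    Alert("C-1002", "Apache chunked-encoding attack", "10.0.1.10", 80,
          requires_service="apache"),                       # matches the inventory: relevant
    Alert("C-1003", "SMB remote code execution attempt", "10.0.1.20", 445,
          requires_os="windows", requires_service="smb"),   # matches the inventory: relevant
    Alert("C-1004", "Port scan", "10.0.9.99", 22),          # host not in inventory: keep for review
]


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_ALERTS).items():
        print(f"{bucket}: {[a.sid for a in items]}")
```

The inventory is the part that an outsourced monitoring team normally lacks, which is why the customer, not the MSSP, ends up doing this sifting; feeding the provider an up-to-date asset list (or doing this enrichment on the customer side before alerts reach the ticket queue) is what turns the raw feed into the handful of red flags that actually apply.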
But MSSPs are gaining ground. Earlier this year, DuPont outsourced its firewall and IDS management to e-DMZ, although the company declines to discuss it. Merrill Lynch took the same step with VeriSign to manage 300 devices. While reluctant to discuss the arrangement, CIO David Bauer says cost was a factor. "There is now a fairly mature market for these services, and there's better value," he adds.
Others taking the MSSP route say it's a bit more expensive than in-house, but the problems of 24-7 security staffing make outsourcing worthwhile. "Do-it-yourself is cheaper," says Kurt de Ruwe, IT director in the polyurethane and specialties division at Huntsman in Salt Lake City. Last month, the company outsourced its global firewall and IDS management to Ubizen in a contract valued at about $1 million over three years.
David MacLeod, director of corporate security at The Regence Group in Portland, Oregon, which is the Blue Cross/Blue Shield provider for four states, says he can quantify the savings his MSSP, Counterpane, provides through its monitoring services. "It would cost me more to hire the six people I would need to replace what I get with Counterpane," he says.
Unlike many MSSPs, Counterpane monitors internal applications and operating systems in addition to perimeter firewall and IDS. This month Counterpane announced it's expanding into offering management of security devices and vulnerability scanning.