Security for hire

Does the potential of denial-of-service (DoS) attacks send chills up your spine? Does the thought of the skilful hacker planting a zombie in your system make you feel faint from fright? Are the ulcers in your stomach a result of too many close brushes with system-fatal viruses? If you are experiencing any of these symptoms, managed security services may be the right cure for you.

But, in order to prescribe the right medicine, the key is in understanding the symptoms and how harmful they are to the health and wellness of your infrastructure. The key is also in understanding what managed security services are and what they offer to keep your network safe and protected.

In Denial

Dan McLean, research manager for IDC Canada in Toronto, says that the term “managed security services” is very ambiguous and difficult to explain.

“The whole notion means different things to different people,” McLean says. “The one that is most typical is something like a VPN. You could also consider intrusion detection as a managed service.”

By definition, according to Eric Hemmendinger, research director of security and privacy for Boston, Mass.-based Aberdeen Group, managed security service providers are in the business of providing – as a service – a security capability that a customer wants, but doesn’t necessarily want to invest the money in. He says that businesses are beginning to recognize threats to their IT environments and are looking to managed security services to keep these environments protected.

Hemmendinger offers that services including managed firewalls, intrusion detection, vulnerability assessment services, VPN services, and monitoring are the primary security services offered to businesses. Still, he cautions that users have different reasons for selecting different services.

“One reason could be that they don’t have this capability. They want it, and they don’t want to invest in the people. They will look to a service provider because they have no intention of making (that security service) a core competency. Another scenario is a company that has been doing something (in terms of security), and decided they can’t do it well enough or what they do have is archaic. A scenario that comes up all the time is, ‘We can’t handle this problem effectively,’” he says.

Admitting There Is a Problem

Once you have realized that you need more than the rusty padlock you’ve had on your wiring closet for the past ten years, what’s next?

McLean says that selecting a provider for your security services comes down to an issue of who you can trust.

“A lot of the time, you go to the consultants, but they don’t work cheap,” he says. “The other issue is that a lot of services are largely geared for larger companies because that is where the money is.”

Hemmendinger suggests that customers go out and get a sense of what is possible.

“In order to understand what I need, I have to understand what people actually do,” he says. “The most common complaint I hear from users is that the service providers seem to be focused on a technology problem rather than a business problem. In other words, they want to sell me a technology solution or service to solve what it is they think is a technology problem, but they don’t really understand how this really fits in with my business. (Customers) should select (providers) that really try to understand the business.”

According to PricewaterhouseCoopers (PWC), businesses seeking managed security services should seek a provider who has an established track record.

“Obviously you don’t want to go to ‘Joe’s Security Monitoring service,’” says Robert Reimer, national leader of PWC’s information security practice in Winnipeg. “If you are going to use a particular vendor as part of your solution, you want to make sure you choose a vendor that has national or global vendor solutions.”

Who Can I Trust?

Dan McCall is the general manager of managed security services and co-founder of Waltham, Mass.-based security firm Guardent Inc. He says that as part of its managed security services methodology, Guardent conducts an initial review of customers’ Internet architecture in order to understand present environments and where the customer would like to be in terms of security.

“It is difficult to separate the managed services from the consulting piece of the business because the topic itself is complicated,” McCall says. “Guardent does a combination of both consulting and managed security services. Before we will outsource a firewall or install an IDS or scanning service, one of the first things we do is audit (the customer’s) environment.”

McCall says that Guardent often finds infrastructures that have not been protected are “owned.” What that means, he explains, is that someone has already taken over the infrastructure. Guardent assesses the environment and ensures the customer understands the risks of remaining unprotected. He says only then will Guardent suggest potential services.

“Frankly, no one is going to buy a firewall, IDS and scanning service unless they appreciate what that will do for them and what risks they are taking if they do not (implement) them,” McCall says. “Start by making a conscious decision of what is important to you relative to security.”

Can I Help?

Okay, so you have identified your problems, assessed your risks and even selected a provider to manage your security. As network manager, your job is not over. PWC’s Reimer says that although the actual monitoring and managing of security is in someone else’s hands, there still must be a primary point of contact and well-established security policies in place.

“Typically, we like to have regular meetings and reassess risks so that (customers) can be appropriately protected,” Reimer says. “Businesses are changing very rapidly and continuously. We need to know what those changes are or risks are so that the appropriate solutions are always in place.”

Guardent’s McCall says network managers should be aware of and understand what it is they are trying to mitigate. They should also ensure that employees are informed of security policies and practices.

“We can do a great job of protecting your network security, but if you are letting people walk in the front door without badges or you are handing out passwords and not updating your authentication and logins, we cannot protect against those things,” he says.

The bottom line, says Aberdeen’s Hemmendinger, is that network managers should be thinking about how their needs are going to evolve over the next six to 12 months. He suggests selecting a provider who will be able to meet those future needs. McLean agrees and also recommends seeking a provider who will offer a total security solution as opposed to point tools.

“What you are trying to do in effect, is plug up all of the holes that might exist,” he says. “That is the notion of holistic: to look at the total problem and address the total problem.”