Outsourcing corporate security is no longer risky business and large organizations should hand off network monitoring and security services as soon as possible.
That was the main conclusion Gartner analysts presented to about 2,000 IT executives at the firm’s IT Security Summit in June. Gartner predicts the future of security is in the cloud and expects to see more services such as MCI’s WAN Defense, announced two weeks ago.
“Why should I filter out this garbage at my end? Outsource as much of the day-to-day busywork as you can, as soon as you can,” said Gartner analyst John Pescatore in his presentation titled “The Near Future of Network Security.”
Pescatore acknowledged this is a radical change from what Gartner would have advocated in years past, when it viewed security outsourcing – which requires a company to entrust an outsider with critical support – as controversial.
“It’s just not controversial anymore,” Pescatore said. He said the level of expertise exhibited by the first-generation of managed security service providers (MSSPs) along with the rise of carrier-class high-speed security gear from vendors such as iPolicy Networks indicate that security outsourcing can evolve into a trusted service.
Customers need not purchase their own customer premises equipment (CPE), Pescatore says, particularly for perimeter defense.
Managed security services will evolve into “in-the-cloud services” in which network traffic is cleaned of spam, viruses, attack traffic and other problems before it reaches the enterprise, and perimeter firewalls and IDS reside with the carrier, said Kelly Kavanaugh, whose presentation was titled “Security in the Cloud: Take My Security Hardware, Please.”
Traditional pure-play MSSPs such as Symantec, Internet Security Systems and Counterpane Internet Security, as well as the larger IT outsourcers such as EDS and IBM, are most often associated with remote monitoring customer IDS, firewalls and other gear.
But he predicted, “It becomes a utility that’s shared. For enterprises, it’s a way to let go of having customer premises equipment.”
He said a number of in-the-cloud anti-spam and anti-virus filtering services already exist, including those from MessageLabs and Symantec’s Brightmail outfit. While MSSPs also might offer their own version of in- the-cloud security, Kavanaugh explained that “the carriers have the best opportunity to deliver in the cloud” because they provide the essential connection closest to the customer’s network.
A mixed reaction
The security-cloud concept generated a mixed reaction among attendees.
“I couldn’t see doing that at this point,” said Peter Walker, chief security officer at healthcare insurance provider Blue-Shield of California. The company relies on Counterpane for monitoring firewall and intrusion-detection and prevention gear, but he said he would be reluctant to forgo owning his own security gear.
Walker said his close relationship with Counterpane gave him confidence in outsourcing equipment monitoring and its cost-effectiveness. But he couldn’t envision not owning a security CPE.
Phil Maier, vice president of information security technologies at Inovant, a division of Visa that provides IT support, said he also had reservations.
“I’m a security-paranoid, I trust nobody,” said Maier, adding his views about outsourcing had been influenced by his past experience working for a defense contractor where strict military guidelines ruled.
“But sharing your infrastructure with another organization is something that can happen and it can work,” Maier added, noting that outsourcing of security was the direction is which Visa was headed since doing so would eliminate the need to hire more staff to monitor security devices.
But larger organizations say they’re seriously examining the possibility of adopting security outsourcing.
“We intend to transfer assets under an outsourcing contract,” said Byrne Huntley, director of the IT services center at the U.S. Department of Health and Human Services. HHS is in the middle of a bid process in which the goal is to obtain a significant portion of its network equipment and security as a service in which the supplying vendor would own and manage all the assets under a five-year contract.
“We’re open to all ideas,” said Huntley, who attended last week’s Gartner conference. “We want an innovative approach.”
The outsourcing move comes as part of a reorganization at HSS to integrate a hodgepodge of networks and applications used in eight different divisions, Huntley said.
In the move to buy the network equipment and security protection as a service, HHS still has specific products it wants to keep using. During the past few months, HHS has adopted a security-monitoring system from Securify, which uses traffic-behavior analysis to pinpoint problems such as worm outbreaks, network misconfigurations or suspicious network activity.
Any outsourcing vendor willing to supply equipment and security services will also be expected to manage Securify as part of the assets, Huntley said. “We’ll be working with Gartner as consultants on this outsourcing acquisition,” said Huntley, adding it would be the first time the department ever negotiated this type of arrangement. “We hope to award it this summer.”
With Gartner’s history in influencing market direction – the consultancy strongly advocated customers adopt intrusion-prevention systems to block attacks rather than just monitor for them with IDS, with considerable success – some vendors are concerned.
Jonah Paransky, senior manager for security product management at Symantec’s security operations center in Alexandria, Va., questioned Gartner’s assertion that the telecom carriers are better positioned to provide security services than an MSSP such as Symantec.
Monitoring the perimeter isn’t enough to get the customer’s enterprise security picture, says Paransky. Monitoring the internal equipment, such as switches or host-based intrusion-prevention systems inside the corporate network, is as important as monitoring the perimeter, he noted.
“There are worm outbreaks all the time caused by someone plugging in a laptop,” he pointed out. Paransky said he doubted that companies would be quick to give up their CPE.
Others noted that the move to outsource security functions could be a slow one. One reason is that the so-called managed security service provider market continues to consolidate – Level 3 Communi-cations acquired Genuity in 2003, and VeriSign snapped up Guardent in 2004 – leaving some corporate executives wary about contracting with a firm that might not be around in a few months.
Security outsourcing as Gartner outlined it last week wouldn’t be a fit for companies with specialized needs, such as a requirement that equipment be touched only by those with top-secret clearances, said Chuck Jarrow, vice president of information technical services at L-3 Communications Government Services in Chantilly, Va.
Gartner analysts conceded that in-the-cloud security services aren’t going to meet this type of military-grade security requirement, nor will they be the right fit for organizations which want carriers or MSSPs to use some brand of security device that’s not on the menu.
“It may not be a flexible arrangement,” Kavanaugh acknowledged.
