Enterprises on the fence over moving to a SaaS-based messaging security solution must make sure they know what they want before talking to vendors.
“My top piece of advice is to understand why you want to outsource this kind of solution and then what you need as you outsource it,” said Diana Kelley, partner at Amherst, N.H.-based IT security consultancy SecurityCurve.
Speaking at a recent seminar hosted in Markham, Ont., sponsored by security vendor Symantec Corp., Kelley outlined key points companies should keep in mind prior to signing a contract for SaaS-based messaging security and hygiene.
Any size organization, from businesses with one employee to Fortune 100 companies, can get value out of the SaaS model, she said. “The bottom line is, companies don’t want all of this stuff coming to their mail server,” said Kelley.
Benefits of the SaaS model
SaaS vendors reduce overheads and headcount by handling the installation, as well as the hiring, managing and training of administrators, she said. This is a big benefit for organizations that aren’t currently filtering because they don’t have the security messaging hygiene expertise, she pointed out. “You wouldn’t have to expand out and hire in an area where you couldn’t necessarily hire right now,” she said.
External expertise can also help with compliance issues, she noted. “Maybe you don’t necessarily want to be the expert on that,” she said. On-demand resource management is also a plus, according to Kelley, because IT no longer has to petition for expansions of hardware, software and headcount.
“Reliability is another big one,” said Kelley. Large SaaS providers can deliver multiple data centres and five 9s uptime on a 24/7 schedule, which many organizations can’t afford to support on their own, she said.
SaaS providers also run sensors that look for outbreaks, stay on top of the security reports, respond faster to threats and provide insight related to your own domain to let you know, for example, if your company becomes a spam target, she pointed out.
Potential pitfalls of SaaS
There are a lot of messaging security SaaS providers out there, but be careful about which vendor you select and what contract you sign, because they are not “created equal,” Kelley warned.
Keep in mind that the vendor’s employees will have access to your critical data, so inquire about how and who they hire, as well as how they monitor their staff, she suggested.
Data management and ownership issues may lead to “data hostage” situations, she said. “If you want to break up with your provider and take your data and go, will you necessarily be able to get it?” she asked. You also want to make sure that the provider will delete all of your data when you go, she added.
Deletion is a big concern, Kelley pointed out. If you have spoliation requirements, make sure the vendor can actually delete the data, she said. Vendors may also cart your data offsite, so ask them in advance if deletion involves additional costs, she said.
Ask whether the vendor archives your data, including log files. If you need to enforce a 30-day or 60-day cycle, ensure the vendor can deliver, and find out whether they delete your data at the level your business requires or if they continue to hold a copy of your records, she suggested.
Consider the geographic location of the vendor’s servers and the laws that apply to this location, she noted. If the servers are located in the United States, for example, your data may be subject to U.S. laws, such as the Patriot Act.
Alerting is another area to pay attention to, Kelley pointed out. “If your vendor has seen a breach or if your data got breached, do they have to tell you that there is a problem? Not necessarily,” she said. Also consider what happens if you are on a nine-to-five alert plan and a breach occurs over the weekend, she noted.
Questions to ask before signing a contract
Questions related to business requirements include not only the cost of installation but potential hidden costs, ongoing costs and whether the vendor can increase these costs in the future, she advised. “Is there anything in the contract that says they can’t double it, triple it, tomorrow or the next day?” she asked.
When it comes to functionality, most organizations want anti-virus and anti-spam filtering, but ask the vendor what engines they are using, whether they are taking a hybrid approach (as opposed to straight signature-checking), what kind of false positives they receive and how clean their traffic is, she said.
“I also strongly recommend you talk to some of their reference customers,” said Kelley.
Other technical requirements to keep in mind include multi-language support for non-English spam, content inspection (not necessarily full data leakage protection, but the ability to scan messages for content like credit card numbers and resumes), encryption, archive and searching and compliance reporting.
Ask what kind of searching the vendor provides, how quickly information is brought back to you and whether the vendor can provide scalability to support your organization as your business grows, she noted.
Look at compliance reporting and whether you will be able to provide information to your auditors if necessary, she said. Also look at the portability issues, such as whether or not the vendor sub-contracts to other vendors, she suggested.
Additional security technologies worth looking into include advanced protection (DNSSEC, SPF), Web filtering, data leakage protection, IM security and graynet/grayapps, she pointed out.
Questions that reveal the real and hidden costs must be asked to perform your cost/benefit analysis, she said. The most common hidden costs, according to Kelley, relate to mobile support, archiving and retrieval, spoliation and destruction and alerts.
Blackberry support could double your costs, archiving and retrieval services may require additional fees, and while the vendor may delete your data according to your requested 30-day or 60-day cycle, this doesn’t necessarily guarantee the data is destroyed, she pointed out.
You must also quantify the impact of downtime, exposure and loss, she said. Look for service level agreements that place penalties on the vendor if, for example, their servers crash for a day and make sure the penalties also apply to sub-contractors involved in the service, she suggested.
Symantec weighs in
Ron Poserina, senior manager of enterprise and partner services at Symantec, was also on hand to discuss SaaS-based messaging security offered by Symantec Hosted Services, a division that arose from the company’s acquisition of MessageLabs in late 2008.
“From a size and scope standpoint, we are by far the largest organization playing in this space,” said Poserina. With 14 data centres around the world, Symantec Hosted Services scans roughly 4 billion e-mail messages per day and supports roughly 10 million end users from 30,000 organizations globally.
Using the cloud for messaging security “makes good sense,” according to Poserina. “There is no need to bring all of that into your environment if we can simply do that for you in the cloud while giving you all the visibility through a management console,” he said.
A variety of e-mail, Web and IM services are available from Symantec Hosted Services, including traditional anti-virus and spam filtering, content control, image control, two e-mail encryption products, Web security, continuity and archiving, he pointed out.
The archiving is a hybrid solution that deploys a lightweight appliance within your environment to capture your internal mail stream and encrypt e-mail before it is offloaded to Symantec’s storage data centres, he explained. Symantec doesn’t have a data centre within Canada, but Canadian organizations that have issues with the U.S. Patriot Act can be provisioned to European infrastructure instead, he said.
“We have an entire menu of SLAs we offer to customers,” said Poserina, which include financial remuneration in the event that the company doesn’t deliver as expected. Customer support is provided on a 24/7 basis through the phone, e-mail and online, which can act as “an extension to your IT security staff,” he said.
Organizations seeking a SaaS-based solution should ask vendors whether they provide adaptive security solutions and are able to predictively identify targeted zero-day threats, Poserina advised. “The signature-based days are becoming less and less effective,” he said. Skeptic (Symantec’s proprietary, rules-based engine) identifies about 200 new threats on a normal day, he said.