Since enterprises are not experts in security, which is fairly acceptable,
the answer lies in outsourcing to someone who has expertise in that domain.
The inability of administrators to keep pace with hundreds of new
vulnerabilities in applications, operating systems and even network
infrastructure has led to networks with more potential holes than barriers.
Coupled with the fact that these vulnerabilities and tools to exploit them are
blatantly advertised on the Internet, enterprises are facing the daunting task
of building walls to protect their network while keeping it open for their
business. Moreover, the amount of time between the discovery of a vulnerability
and the release of tools exploiting it is decreasing
significantly. Network administrators have less time to react and install
patches or fixes.
This has forced many IT administrators to re-evaluate their security arsenal
and question their own ability to secure the network. The fact that they have
thus far struggled to effectively secure their networks with internal resources
has led IT leaders to seek additional means of security: this is driving the
growth of managed security services.
A trend being seen on the enterprise side is the outsourcing of security
operations management to managed security service providers (MSSP).
Organizations are increasingly realizing the importance of a secure IT
environment and that the management and mitigation of risk is not their core
competency.
Outsourcing of security is a reliable and feasible idea depending upon the
size of the organization and what is being outsourced. The business models
differ from industry to industry. It could be a pay-per-use model or a lump-sum
model or even a volume-driven model on technology. The models depend upon the
technology being outsourced. Currently, the market is responding in a mixed
manner: while some companies outsource security, there are others who are still
not comfortable with security outsourcing as a concept.
Security Options
Remote management and monitoring of firewalls, gateway anti-virus systems,
intrusion detection and prevention systems, and other dedicated security
infrastructure can significantly reduce operational expenditure. MSSPs can
provide higher levels of responsiveness and quicker fault resolution than
enterprises can themselves and at a lower cost. This model also enables
enterprises to extend 24/7/365 coverage across locations where it may have been
uneconomical to do so with internal resources.
A security utility promises just-in-time provisioning, lower costs, easier
scalability and better reliability with a “pay-as-you-grow” delivery model. But
where do these utilities reside and in what form do they exist? Security utility
services can be delivered in the wide area network (WAN) via an “in the cloud”
(ITC) infrastructure; or within the local area network (LAN) via a virtualized
hosting IT environment. Both utility models reduce the need for customer
premises equipment devices. Capacity planning is easier as the complexity
associated with scaling is reduced.
Services such as DDoS mitigation, firewalling, intrusion detection and
prevention, and spam and virus filtering of emails are examples of security
services that can be provided within the cloud, thus ensuring only clean content
reaches the customer's network. ITC security services are commonly delivered by
network services providers (especially tier-1s) and some MSSPs who have
outsourcing arrangements with these providers.
MSSP Advantage
Outsourcing managed security services is often a good solution for
transferring information security responsibility and operations. Although the
organization still owns information security risk and business risk, contracting
with an MSSP allows it to share risk management and mitigation approaches. There
are several drivers for MSS. Some key ones would include: expertise across
platforms since security is a fragmented space with several vendors; continuous
monitoring, which will be difficult for individual companies to implement;
time for organizations to focus on their core competence; a more proactive alert
mechanism and awareness of mitigation steps; lower cost of ownership; usage of
advanced technologies; and a proactive, continuous security model.
The dynamic nature of security threats, the increasing complexity of
information security infrastructure, regulatory compliance, resource
challenges, and the need for strong domain skills are driving more and more
organizations to outsource their information security management to a trusted
service provider. Outsourcing security management addresses the issue of the
ever-increasing security administration overhead and cost of compliance. Though
it is a reliable idea, the engagement model should be one that is
consistent, predictable, and SLA based.
MSSPs offer a business model wherein they monitor and manage the security
infrastructure of the organization but the risk still lies with the
organization. Therefore, the customer must build up a very strong internal
governance structure and manage its strategic and engineering pieces with the
help of qualified partners. One suggestion to make the outsourcing engagement a
success is to move beyond a 'vendor-client' relationship to a 'partnership'. In
fact, the organization itself needs to be mature enough to understand what it
takes to make the relationship successful.
Gyana Ranjan Swain
gyanas@cybermedia.co.in