The idea of turning to an outside firm to manage your firewall, VPN, intrusion-detection system or vulnerability assessment still raises a few eyebrows. But outsourcing security has become a popular step, either as a way to hold down costs or because it's difficult to hire security professionals for round-the-clock monitoring and management.
Gartner expects the managed security service provider (MSSP) market to reach $1.6 billion this year, and increase to $3 billion by 2006. "The value proposition is pretty simple," says Kelly Kavanagh, a Gartner research director who tracks MSSPs. "There's 24-7 monitoring by staff who are experts and dedicated to the function." Outsourced services usually let companies avoid the cost of staffing to manage corporate-owned equipment, he adds.
An MSSP operates at least one security operations center from which the outsourcer can remotely access the customer's network at the perimeter or deep inside. But hosted security providers are a motley crew with varying services and prices.
Many carriers, including AT&T, Equant and Sprint, count as MSSPs, as can some systems integrators such as Computer Sciences, Electronic Data Systems, IBM, Unisys and SAIC. A few security software firms - including Internet Security Systems, Symantec and VeriSign - offer outsourced services.
Then there are companies for which managed security services are the sole business: Counterpane Internet Security, Guardent, NetSec, NetSolve, RedSiren and Ubizen are among them. A handful of providers - including FrontBridge Technologies, MessageLabs and Postini - exclusively focus on anti-spam and anti-virus protection. Whatever their menu of services, MSSPs are gaining credibility and customer loyalty as their use increases.
Law firm Gray, Cary, Ware & Friedenrich, which has about 900 employees in nine offices in San Diego, last fall began directing its e-mail through FrontBridge to be culled for spam and viruses.
"It works out to be $3 per user, per month," says Don Jaycox, the law firm's CTO. While declining to put an exact dollar value on doing the same job in-house, Jaycox said outsourcing is less than half the cost.
The firm gets about 1.4 million messages each month, about 65% of which is spam. Outsourcing the spam filtering hasn't negatively affected the flow of mail into the organization in any way, Jaycox says.
MSSPs are more closely identified with firewall or remote-access management and IDS, which Gartner estimates typically start at $1,000 per month, per firewall, and $1,600 per IDS sensor. The service providers have different menus for what they'll monitor or manage at the perimeter or inside the corporate intranet.
"We offer managed IDS services based on Enterasys Dragon," says Stacy Meadows, group manager of managed IP security services products at Sprint. "But we are more flexible on what we'll do for firewall/VPN."
Sprint also offers three different anti-virus scanning engines based on Symantec, Trend Micro and Sophos software, and operates a FrontBridge switch for anti-spam protection.