Outsourced security called battle tested

By , Network World
June 13, 2005 12:13 AM ET

Network World - WASHINGTON, D.C. - Outsourcing corporate security is no longer risky business and large organizations should hand off network monitoring and security services as soon as possible.

That was the main conclusion Gartner analysts presented to about 2,000 IT executives at the firm's IT Security Summit last week. Gartner predicts the future of security is in the cloud and expects to see more services such as MCI's WAN Defense, announced two weeks ago.

"Why should I filter out this garbage at my end? Outsource as much of the day-to-day busywork as you can, as soon as you can," said Gartner analyst John Pescatore in his presentation titled "The Near Future of Network Security."

Pescatore acknowledged this is a radical change from what Gartner would have advocated in years past, when it viewed security outsourcing - which requires a company to entrust an outsider with critical support - as controversial.

"It's just not controversial anymore," Pescatore said. He said the level of expertise exhibited by the first-generation of managed security service providers (MSSPs) along with the rise of carrier-class high-speed security gear from vendors such as iPolicy Networks indicate that security outsourcing can evolve into a trusted service. Customers need not purchase their own customer premises equipment (CPE), Pescatore says, particularly for perimeter defense.

Managed security services will evolve into "in-the-cloud services" in which network traffic is cleaned of spam, viruses, attack traffic and other problems before it reaches the enterprise, and perimeter firewalls and IDS reside with the carrier, said Kelly Kavanaugh, whose presentation was titled "Security in the Cloud: Take My Security Hardware, Please."

Traditional pure-play MSSPs such as Symantec, Internet Security Systems and Counterpane Internet Security, as well as the larger IT outsourcers such as EDS and IBM, are most often associated with remote monitoring of customer IDS, firewalls and other gear.

But he predicted, "It becomes a utility that's shared. For enterprises, it's a way to let go of having customer premises equipment."

He said a number of in-the-cloud anti-spam and anti-virus filtering services already exist, including those from MessageLabs and Symantec's Brightmail outfit. While MSSPs also might offer their own version of in-the-cloud security, Kavanaugh explained that "the carriers have the best opportunity to deliver in the cloud" because they provide the essential connection closest to the customer's network.

A mixed reaction

The security-cloud concept generated a mixed reaction among attendees.

"I couldn't see doing that at this point," said Peter Walker, chief security officer at healthcare insurance provider Blue-Shield of California. The company relies on Counterpane for monitoring firewall and intrusion-detection and prevention gear, but he said he would be reluctant to forgo owning his own security gear.

Walker said his close relationship with Counterpane gave him confidence in outsourcing equipment monitoring and its cost-effectiveness. But he couldn't envision not owning a security CPE.

Phil Maier, vice president of information security technologies at Inovant, a division of Visa that provides IT support, said he also had reservations.

"I'm a security-paranoid, I trust nobody," said Maier, adding his views about outsourcing had been influenced by his past experience working for a defense contractor where strict military guidelines ruled.

"But sharing your infrastructure with another organization is something that can happen and it can work," Maier added, noting that outsourcing of security was the direction is which Visa was headed since doing so would eliminate the need to hire more staff to monitor security devices.

Not so fast
According to Gartner, outsourcing corporate security is no longer risky business, but there are some issues.
Requires less staff for round-the-clock equipment monitoring.
Removes the need to purchase customer-premises equipment.
Reduces equipment support cost.
Potentially limits security gear support.
Introduces legal questions, especially when outsourcing in a foreign country.
Leaves users wary of long-term contracts with some managed services companies.

But larger organizations say they're seriously examining the possibility of adopting security outsourcing.

"We intend to transfer assets under an outsourcing contract," said Byrne Huntley, director of the IT services center at the U.S. Department of Health and Human Services. HHS is in the middle of a bid process in which the goal is to obtain a significant portion of its network equipment and security as a service in which the supplying vendor would own and manage all the assets under a five-year contract.
