More enterprise business customers are turning to managed security service providers to help them cope with the complexities of network security, especially when it comes to intrusion prevention.
MSSP offerings are expected to generate about $1 billion in spending this year, says Allan Carey, a program manager for business and continuity services at IDC. The $1 billion is part of an overall security services spending projection, which includes consulting, training, implementation and MSSP costs, of about $7.4 billion for 2005.
Security audits and regulatory compliance are just two of the reasons organizations are more interested in MSSP offerings, says Kelly Kavanagh, an analyst at Gartner. MSSP services can help with audit compliance through documented monitoring, reporting and remediation, he says.
Users have become more willing to outsource their security needs to a third party. "Over the past couple of years enterprise customers have become more comfortable with the level of maturity in the MSSP market," Carey says.
Many organizations also don't have the capital to deploy the hardware and software necessary to support their own intrusion detection, intrusion prevention, anti-distributed denial of service or other security services, he says.
Compliance was one of the key reasons why Boiling Springs Savings Bank switched to MSSP Perimeter Internetworking, which specializes in offering managed security services to small banks.
Boiling Springs is a $1.1 billion thrift with 14 locations in northeastern New Jersey that uses Perimeter's intrusion-detection services, says Kenneth Emerson, director of strategic planning and CIO. Emerson says he sold the board of directors on Perimeter's services by explaining that they are essentially an "insurance policy against lost customer confidence."
About three years ago Boiling Springs turned to Perimeter to shore up the bank's security support. Emerson says he had an ISP that knew security, but didn't have a Level II Statement on Auditing Standard (SAS) review. This is a specialized audit that verifies a company's operational and internal controls over processing user transactions.
"It's up to me to engage a firm that has a SAS 70. If they don't, then it's up to me to have one done. They're expensive - about $30,000 to $50,000," Emerson says. "My ISP said they were looking into having one, but I needed something more proactive."
Perimeter had the required audit.
Emerson says banks also are required to have annual penetration tests, which cost about $12,000 to $15,000. But because he's using Perimeter's intrusion-detection services and has no outward facing hosts to the Internet, he's covered.
The bank has a centralized network set-up with all traffic coming through its headquarters in Rutherford. Boiling Springs has a dedicated frame relay connection to Perimeter from its headquarters and another to an ISP. In a hub-and-spoke architecture, each branch also has a dedicated frame connection to Rutherford. There is an ISDN backup at each site.